Currently, I am using the default HttpSession object in both controllers and GSP pages:

In controllers:

...
session.mykey = anObject;  // adding an object to session
...
if (session.otherkey) {    // performing some checking

In GSPs:

...
<g:if test="${session.mykey}">
...

I'd like to have a "remember me" functionality. Shiro already has it built in. However, as far as I understood, in order to do it I have to use the Shiro native session mode (in Config.groovy: security.shiro.session.mode="native"). By default, it persists the session state, so objects will remain in the session until the cookie expires or the user logs off.

Is my understanding right?

Then I will have to change my controllers to this:

def shiroSession = SecurityUtils.subject.session
shiroSession.setAttribute("mykey",anObject)
....
if (shiroSession.getAttribute("otherkey") ){

And my views to this:

<g:if test="${SecurityUtils.subject.session.getAttribute('mykey')}">

So, my questions are:

  • Is that right?
  • Can't I just use the previous way to access the session?
  • Do I have to turn off the default http session in some configuration?
r0drigopaes
  • You don't need the native session to use "remember me". – user852518 Nov 21 '11 at 12:23
  • What do you suggest? Can you point me to some links? I tried the native session after reading this post: http://grails.1312388.n4.nabble.com/Forcing-authentication-of-user-in-Grails-filter-using-Shiro-tp3698679p3702316.html – r0drigopaes Nov 21 '11 at 22:14
  • From https://grails.org/plugin/shiro: look at access control by convention. You just set `accessControl(auth:false)` in `SecurityUtils.groovy`. Should work if you are passing the rememberMe flag in properly. – Nathan Dunn Aug 05 '15 at 00:17

1 Answer

I gave up keeping objects in the session persistently (until cookie expires). Here is what I did:

In the login method in the controller:

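// Needs: import org.apache.shiro.SecurityUtils and org.apache.shiro.subject.Subject
if (!session.currentProfile) {
    Subject currentUser = SecurityUtils.getSubject()
    // Identity restored from the remember-me cookie: rebuild the session state
    if (currentUser.isRemembered()) {
        boolean success = configureSession(session, currentUser.getPrincipal())
        if (success) {
            ...
        }
    }
    ....
}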

The first "if" checks whether the session has the object I need.

The configureSession method puts in the session all information I need.

r0drigopaes
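
The pattern from the answer, as an added example that is not the poster's or the Shiro plugin's code: session state is rebuilt on demand from the remembered principal instead of being persisted. `StubSubject`, `restoreSessionState`, `mayPerformSensitiveAction` and `loadProfile` are hypothetical names; the stub only mimics Shiro's real `Subject.isAuthenticated()`, `isRemembered()` and `getPrincipal()`. In Shiro a remembered subject is not an authenticated one, so the example keeps that check separate.

```groovy
// Added example. StubSubject is a constructed stand-in for
// org.apache.shiro.subject.Subject so the script runs without Grails or Shiro.
// Groovy generates getPrincipal(), isAuthenticated() and isRemembered()
// from the three properties below.
class StubSubject {
    String principal
    boolean authenticated
    boolean remembered
}

/** Rebuild per-user session state when the session is new but the identity is known. */
boolean restoreSessionState(subject, session, Closure loadProfile) {
    if (session.currentProfile) {
        return true                      // already populated, nothing to do
    }
    if (!subject.isAuthenticated() && !subject.isRemembered()) {
        return false                     // anonymous: no principal to load state for
    }
    def profile = loadProfile(subject.getPrincipal())
    if (profile == null) {
        return false                     // principal no longer maps to a known user
    }
    session.currentProfile = profile
    return true
}

/** A remembered identity comes from a cookie; it is not proof of a login in this session. */
boolean mayPerformSensitiveAction(subject) {
    subject.isAuthenticated()
}

// Constructed sample data and a hypothetical lookup closure
def users = [alice: [displayName: 'Alice']]
def loadProfile = { principal -> users[principal] }

// Remembered user arriving with a fresh, empty session (a Map stands in for HttpSession)
def remembered = new StubSubject(principal: 'alice', remembered: true)
def session = [:]
assert restoreSessionState(remembered, session, loadProfile)
assert session.currentProfile.displayName == 'Alice'
assert !mayPerformSensitiveAction(remembered)     // needs a real login first

// Anonymous visitor: nothing is loaded into the session
def anonSession = [:]
assert !restoreSessionState(new StubSubject(), anonSession, loadProfile)
assert !anonSession.currentProfile
```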