
How does a REST server with Shiro authentication identify a given HTTP request as being part of a given session

In other words, if a user on a given machine makes a RESTful call to a server which logs them in, and then, subsequently, makes a separate, second call which requires them to be logged in, what component of that request identifies them as the same entity which previously had logged in? Why, if they make the request from (for example) a different browser, are they identified as a separate entity?

I know that it is the Session object which the Java code uses to hold information about the set of requests, and the Subject contains information about the user who is logged in. What I can't figure out is what mechanism Shiro uses to generate the Session object returned by .getSession(false) and the Subject returned by .getSubject(). I assume that it's sent somewhere in the headers, but I'm not sure where. I feel like I'm missing something which should be obvious.

It depends somewhat on how you have Shiro set up, but in general it comes down to how sessions are managed by the servlet container (Tomcat, Jetty, etc.).
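An added example, not part of the original answer and not Shiro or container code: a toy server and two toy browsers showing the usual container-managed case, in which the session ID travels in the `Cookie` request header. It assumes the servlet-container default cookie name `JSESSIONID`; `handle`, `Browser`, the paths and the credentials are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "JSESSIONID"  # assumed: default session cookie name in servlet containers
SESSIONS = {}               # server side: session id -> session attributes


def handle(path, headers, body=None):
    """Toy server: return (status, response_headers) for one HTTP request."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
    session = SESSIONS.get(sid)  # missing or unknown id -> no session

    if path == "/login":
        # Constructed credentials, for the example only.
        if body != {"user": "alice", "password": "constructed-pw"}:
            return 401, {}
        SESSIONS.pop(sid, None)          # never reuse a pre-login id (session fixation)
        sid = secrets.token_urlsafe(32)  # the id is a bearer value: make it unguessable
        SESSIONS[sid] = {"principal": body["user"]}
        out = SimpleCookie()
        out[COOKIE_NAME] = sid
        out[COOKIE_NAME]["httponly"] = True  # keep it away from page scripts
        out[COOKIE_NAME]["secure"] = True    # send over TLS only
        out[COOKIE_NAME]["path"] = "/"
        return 200, {"Set-Cookie": out[COOKIE_NAME].OutputString()}

    if path == "/whoami":
        if session is None:
            return 401, {}
        return 200, {"X-Principal": session["principal"]}
    return 404, {}


class Browser:
    """Each browser has its own cookie jar; the jar is all that links its requests."""

    def __init__(self):
        self.jar = SimpleCookie()

    def request(self, path, body=None):
        headers = {}
        if self.jar:
            headers["Cookie"] = "; ".join(f"{k}={m.value}" for k, m in self.jar.items())
        status, resp = handle(path, headers, body)
        if "Set-Cookie" in resp:
            self.jar.load(resp["Set-Cookie"])  # store the id for later requests
        return status, resp
```

A second `Browser` starts with an empty jar, so its requests carry no session ID and the server sees an unauthenticated client, which is the "different browser" case from the question.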
