This is actually a common question rather than a Shiro-specific one. What I would like to learn is how org.apache.shiro.SecurityUtils#getSubject works. I have checked the necessary parts of SecurityUtils and ThreadContext and I am totally puzzled now. The basic way that I understand Shiro's SecurityUtils.getSubject() to work is that it returns the subject which is bound to the currently executing thread. Actually, I was expecting something analogous to RequestLocal instead of ThreadLocal.
My questions:
1. How does Shiro ensure that a random point of the application has the same thread as the subject creator thread, to provide the same Subject? (Maybe it is related to the Servlet spec. It would be great to point to the necessary part.) I am particularly interested in JAX-RS.
2. This is the most confusing part of the whole subject. How does Shiro work in a Servlet 3 container where multiple requests are bound to a single thread?
Could someone please shed light on these questions?
Thanks
Answered in detail in this mailing list thread
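The thread-bound lookup the question describes, modelled with only the JDK as an added example (not part of the original post or answer, and not Shiro's source code). The class and method names are hypothetical, and the bind-on-entry, clear-on-exit handling per request is an assumption about how a framework keeps a pooled thread from carrying one request's identity into the next.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Simplified model of a thread-bound security context (hypothetical names).
public class ThreadBoundSubjectDemo {
    // Stand-in for a ThreadLocal-backed context holder.
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();

    // Analogue of a static getSubject(): reads whatever this thread has bound.
    static String getSubject() {
        String s = CURRENT.get();
        return s == null ? "anonymous" : s;
    }

    // Leaky request handler: binds the caller's identity but never clears it.
    static Runnable leaky(String user) {
        return () -> {
            if (user != null) CURRENT.set(user);
            System.out.println("[leaky]  request by " + user + " sees " + getSubject());
        };
    }

    // Scoped request handler: bind on entry, restore the thread's prior state on exit.
    static Runnable scoped(String user) {
        return () -> {
            String previous = CURRENT.get();
            try {
                if (user != null) CURRENT.set(user); else CURRENT.remove();
                System.out.println("[scoped] request by " + user + " sees " + getSubject());
            } finally {
                if (previous != null) CURRENT.set(previous); else CURRENT.remove();
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, so consecutive "requests" reuse the same thread,
        // as they do in a servlet container's thread pool.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        pool.submit(scoped("alice")).get();
        pool.submit(scoped(null)).get();  // unauthenticated request on a clean thread
        pool.submit(leaky("alice")).get();
        pool.submit(leaky(null)).get();   // unauthenticated request inherits the stale binding
        pool.shutdown();
    }
}
```

Work handed to another thread (an async servlet dispatch or an executor task) starts with that thread's own ThreadLocal state, so the binding has to be carried over and cleared there explicitly.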