java multithreading jax-rs shiro

SecurityUtils internals of Shiro


This is actually a common question rather than a Shiro-specific one. What I would like to learn is how org.apache.shiro.SecurityUtils#getSubject works. I have checked the necessary parts of SecurityUtils and ThreadContext, and I am totally puzzled now. The basic way that I understand Shiro's SecurityUtils.getSubject() to work is that it returns the subject which is bound to the currently executing thread. Actually, I was expecting something analogous to RequestLocal instead of ThreadLocal.

My questions:

  1. How does Shiro ensure that a random point of the application has the same thread as the subject creator thread, to provide the same Subject? (Maybe it is related to the Servlet spec. It would be great if you could point to the necessary part.) Particularly, I am interested in JAX-RS.

  2. This is the most confusing part of the whole subject. How does Shiro work in a Servlet 3 container, where multiple requests are bound to a single thread?

Could someone please shed light on these questions?

Thanks


Solution

  • Answered in detail in this mailing list thread
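
The thread binding the question describes can be observed directly with Shiro's public `Subject.associateWith` and `ThreadContext` APIs. The following is an added example, not part of the original post or of Shiro's own code; the class name, accounts and passwords are constructed. It runs two differently authenticated tasks on one reused worker thread and then checks what remains bound to that thread.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

public class ThreadBoundSubjectDemo {

    // Builds and logs in a Subject without binding it to any thread.
    static Subject login(DefaultSecurityManager sm, String user, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        subject.login(new UsernamePasswordToken(user, password));
        return subject;
    }

    public static void main(String[] args) throws Exception {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "constructed-pw-a"); // constructed sample accounts
        realm.addAccount("bob", "constructed-pw-b");
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);

        Subject alice = login(sm, "alice", "constructed-pw-a");
        Subject bob = login(sm, "bob", "constructed-pw-b");

        // One worker thread stands in for a pooled container thread that
        // serves several requests one after another.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // "Application code" that only knows SecurityUtils.getSubject().
            Callable<Object> whoAmI = () -> SecurityUtils.getSubject().getPrincipal();

            // associateWith() wraps the task: the Subject is bound to the
            // executing thread before call() and the previous state is
            // restored afterwards, so each task sees its own Subject.
            System.out.println(pool.submit(alice.associateWith(whoAmI)).get());
            System.out.println(pool.submit(bob.associateWith(whoAmI)).get());

            // Unwrapped task on the same thread: shows what is still bound.
            Callable<Subject> leftover = ThreadContext::getSubject;
            System.out.println(pool.submit(leftover).get());
        } finally {
            pool.shutdown();
        }
    }
}
```

The last task reads `ThreadContext.getSubject()` rather than `SecurityUtils.getSubject()` because the latter builds and binds a new Subject when none is bound, which would hide whether a previous identity had been left on the reused thread.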