Reputation: 1164
I have a session ID cookie generated by the Shiro security framework, and it is passed in each request. Is there any way to validate with Shiro that the session ID is valid?
I am trying with the below code by passing the session ID.
Subject requestedSubject = new Subject.Builder().sessionId(sessionId).buildSubject();
return !(requestedSubject.getSession(false) == null);
I am getting the below exception:
"exceptionClass": "class java.lang.IllegalArgumentException", "RESTMethod": "GET", "message": "SessionKey must be an HTTP compatible implementation.", "rootCausePointClass": "org.apache.shiro.web.session.mgt.ServletContainerSessionManager", "rootCausePointMethod": "getSession"
Is there anything wrong in what I am doing, or is there any other way to validate the session ID?
Upvotes: 0
Views: 853
Reputation: 112
You have not given much detail, and your exact question is a bit unclear.
Shiro manages sessions and session validation; this is built into the framework, and you ordinarily would not need to concern yourself with the mechanics of how Shiro checks/validates sessions.
One other thing that is not clear from the question is your technology stack. Is it a web application? Are there any other third-party libraries, such as Spring? However, here is a guide.
Be careful to note that a session (even a valid session) is not an indication that a user has logged in or that they are authenticated.
To get the current user from Shiro:
Subject currentUser = SecurityUtils.getSubject();
Then, to check whether this is a "Known" user, check that there is a non-null principal:
User user = (User) currentUser.getPrincipal();
Once again, your question is vague, but I hope that leads you in the right direction.
Upvotes: 2
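The checks discussed in this thread, gathered into one helper as an added example (not code from either poster or from the Shiro project). The class and method names are hypothetical, and the lookup by raw ID assumes Shiro's native session manager (for example DefaultWebSessionManager) is configured; the ServletContainerSessionManager named in the question's error output rejects session keys that are not HTTP-based.

```java
import java.io.Serializable;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.session.mgt.DefaultSessionKey;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper; names are assumptions, not from the original posts. */
public final class SessionChecks {

    private SessionChecks() {}

    /** Inside a request that passed through the Shiro filter, the Subject is already bound. */
    public static boolean currentRequestHasSession() {
        Subject subject = SecurityUtils.getSubject();
        // false = do not create a session as a side effect of checking for one
        return subject.getSession(false) != null;
    }

    /** A live session proves nothing about identity, so check the Subject itself. */
    public static boolean currentRequestIsKnownUser() {
        return SecurityUtils.getSubject().getPrincipal() != null;
    }

    /** Stricter than "known": true only if the user logged in during this session. */
    public static boolean currentRequestIsAuthenticated() {
        return SecurityUtils.getSubject().isAuthenticated();
    }

    /**
     * Looks a session up by its raw ID. Assumes a native session manager; with
     * ServletContainerSessionManager the container owns the sessions and this call
     * fails with the IllegalArgumentException shown in the question.
     */
    public static boolean isLiveSessionId(Serializable sessionId) {
        if (sessionId == null) {
            return false;
        }
        try {
            Session session = SecurityUtils.getSecurityManager()
                    .getSession(new DefaultSessionKey(sessionId));
            return session != null;
        } catch (SessionException e) {
            // Covers unknown, expired and stopped sessions
            return false;
        }
    }
}
```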