Hitachi

uCosminexus Application Server Security Management Guide


5.10.4 Implementation for registering the successfully authenticated Subject in HttpSession

Any object stored in HttpSession must implement the java.io.Serializable interface. Store the Subject, which implements java.io.Serializable, in HttpSession rather than the LoginContext instance that was created at login time. The stored Subject is required for the logout implementation. The following implementation example stores the Subject in HttpSession (see the session.setAttribute line).

<%
  // Build the JAAS LoginContext for the "Portal" configuration; WebPasswordHandler
  // collects the user name and password from the request (or redirects to login.html).
  LoginContext lc = new LoginContext("Portal",
    new WebPasswordHandler(request, response, null, "login.html", true));
  try {
    lc.login();
    // Keep only the Serializable Subject in the session; the LoginContext itself is not stored.
    session.setAttribute("ExampleSubject", lc.getSubject());
  } catch (LoginException e) { ... }
%>
...

To carry the user attributes that are associated with the Subject after login (UserAttributes) over to another server by using the session failover functionality, both the Subject and the user attributes must be stored in HttpSession. The following implementation example stores the Subject and the user attributes in HttpSession (see the two session.setAttribute lines).

<%
  LoginContext lc = new LoginContext("Portal",
    new WebPasswordHandler(request, response, null, "login.html", true));
  try {
    lc.login();
    // Store the Subject for logout, and its public credential (the user attributes)
    // so that session failover can serialize both to another server.
    session.setAttribute("ExampleSubject", lc.getSubject());
    session.setAttribute("ExampleCredential", lc.getSubject().getPublicCredentials().iterator().next());
  } catch (LoginException e) { ... }
%>
...
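The following helper is an added example, not code from the guide or from uCosminexus; it performs the two setAttribute calls shown above, checks that what goes into the session is Serializable (a requirement stated above for session failover), and guards the case where the Subject carries no public credential, which the iterator().next() call in the example would otherwise turn into a NoSuchElementException. The class name and method names are hypothetical; the attribute names are the guide's.

```java
import java.io.Serializable;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (not part of uCosminexus) that stores a login result in HttpSession. */
public final class SessionLoginStore {
    // Attribute names taken from the guide's example.
    public static final String SUBJECT_KEY = "ExampleSubject";
    public static final String CREDENTIAL_KEY = "ExampleCredential";

    private SessionLoginStore() {}

    /** Call only after lc.login() has returned normally. */
    public static void store(HttpSession session, LoginContext lc) {
        Subject subject = lc.getSubject();
        if (subject == null) {
            throw new IllegalStateException("login() completed but no Subject was produced");
        }
        // javax.security.auth.Subject implements Serializable; LoginContext does not,
        // so only the Subject is placed in the session.
        session.setAttribute(SUBJECT_KEY, requireSerializable(subject, SUBJECT_KEY));

        // The guide stores the first public credential (the user attributes). Guard the
        // empty set so a login module that attaches no credential does not fail here.
        Iterator<Object> it = subject.getPublicCredentials().iterator();
        if (it.hasNext()) {
            session.setAttribute(CREDENTIAL_KEY, requireSerializable(it.next(), CREDENTIAL_KEY));
        } else {
            session.removeAttribute(CREDENTIAL_KEY);
        }
    }

    /** Subject kept for logout; null when the session holds no login. */
    public static Subject subjectOf(HttpSession session) {
        Object o = session.getAttribute(SUBJECT_KEY);
        return (o instanceof Subject) ? (Subject) o : null;
    }

    /** Session failover serializes attributes, so reject anything that cannot survive it. */
    private static <T> T requireSerializable(T value, String key) {
        if (!(value instanceof Serializable)) {
            throw new IllegalArgumentException(key + " must implement java.io.Serializable: "
                + value.getClass().getName());
        }
        return value;
    }
}
```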