Correct way to use Apache Shiro on distributed sys

Posted 2019-06-06 19:38


I'm looking for some guidelines/tips on how to implement Apache Shiro as a part of a distributed system (client-server) using Java RMI.

I've looked at the answer to this thread: How to organize RMI Client-Server architecture, and I'm thinking of using something similar. What I have planned is a remote object (possibly a Singleton?) that handles the authentication when the client logs in. If the login is successful, a new session object is created. But I'm not quite sure where this object would belong and what information to store in it. Should it be passed on to the client or exist as another remote object?

I'm thinking that it should be used as some kind of session facade where each request from the client is authorized by Shiro. I'm not sure whether it is best (and possible) to give the client a unique token/identifier that Shiro knows about and can authorize based on for each method invocation, or to create a remote session-facade object that exists for each connection and stores the information about the current user and so forth.

Also, I don't quite know how Shiro handles the Subject when used in a multi-threaded application, and whether either of the mentioned proposals would cause a conflict.

I'm looking forward to hearing your thoughts on this - Thanks!

1 answer
萌系小妹纸
#2 · 2019-06-06 20:02

As described in my answer to that question, the login object is indeed a singleton, and the session object is indeed another remote object.

I don't see any difference between the two alternatives you mention about authenticating to Shiro. From the point of view of Shiro, the session object is the client.

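A sketch of the layout the answer describes (one shared login object, one remote session object per client), added here as an illustration and not taken from the question, the answer, or the linked thread. The names `Login`, `Session`, `readReport` and the permission string `report:read:<id>` are hypothetical; it assumes Shiro is on the classpath and a configured `SecurityManager` is passed in.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

// Hypothetical remote interfaces: one shared Login, one Session per logged-in client.
interface Login extends Remote {
    Session login(String user, char[] password) throws RemoteException;
}

interface Session extends Remote {
    String readReport(String id) throws RemoteException;
    void logout() throws RemoteException;
}

class LoginImpl extends UnicastRemoteObject implements Login {
    private final SecurityManager securityManager;

    LoginImpl(SecurityManager sm) throws RemoteException { this.securityManager = sm; }

    public Session login(String user, char[] password) throws RemoteException {
        // Build the Subject explicitly rather than via SecurityUtils.getSubject():
        // RMI dispatch threads are reused, so thread-bound state cannot be relied on.
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.login(new UsernamePasswordToken(user, password)); // AuthenticationException on failure
        return new SessionImpl(subject); // exported object; the client receives only a stub
    }
}

class SessionImpl extends UnicastRemoteObject implements Session {
    private final Subject subject; // stays on the server, never sent to the client

    SessionImpl(Subject subject) throws RemoteException { this.subject = subject; }

    public String readReport(String id) throws RemoteException {
        // execute() binds this Subject to the calling thread for the duration of the
        // call and restores the thread state afterwards. A denied permission surfaces
        // as Shiro's ExecutionException wrapping an AuthorizationException.
        return subject.execute(() -> {
            subject.checkPermission("report:read:" + id);
            return "report " + id; // placeholder for the real lookup
        });
    }

    public void logout() throws RemoteException {
        subject.logout();
        UnicastRemoteObject.unexportObject(this, true); // the client's stub stops working
    }
}
```

Because the `Subject` lives only inside the server-side session object, the client never holds credentials or principals after login; every authorization decision is made on the server per method call.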