-
1. Re: Errai + Apache Shiro, integration points?
edewit Mar 1, 2013 3:19 AM (in response to simon-lindgren)
Hi,
GWT is asynchronous; Errai doesn't introduce that, so that should not be the problem. From the description of your Shiro setup, I get that you are using Shiro's session management; this is not the same as the HTTP session. Saving stuff into thread local to 'remember' the user does not work in a web container! If the load on the server gets high, the web container will create more threads to help with the load, so this will result in the user suddenly not being logged in anymore. You will need to configure Shiro to use the HTTP session.
Cheers,
Erik Jan
-
2. Re: Errai + Apache Shiro, integration points?
simon-lindgren Mar 1, 2013 5:30 AM (in response to edewit)
Ah, yes. Shiro's web support does use the HTTP session (it is still a little unclear to me exactly how it uses it though), but there is a servlet filter which sets and unsets this thread local state for each request on the assumption that there is a 1-to-1 relationship: each thread handles a single request at a time. The core of Shiro's access control handling is then based on the thread local state. It is made this way to not be dependent directly on a container.
The problem becomes how to make sure this state is set correctly when ErraiBus is used, since (as far as I understand) request processing does not necessarily happen on a thread where the servlet filter has run.
I've looked a bit more, and my current idea is to make an EJB interceptor that does this, but for that I need to be able to access some of the web container things, and that seems like it could be a problem given that it is a different container. Perhaps Errai has something that could help with handling this, which I haven't found yet.
-
3. Re: Errai + Apache Shiro, integration points?
edewit Mar 1, 2013 5:40 AM (in response to simon-lindgren)
Right, so you are using Shiro web support and that does not use thread local to store session information. I have used Shiro as well and had this problem, so just wanted to warn you not to make the same mistake that I did. Only I just don't see why there would be a problem using this with Errai: if Shiro is using a servlet filter, then Errai's bus calls will also pass through it.
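
The concern raised in reply 2, code running on a thread the Shiro filter never touched, can be reproduced outside a container. The following is an added example, not code from any poster in this thread or from Errai; it assumes `shiro-core` on the classpath, and the class name, account and password are constructed for the demo. It uses Shiro's `Subject.associateWith` to carry an authenticated `Subject` onto a worker thread.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class SubjectPropagationDemo {
    public static void main(String[] args) throws Exception {
        // Constructed in-memory realm with one sample account.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "constructed-password");
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);

        // Stand-in for the Subject the servlet filter would have resolved
        // for the incoming request. It is built here without being bound
        // to the current thread.
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.login(new UsernamePasswordToken("alice", "constructed-password"));

        // Stand-in for a thread that processes work outside the filter chain.
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            Callable<Object> whoAmI = () -> SecurityUtils.getSubject().getPrincipal();

            // No Subject bound on the worker: Shiro creates an anonymous one,
            // so permission checks there would run as "nobody".
            Object unbound = worker.submit(whoAmI).get();

            // associateWith wraps the task so the Subject is bound to the
            // worker thread for the call and the previous state is restored.
            Object bound = worker.submit(subject.associateWith(whoAmI)).get();

            System.out.println("principal without binding: " + unbound); // null
            System.out.println("principal with binding:    " + bound);   // alice
        } finally {
            worker.shutdown();
        }
    }
}
```

Whether ErraiBus delivers messages on such a thread is the open question in the thread; the sketch only shows what Shiro sees in each case.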