org.apache.shiro.mgt
Class DefaultSecurityManager

java.lang.Object
  extended by org.apache.shiro.mgt.CachingSecurityManager
      extended by org.apache.shiro.mgt.RealmSecurityManager
          extended by org.apache.shiro.mgt.AuthenticatingSecurityManager
              extended by org.apache.shiro.mgt.AuthorizingSecurityManager
                  extended by org.apache.shiro.mgt.SessionsSecurityManager
                      extended by org.apache.shiro.mgt.DefaultSecurityManager
All Implemented Interfaces:
Authenticator, Authorizer, CacheManagerAware, SecurityManager, SessionManager, Destroyable

public class DefaultSecurityManager
extends SessionsSecurityManager

The Shiro framework's default concrete implementation of the SecurityManager interface, based around a collection of Realms. This implementation delegates its authentication, authorization, and session operations to wrapped Authenticator, Authorizer, and SessionManager instances respectively via superclass implementation.

To greatly reduce and simplify configuration, this implementation (and its superclasses) will create suitable defaults for all of its required dependencies, except the required one or more Realms. Because Realm implementations usually interact with an application's data model, they are almost always application specific; you will want to specify at least one custom Realm implementation that 'knows' about your application's data/security model (via RealmSecurityManager.setRealm(org.apache.shiro.realm.Realm) or one of the overloaded constructors). All other attributes in this class hierarchy will have suitable defaults for most enterprise applications.

RememberMe notice: This class supports the ability to configure a RememberMeManager for RememberMe identity services for login/logout, BUT, a default instance will not be created for this attribute at startup.

Because RememberMe services are inherently client tier-specific and therefore aplication-dependent, if you want RememberMe services enabled, you will have to specify an instance yourself via the setRememberMeManager mutator. However if you're reading this JavaDoc with the expectation of operating in a Web environment, take a look at the org.apache.shiro.web.DefaultWebSecurityManager implementation, which does support RememberMe services by default at startup.

Since:
0.2

Field Summary
protected  RememberMeManager rememberMeManager
           
protected  SubjectDAO subjectDAO
           
protected  SubjectFactory subjectFactory
           
 
Constructor Summary
DefaultSecurityManager()
          Default no-arg constructor.
DefaultSecurityManager(Collection<Realm> realms)
          Supporting constructor for multiple realms.
DefaultSecurityManager(Realm singleRealm)
          Supporting constructor for a single-realm application.
 
Method Summary
protected  void beforeLogout(Subject subject)
           
protected  void bind(Subject subject)
          Deprecated. in favor of save(subject).
protected  SubjectContext copy(SubjectContext subjectContext)
           
protected  SessionContext createSessionContext(SubjectContext subjectContext)
           
protected  Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing)
          Creates a Subject instance for the user represented by the given method arguments.
 Subject createSubject(SubjectContext subjectContext)
          This implementation functions as follows:

Ensures the SubjectContext is as populated as it can be, using heuristics to acquire data that may not have already been available to it (such as a referenced session or remembered principals). Calls doCreateSubject(org.apache.shiro.subject.SubjectContext) to actually perform the Subject instance creation. calls save(subject) to ensure the constructed Subject's state is accessible for future requests/invocations if necessary. returns the constructed Subject instance.

protected  SubjectContext createSubjectContext()
           
protected  void delete(Subject subject)
          Removes (or 'unbinds') the Subject's state from the application, typically called during logout(org.apache.shiro.subject.Subject)..
protected  Subject doCreateSubject(SubjectContext context)
          Actually creates a Subject instance by delegating to the internal subjectFactory.
protected  SubjectContext ensureSecurityManager(SubjectContext context)
          Determines if there is a SecurityManager instance in the context, and if not, adds 'this' to the context.
protected  PrincipalCollection getRememberedIdentity(SubjectContext subjectContext)
           
 RememberMeManager getRememberMeManager()
           
protected  SessionKey getSessionKey(SubjectContext context)
           
 SubjectDAO getSubjectDAO()
          Returns the SubjectDAO responsible for persisting Subject state, typically used after login or when an Subject identity is discovered (eg after RememberMe services).
 SubjectFactory getSubjectFactory()
          Returns the SubjectFactory responsible for creating Subject instances exposed to the application.
 Subject login(Subject subject, AuthenticationToken token)
          First authenticates the AuthenticationToken argument, and if successful, constructs a Subject instance representing the authenticated account's identity.
 void logout(Subject subject)
          Logs out the specified Subject from the system.
protected  void onFailedLogin(AuthenticationToken token, AuthenticationException ae, Subject subject)
           
protected  void onSuccessfulLogin(AuthenticationToken token, AuthenticationInfo info, Subject subject)
           
protected  void rememberMeFailedLogin(AuthenticationToken token, AuthenticationException ex, Subject subject)
           
protected  void rememberMeLogout(Subject subject)
           
protected  void rememberMeSuccessfulLogin(AuthenticationToken token, AuthenticationInfo info, Subject subject)
           
protected  Session resolveContextSession(SubjectContext context)
           
protected  SubjectContext resolvePrincipals(SubjectContext context)
          Attempts to resolve an identity (a PrincipalCollection) for the context using heuristics.
protected  SubjectContext resolveSession(SubjectContext context)
          Attempts to resolve any associated session based on the context and returns a context that represents this resolved Session to ensure it may be referenced if necessary by the invoked SubjectFactory that performs actual Subject construction.
protected  void save(Subject subject)
          Saves the subject's state to a persistent location for future reference if necessary.
 void setRememberMeManager(RememberMeManager rememberMeManager)
           
 void setSubjectDAO(SubjectDAO subjectDAO)
          Sets the SubjectDAO responsible for persisting Subject state, typically used after login or when an Subject identity is discovered (eg after RememberMe services).
 void setSubjectFactory(SubjectFactory subjectFactory)
          Sets the SubjectFactory responsible for creating Subject instances exposed to the application.
protected  void stopSession(Subject subject)
           
protected  void unbind(Subject subject)
          Deprecated. in Shiro 1.2 in favor of delete(org.apache.shiro.subject.Subject)
 
Methods inherited from class org.apache.shiro.mgt.SessionsSecurityManager
afterCacheManagerSet, afterSessionManagerSet, applyCacheManagerToSessionManager, destroy, getSession, getSessionManager, setSessionManager, start
 
Methods inherited from class org.apache.shiro.mgt.AuthorizingSecurityManager
afterRealmsSet, checkPermission, checkPermission, checkPermissions, checkPermissions, checkRole, checkRoles, checkRoles, getAuthorizer, hasAllRoles, hasRole, hasRoles, isPermitted, isPermitted, isPermitted, isPermitted, isPermittedAll, isPermittedAll, setAuthorizer
 
Methods inherited from class org.apache.shiro.mgt.AuthenticatingSecurityManager
authenticate, getAuthenticator, setAuthenticator
 
Methods inherited from class org.apache.shiro.mgt.RealmSecurityManager
applyCacheManagerToRealms, getRealms, setRealm, setRealms
 
Methods inherited from class org.apache.shiro.mgt.CachingSecurityManager
getCacheManager, setCacheManager
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

rememberMeManager

protected RememberMeManager rememberMeManager

subjectDAO

protected SubjectDAO subjectDAO

subjectFactory

protected SubjectFactory subjectFactory
Constructor Detail

DefaultSecurityManager

public DefaultSecurityManager()
Default no-arg constructor.


DefaultSecurityManager

public DefaultSecurityManager(Realm singleRealm)
Supporting constructor for a single-realm application.

Parameters:
singleRealm - the single realm used by this SecurityManager.

DefaultSecurityManager

public DefaultSecurityManager(Collection<Realm> realms)
Supporting constructor for multiple realms.

Parameters:
realms - the realm instances backing this SecurityManager.
Method Detail

getSubjectFactory

public SubjectFactory getSubjectFactory()
Returns the SubjectFactory responsible for creating Subject instances exposed to the application.

Returns:
the SubjectFactory responsible for creating Subject instances exposed to the application.

setSubjectFactory

public void setSubjectFactory(SubjectFactory subjectFactory)
Sets the SubjectFactory responsible for creating Subject instances exposed to the application.

Parameters:
subjectFactory - the SubjectFactory responsible for creating Subject instances exposed to the application.

getSubjectDAO

public SubjectDAO getSubjectDAO()
Returns the SubjectDAO responsible for persisting Subject state, typically used after login or when an Subject identity is discovered (eg after RememberMe services). Unless configured otherwise, the default implementation is a DefaultSubjectDAO.

Returns:
the SubjectDAO responsible for persisting Subject state, typically used after login or when an Subject identity is discovered (eg after RememberMe services).
Since:
1.2
See Also:
DefaultSubjectDAO

setSubjectDAO

public void setSubjectDAO(SubjectDAO subjectDAO)
Sets the SubjectDAO responsible for persisting Subject state, typically used after login or when an Subject identity is discovered (eg after RememberMe services). Unless configured otherwise, the default implementation is a DefaultSubjectDAO.

Parameters:
subjectDAO - the SubjectDAO responsible for persisting Subject state, typically used after login or when an Subject identity is discovered (eg after RememberMe services).
Since:
1.2
See Also:
DefaultSubjectDAO

getRememberMeManager

public RememberMeManager getRememberMeManager()

setRememberMeManager

public void setRememberMeManager(RememberMeManager rememberMeManager)

createSubjectContext

protected SubjectContext createSubjectContext()

createSubject

protected Subject createSubject(AuthenticationToken token,
                                AuthenticationInfo info,
                                Subject existing)
Creates a Subject instance for the user represented by the given method arguments.

Parameters:
token - the AuthenticationToken submitted for the successful authentication.
info - the AuthenticationInfo of a newly authenticated user.
existing - the existing Subject instance that initiated the authentication attempt
Returns:
the Subject instance that represents the context and session data for the newly authenticated subject.

bind

@Deprecated
protected void bind(Subject subject)
Deprecated. in favor of save(subject).

Binds a Subject instance created after authentication to the application for later use.

As of Shiro 1.2, this method has been deprecated in favor of save(org.apache.shiro.subject.Subject), which this implementation now calls.

Parameters:
subject - the Subject instance created after authentication to be bound to the application for later use.
See Also:
save(org.apache.shiro.subject.Subject)

rememberMeSuccessfulLogin

protected void rememberMeSuccessfulLogin(AuthenticationToken token,
                                         AuthenticationInfo info,
                                         Subject subject)

rememberMeFailedLogin

protected void rememberMeFailedLogin(AuthenticationToken token,
                                     AuthenticationException ex,
                                     Subject subject)

rememberMeLogout

protected void rememberMeLogout(Subject subject)

login

public Subject login(Subject subject,
                     AuthenticationToken token)
              throws AuthenticationException
First authenticates the AuthenticationToken argument, and if successful, constructs a Subject instance representing the authenticated account's identity.

Once constructed, the Subject instance is then bound to the application for subsequent access before being returned to the caller.

Parameters:
token - the authenticationToken to process for the login attempt.
subject - the subject against which the authentication attempt will occur
Returns:
a Subject representing the authenticated user.
Throws:
AuthenticationException - if there is a problem authenticating the specified token.

onSuccessfulLogin

protected void onSuccessfulLogin(AuthenticationToken token,
                                 AuthenticationInfo info,
                                 Subject subject)

onFailedLogin

protected void onFailedLogin(AuthenticationToken token,
                             AuthenticationException ae,
                             Subject subject)

beforeLogout

protected void beforeLogout(Subject subject)

copy

protected SubjectContext copy(SubjectContext subjectContext)

createSubject

public Subject createSubject(SubjectContext subjectContext)
This implementation functions as follows:

  1. Ensures the SubjectContext is as populated as it can be, using heuristics to acquire data that may not have already been available to it (such as a referenced session or remembered principals).
  2. Calls doCreateSubject(org.apache.shiro.subject.SubjectContext) to actually perform the Subject instance creation.
  3. calls save(subject) to ensure the constructed Subject's state is accessible for future requests/invocations if necessary.
  4. returns the constructed Subject instance.

Parameters:
subjectContext - any data needed to direct how the Subject should be constructed.
Returns:
the Subject instance reflecting the specified contextual data.
Since:
1.0
See Also:
ensureSecurityManager(org.apache.shiro.subject.SubjectContext), resolveSession(org.apache.shiro.subject.SubjectContext), resolvePrincipals(org.apache.shiro.subject.SubjectContext), doCreateSubject(org.apache.shiro.subject.SubjectContext), save(org.apache.shiro.subject.Subject)

doCreateSubject

protected Subject doCreateSubject(SubjectContext context)
Actually creates a Subject instance by delegating to the internal subjectFactory. By the time this method is invoked, all possible SubjectContext data (session, principals, et. al.) has been made accessible using all known heuristics and will be accessible to the subjectFactory via the subjectContext.resolve* methods.

Parameters:
context - the populated context (data map) to be used by the SubjectFactory when creating a Subject instance.
Returns:
a Subject instance reflecting the data in the specified SubjectContext data map.
Since:
1.2
See Also:
getSubjectFactory(), SubjectFactory.createSubject(org.apache.shiro.subject.SubjectContext)

save

protected void save(Subject subject)
Saves the subject's state to a persistent location for future reference if necessary.

This implementation merely delegates to the internal subjectDAO and calls subjectDAO.save(subject).

Parameters:
subject - the subject for which state will potentially be persisted
Since:
1.2
See Also:
SubjectDAO.save(org.apache.shiro.subject.Subject)

delete

protected void delete(Subject subject)
Removes (or 'unbinds') the Subject's state from the application, typically called during logout(org.apache.shiro.subject.Subject)..

This implementation merely delegates to the internal subjectDAO and calls delete(subject).

Parameters:
subject - the subject for which state will be removed
Since:
1.2
See Also:
SubjectDAO.delete(org.apache.shiro.subject.Subject)

ensureSecurityManager

protected SubjectContext ensureSecurityManager(SubjectContext context)
Determines if there is a SecurityManager instance in the context, and if not, adds 'this' to the context. This ensures the SubjectFactory instance will have access to a SecurityManager during Subject construction if necessary.

Parameters:
context - the subject context data that may contain a SecurityManager instance.
Returns:
The SubjectContext to use to pass to a SubjectFactory for subject creation.
Since:
1.0

resolveSession

protected SubjectContext resolveSession(SubjectContext context)
Attempts to resolve any associated session based on the context and returns a context that represents this resolved Session to ensure it may be referenced if necessary by the invoked SubjectFactory that performs actual Subject construction.

If there is a Session already in the context because that is what the caller wants to be used for Subject construction, or if no session is resolved, this method effectively does nothing returns the context method argument unaltered.

Parameters:
context - the subject context data that may resolve a Session instance.
Returns:
The context to use to pass to a SubjectFactory for subject creation.
Since:
1.0

resolveContextSession

protected Session resolveContextSession(SubjectContext context)
                                 throws InvalidSessionException
Throws:
InvalidSessionException

getSessionKey

protected SessionKey getSessionKey(SubjectContext context)

resolvePrincipals

protected SubjectContext resolvePrincipals(SubjectContext context)
Attempts to resolve an identity (a PrincipalCollection) for the context using heuristics. This implementation functions as follows:
  1. Check the context to see if it can already resolve an identity. If so, this method does nothing and returns the method argument unaltered.
  2. Check for a RememberMe identity by calling getRememberedIdentity(org.apache.shiro.subject.SubjectContext). If that method returns a non-null value, place the remembered PrincipalCollection in the context.

Parameters:
context - the subject context data that may provide (directly or indirectly through one of its values) a PrincipalCollection identity.
Returns:
The Subject context to use to pass to a SubjectFactory for subject creation.
Since:
1.0

createSessionContext

protected SessionContext createSessionContext(SubjectContext subjectContext)

logout

public void logout(Subject subject)
Description copied from interface: SecurityManager
Logs out the specified Subject from the system.

Note that most application developers should not call this method unless they have a good reason for doing so. The preferred way to logout a Subject is to call Subject.logout(), not the SecurityManager directly.

Framework developers on the other hand might find calling this method directly useful in certain cases.

Parameters:
subject - the subject to log out.

stopSession

protected void stopSession(Subject subject)

unbind

@Deprecated
protected void unbind(Subject subject)
Deprecated. in Shiro 1.2 in favor of delete(org.apache.shiro.subject.Subject)

Unbinds or removes the Subject's state from the application, typically called during logout(org.apache.shiro.subject.Subject).

This has been deprecated in Shiro 1.2 in favor of the delete method. The implementation has been updated to invoke that method.

Parameters:
subject - the subject to unbind from the application as it will no longer be used.

getRememberedIdentity

protected PrincipalCollection getRememberedIdentity(SubjectContext subjectContext)


Copyright © 2004-2012 The Apache Software Foundation. All Rights Reserved.