org.apache.shiro.mgt
Class DefaultSessionStorageEvaluator

java.lang.Object
  org.apache.shiro.mgt.DefaultSessionStorageEvaluator

All Implemented Interfaces:

SessionStorageEvaluator

public class DefaultSessionStorageEvaluator
extends Object
implements SessionStorageEvaluator

A Default SessionStorageEvaluator that provides reasonable control over if and how Sessions may be used for storing Subject state. See the isSessionStorageEnabled(org.apache.shiro.subject.Subject) method for exact behavior.

Since:

1.2

Constructor Summary

DefaultSessionStorageEvaluator()

Method Summary

boolean	isSessionStorageEnabled() Returns true if any Subject's Session may be used to persist that Subject's state, false otherwise.
boolean	isSessionStorageEnabled(Subject subject) This implementation functions as follows: If the specified Subject already has an existing Session (typically because an application developer has called subject.getSession() already), Shiro will use that existing session to store subject state. If a Subject does not yet have a Session, this implementation checks the sessionStorageEnabled property: If sessionStorageEnabled is true (the default setting), a new session may be created to persist Subject state if necessary. If sessionStorageEnabled is false, a new session will not be created to persist session state. Most applications use Sessions and are OK with the default true setting for sessionStorageEnabled.
void	setSessionStorageEnabled(boolean sessionStorageEnabled) Sets if any Subject's Session may be used to persist that Subject's state.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DefaultSessionStorageEvaluator

public DefaultSessionStorageEvaluator()

Method Detail

isSessionStorageEnabled

public boolean isSessionStorageEnabled(Subject subject)

This implementation functions as follows:

• If the specified Subject already has an existing Session (typically because an application developer has called subject.getSession() already), Shiro will use that existing session to store subject state.
• If a Subject does not yet have a Session, this implementation checks the sessionStorageEnabled property:
  • If sessionStorageEnabled is true (the default setting), a new session may be created to persist Subject state if necessary.
  • If sessionStorageEnabled is false, a new session will not be created to persist session state.

Most applications use Sessions and are OK with the default true setting for sessionStorageEnabled.

However, if your application is a purely 100% stateless application that never uses sessions, you will want to set sessionStorageEnabled to false. Realize that a false value will ensure that any subject login only retains the authenticated identity for the duration of a request. Any other requests, invocations or messages will not be authenticated.

Specified by:

isSessionStorageEnabled in interface SessionStorageEvaluator

Parameters:

subject - the Subject for which session state persistence may be enabled

Returns:

the value of isSessionStorageEnabled() and ignores the Subject argument.

See Also:

Subject.getSession(), Subject.getSession(boolean)

isSessionStorageEnabled

public boolean isSessionStorageEnabled()

Returns true if any Subject's Session may be used to persist that Subject's state, false otherwise. The default value is true.

N.B. This is a global configuration setting; setting this value to false will disable sessions to persist Subject state for all Subjects that do not already have a Session. It should typically only be set to false for 100% stateless applications (e.g. when sessions aren't used or when remote clients authenticate on every request).

Returns:

true if any Subject's Session may be used to persist that Subject's state, false otherwise.

setSessionStorageEnabled

public void setSessionStorageEnabled(boolean sessionStorageEnabled)

Sets if any Subject's Session may be used to persist that Subject's state. The default value is true.

N.B. This is a global configuration setting; setting this value to false will disable sessions to persist Subject state for all Subjects that do not already have a Session. It should typically only be set to false for 100% stateless applications (e.g. when sessions aren't used or when remote clients authenticate on every request).

Parameters:

sessionStorageEnabled - if any Subject's Session may be used to persist that Subject's state.