org.apache.shiro.mgt
Class DefaultSubjectDAO

java.lang.Object
  extended by org.apache.shiro.mgt.DefaultSubjectDAO
All Implemented Interfaces:
SubjectDAO

public class DefaultSubjectDAO
extends Object
implements SubjectDAO

Default SubjectDAO implementation that stores Subject state in the Subject's Session by default (but this can be disabled - see below). The Subject instance can be re-created at a later time by first acquiring the associated Session (typically from a SessionManager) via a session ID or session key and then building a Subject instance from Session attributes.

Controlling how Sessions are used

Whether a Subject's Session is used to persist its own state is controlled on a per-Subject basis by the configured sessionStorageEvaluator. The default Evaluator is a DefaultSessionStorageEvaluator, which supports enabling or disabling session usage for Subject persistence at a global level for all subjects (and defaults to allowing sessions to be used).

Disabling Session Persistence Entirely

Because the default SessionStorageEvaluator instance is a DefaultSessionStorageEvaluator, you can disable Session usage for Subject state entirely by configuring that instance directly, e.g.:
     ((DefaultSessionStorageEvaluator)subjectDAO.getSessionStorageEvaluator()).setSessionStorageEnabled(false);
 
or, for example, in shiro.ini:
     securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false
 
but note: ONLY do this if your application is 100% stateless and you DO NOT need subjects to be remembered across remote invocations, or in a web environment across HTTP requests.

Supporting Both Stateful and Stateless Subject paradigms

Perhaps your application needs to support a hybrid approach of both stateful and stateless Subjects. To support this per-Subject approach, you will need to create your own implementation of the SessionStorageEvaluator interface and configure it via the setSessionStorageEvaluator(SessionStorageEvaluator) method, or, with shiro.ini:
     myEvaluator = com.my.CustomSessionStorageEvaluator
     securityManager.subjectDAO.sessionStorageEvaluator = $myEvaluator
 

Unless overridden, the default evaluator is a DefaultSessionStorageEvaluator, which enables session usage for Subject state by default.
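
One way to implement the hybrid evaluator described above, shown as an added example (not code from the Shiro project). The class name matches the shiro.ini snippet; the realm name apiTokenRealm and the statelessRealmNames property are assumptions chosen for illustration.

```java
package com.my;

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.shiro.mgt.SessionStorageEvaluator;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/**
 * Hybrid evaluator: Subjects authenticated by a "stateless" realm (for
 * example, per-request API tokens) never have their state written to a
 * Session; all other Subjects keep the default, session-backed behaviour.
 */
public class CustomSessionStorageEvaluator implements SessionStorageEvaluator {

    // Hypothetical realm name; replace with the names of your own realms.
    private Set<String> statelessRealmNames = Collections.singleton("apiTokenRealm");

    public void setStatelessRealmNames(Set<String> names) {
        // Defensive copy so later changes by the caller have no effect here.
        this.statelessRealmNames = new HashSet<String>(names);
    }

    public boolean isSessionStorageEnabled(Subject subject) {
        PrincipalCollection principals = subject.getPrincipals();
        if (principals == null) {
            // Anonymous Subject: keep the default (sessions allowed).
            return true;
        }
        // A single principal from a stateless realm is enough to refuse
        // storage, so token identities are never persisted in a session.
        for (String realmName : principals.getRealmNames()) {
            if (statelessRealmNames.contains(realmName)) {
                return false;
            }
        }
        return true;
    }
}
```

The evaluator only decides whether Shiro stores Subject state in the session; it does not by itself stop application code from calling subject.getSession().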

Since:
1.2
See Also:
isSessionStorageEnabled(org.apache.shiro.subject.Subject), SessionStorageEvaluator, DefaultSessionStorageEvaluator

Constructor Summary
DefaultSubjectDAO()
           
 
Method Summary
 void delete(Subject subject)
          Removes any existing subject state from the subject's session (if the session exists).
 SessionStorageEvaluator getSessionStorageEvaluator()
          Returns the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session.
protected  boolean isSessionStorageEnabled(Subject subject)
          Determines if the subject's session will be used to persist subject state or not.
protected  void mergeAuthenticationState(Subject subject)
          Merges the Subject's current authentication state with whatever may be in any available session.
protected  void mergePrincipals(Subject subject)
          Merges the Subject's current Subject.getPrincipals() with whatever may be in any available session.
protected  void removeFromSession(Subject subject)
          Removes any existing subject state from the Subject's session (if the session exists).
 Subject save(Subject subject)
          Saves the subject's state to the subject's session only if isSessionStorageEnabled(subject).
protected  void saveToSession(Subject subject)
          Saves the subject's state (its principals and authentication state) to its session.
 void setSessionStorageEvaluator(SessionStorageEvaluator sessionStorageEvaluator)
          Sets the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

DefaultSubjectDAO

public DefaultSubjectDAO()
Method Detail

isSessionStorageEnabled

protected boolean isSessionStorageEnabled(Subject subject)
Determines if the subject's session will be used to persist subject state or not. This implementation merely delegates to the internal SessionStorageEvaluator (a DefaultSessionStorageEvaluator by default).

Parameters:
subject - the subject to inspect to determine if the subject's session will be used to persist subject state or not.
Returns:
true if the subject's session will be used to persist subject state, false otherwise.
See Also:
setSessionStorageEvaluator(SessionStorageEvaluator), DefaultSessionStorageEvaluator

getSessionStorageEvaluator

public SessionStorageEvaluator getSessionStorageEvaluator()
Returns the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session. The default instance is a DefaultSessionStorageEvaluator.

Returns:
the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session.
See Also:
DefaultSessionStorageEvaluator

setSessionStorageEvaluator

public void setSessionStorageEvaluator(SessionStorageEvaluator sessionStorageEvaluator)
Sets the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session. The default instance is a DefaultSessionStorageEvaluator.

Parameters:
sessionStorageEvaluator - the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session.
See Also:
DefaultSessionStorageEvaluator

save

public Subject save(Subject subject)
Saves the subject's state to the subject's session only if isSessionStorageEnabled(subject). If session storage is not enabled for the specific Subject, this method does nothing.

In either case, the argument Subject is returned directly (a new Subject instance is not created).

Specified by:
save in interface SubjectDAO
Parameters:
subject - the Subject instance for which its state will be created or updated.
Returns:
the same Subject passed in (a new Subject instance is not created).

saveToSession

protected void saveToSession(Subject subject)
Saves the subject's state (its principals and authentication state) to its session. The session can be retrieved at a later time (typically from a SessionManager) to be used to recreate the Subject instance.

Parameters:
subject - the subject for which state will be persisted to its session.

mergePrincipals

protected void mergePrincipals(Subject subject)
Merges the Subject's current Subject.getPrincipals() with whatever may be in any available session. Only updates the Subject's session if the session does not match the current principals state.

Parameters:
subject - the Subject for which principals will potentially be merged into the Subject's session.

mergeAuthenticationState

protected void mergeAuthenticationState(Subject subject)
Merges the Subject's current authentication state with whatever may be in any available session. Only updates the Subject's session if the session does not match the current authentication state.

Parameters:
subject - the Subject for which authentication state will potentially be merged into the Subject's session.

removeFromSession

protected void removeFromSession(Subject subject)
Removes any existing subject state from the Subject's session (if the session exists). If the session does not exist, this method does not do anything.

Parameters:
subject - the subject for which any existing subject state will be removed from its session.

delete

public void delete(Subject subject)
Removes any existing subject state from the subject's session (if the session exists).

Specified by:
delete in interface SubjectDAO
Parameters:
subject - the Subject instance for which any persistent state should be deleted.


Copyright © 2004-2012 The Apache Software Foundation. All Rights Reserved.