org.apache.shiro.session.mgt
Class DefaultSessionContext
java.lang.Object
org.apache.shiro.util.MapContext
org.apache.shiro.session.mgt.DefaultSessionContext
- All Implemented Interfaces:
- Serializable, Map<String,Object>, SessionContext
public class DefaultSessionContext
- extends MapContext
- implements SessionContext
Default implementation of the SessionContext interface which provides getters and setters that wrap interaction with the underlying backing context map.
- Since:
- 1.0
- See Also:
- Serialized Form
Nested classes/interfaces inherited from interface java.util.Map:
Map.Entry<K,V>
Methods inherited from class org.apache.shiro.util.MapContext:
clear, containsKey, containsValue, entrySet, get, getTypedValue, isEmpty, keySet, nullSafePut, put, putAll, remove, size, values
Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface java.util.Map:
clear, containsKey, containsValue, entrySet, equals, get, hashCode, isEmpty, keySet, put, putAll, remove, size, values
DefaultSessionContext
public DefaultSessionContext()
DefaultSessionContext
public DefaultSessionContext(Map<String,Object> map)
getHost
public String getHost()
- Description copied from interface: SessionContext
- Returns the originating host name or IP address (as a String) from where the Subject is initiating the Session.
See the setHost(String) JavaDoc for more about security policies based on the Session host.
- Specified by:
- getHost in interface SessionContext
- Returns:
- the originating host name or IP address (as a String) from where the Subject is initiating the Session.
- See Also:
- setHost(String)
setHost
public void setHost(String host)
- Description copied from interface: SessionContext
- Sets the originating host name or IP address (as a String) from where the Subject is initiating the Session.
In web-based systems, this host can be inferred from the incoming request, e.g. via the javax.servlet.ServletRequest#getRemoteAddr() or javax.servlet.ServletRequest#getRemoteHost() methods, or in socket-based systems, it can be obtained via inspecting the socket initiator's host IP.
Most secure environments should specify a valid, non-null host, since knowing the host allows for more flexibility when securing a system: by requiring a host, access control policies can also ensure access is restricted to specific client locations in addition to Subject principals, if so desired.
Caveat - if clients to your system are on a public network (as would be the case for a public web site), odds are high the clients can be behind a NAT (Network Address Translation) router or HTTP proxy server. If so, all clients accessing your system behind that router or proxy will have the same originating host. If your system is configured to allow only one session per host, then the next request from a different NAT or proxy client will fail and access will be denied for that client. Just be aware that host-based security policies are best utilized in LAN or private WAN environments when you can ensure clients will not share IPs or be behind such NAT routers or proxy servers.
- Specified by:
- setHost in interface SessionContext
- Parameters:
- host - the originating host name or IP address (as a String) from where the Subject is initiating the Session.
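An added example (not code from the Shiro project) of the host-based policy described for setHost: a hypothetical LanOnlySessionStarter that sets a non-null host on a DefaultSessionContext and refuses to start a session for addresses outside one IPv4 range. The class and its method names are illustrative, and the address is assumed to be the IPv4 literal returned by ServletRequest#getRemoteAddr(); SessionManager.start(SessionContext) and HostUnauthorizedException are existing Shiro APIs.

```java
import org.apache.shiro.authz.HostUnauthorizedException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionContext;
import org.apache.shiro.session.mgt.SessionManager;

/** Hypothetical helper, not part of Shiro: starts sessions only for hosts in one IPv4 range. */
public class LanOnlySessionStarter {
    private final SessionManager sessionManager;
    private final int network; // allowed network as a 32-bit value
    private final int mask;    // netmask derived from the prefix length

    public LanOnlySessionStarter(SessionManager sessionManager, String networkAddr, int prefixLen) {
        if (prefixLen < 0 || prefixLen > 32) throw new IllegalArgumentException("bad prefix length");
        this.sessionManager = sessionManager;
        this.mask = prefixLen == 0 ? 0 : -1 << (32 - prefixLen); // Java treats a shift by 32 as a shift by 0
        this.network = parseIpv4(networkAddr) & mask;
    }

    /** remoteAddr is assumed to be the IPv4 literal from ServletRequest#getRemoteAddr(). */
    public Session start(String remoteAddr) {
        if (remoteAddr == null || !isAllowed(remoteAddr)) {
            throw new HostUnauthorizedException("Host is not permitted to start a session");
        }
        DefaultSessionContext context = new DefaultSessionContext();
        context.setHost(remoteAddr); // valid, non-null host, as the setHost documentation recommends
        return sessionManager.start(context);
    }

    boolean isAllowed(String addr) {
        try {
            return (parseIpv4(addr) & mask) == network;
        } catch (IllegalArgumentException e) {
            return false; // host names and malformed input are rejected, never resolved
        }
    }

    /** Strict dotted-quad parser; performs no DNS lookup on untrusted input. */
    static int parseIpv4(String s) {
        String[] parts = s.split("\\.", -1);
        if (parts.length != 4) throw new IllegalArgumentException("not an IPv4 literal");
        int value = 0;
        for (String p : parts) {
            if (!p.matches("\\d{1,3}") || Integer.parseInt(p) > 255) {
                throw new IllegalArgumentException("bad octet");
            }
            value = (value << 8) | Integer.parseInt(p);
        }
        return value;
    }
}
```

As the caveat above notes, behind a NAT router or HTTP proxy the address seen here is the router's or proxy's, so a check like this fits LAN or private WAN deployments.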
getSessionId
public Serializable getSessionId()
- Specified by:
- getSessionId in interface SessionContext
setSessionId
public void setSessionId(Serializable sessionId)
- Specified by:
- setSessionId in interface SessionContext
Copyright © 2004-2012 The Apache Software Foundation. All Rights Reserved.