Coverage Report - org.apache.shiro.web.mgt.DefaultWebSessionStorageEvaluator
 
Classes in this File Line Coverage Branch Coverage Complexity
DefaultWebSessionStorageEvaluator
100%
10/10
90%
9/10
5
 
 1  
 /*
 2  
  * Licensed to the Apache Software Foundation (ASF) under one
 3  
  * or more contributor license agreements.  See the NOTICE file
 4  
  * distributed with this work for additional information
 5  
  * regarding copyright ownership.  The ASF licenses this file
 6  
  * to you under the Apache License, Version 2.0 (the
 7  
  * "License"); you may not use this file except in compliance
 8  
  * with the License.  You may obtain a copy of the License at
 9  
  *
 10  
  *     http://www.apache.org/licenses/LICENSE-2.0
 11  
  *
 12  
  * Unless required by applicable law or agreed to in writing,
 13  
  * software distributed under the License is distributed on an
 14  
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 15  
  * KIND, either express or implied.  See the License for the
 16  
  * specific language governing permissions and limitations
 17  
  * under the License.
 18  
  */
 19  
 package org.apache.shiro.web.mgt;
 20  
 
 21  
 import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
 22  
 import org.apache.shiro.session.mgt.NativeSessionManager;
 23  
 import org.apache.shiro.session.mgt.SessionManager;
 24  
 import org.apache.shiro.subject.Subject;
 25  
 import org.apache.shiro.web.subject.WebSubject;
 26  
 import org.apache.shiro.web.util.WebUtils;
 27  
 
 28  
 /**
 29  
  * A web-specific {@code SessionStorageEvaluator} that performs the same logic as the parent class
 30  
  * {@link DefaultSessionStorageEvaluator} but additionally checks for a request-specific flag that may enable or
 31  
  * disable session access.
 32  
  * <p/>
 33  
  * This implementation usually works in conjunction with the
 34  
  * {@link org.apache.shiro.web.filter.session.NoSessionCreationFilter}:  If the {@code NoSessionCreationFilter}
 35  
  * is configured in a filter chain, that filter will set a specific
 36  
  * {@code ServletRequest} {@link javax.servlet.ServletRequest#setAttribute attribute} indicating that session creation
 37  
  * should be disabled.
 38  
  * <p/>
 39  
  * This {@code DefaultWebSessionStorageEvaluator} will then inspect this attribute, and if it has been set, will return
 40  
  * {@code false} from {@link #isSessionStorageEnabled(org.apache.shiro.subject.Subject)} method, thereby preventing
 41  
  * Shiro from creating a session for the purpose of storing subject state.
 42  
  * <p/>
 43  
  * If the request attribute has
 44  
  * not been set (i.e. the {@code NoSessionCreationFilter} is not configured or has been disabled), this class does
 45  
  * nothing and delegates to the parent class for existing behavior.
 46  
  *
 47  
  * @since 1.2
 48  
  */
 49  20
 public class DefaultWebSessionStorageEvaluator extends DefaultSessionStorageEvaluator {
 50  
 
 51  
     //since 1.2.1
 52  
     private SessionManager sessionManager;
 53  
 
 54  
     /**
 55  
      * Sets the session manager to use when checking to see if session storage is possible.
 56  
      * @param sessionManager the session manager instance for checking.
 57  
      * @since 1.2.1
 58  
      */
 59  
     //package protected on purpose to maintain point-version compatibility: (1.2.3 -> 1.2.1 should work always).
 60  
     void setSessionManager(SessionManager sessionManager) {
 61  22
         this.sessionManager = sessionManager;
 62  22
     }
 63  
 
 64  
     /**
 65  
      * Returns {@code true} if session storage is generally available (as determined by the super class's global
 66  
      * configuration property {@link #isSessionStorageEnabled()} and no request-specific override has turned off
 67  
      * session storage, {@code false} otherwise.
 68  
      * <p/>
 69  
      * This means session storage is disabled if the {@link #isSessionStorageEnabled()} property is {@code false} or if
 70  
      * a request attribute is discovered that turns off session storage for the current request.
 71  
      *
 72  
      * @param subject the {@code Subject} for which session state persistence may be enabled
 73  
      * @return {@code true} if session storage is generally available (as determined by the super class's global
 74  
      *         configuration property {@link #isSessionStorageEnabled()} and no request-specific override has turned off
 75  
      *         session storage, {@code false} otherwise.
 76  
      */
 77  
     @SuppressWarnings({"SimplifiableIfStatement"})
 78  
     @Override
 79  
     public boolean isSessionStorageEnabled(Subject subject) {
 80  13
         if (subject.getSession(false) != null) {
 81  
             //use what already exists
 82  2
             return true;
 83  
         }
 84  
 
 85  11
         if (!isSessionStorageEnabled()) {
 86  
             //honor global setting:
 87  1
             return false;
 88  
         }
 89  
 
 90  
         //SHIRO-350: non-web subject instances can't be saved to web-only session managers:
 91  
         //since 1.2.1:
 92  10
         if (!(subject instanceof WebSubject) && (this.sessionManager != null && !(this.sessionManager instanceof NativeSessionManager))) {
 93  1
             return false;
 94  
         }
 95  
 
 96  9
         return WebUtils._isSessionCreationEnabled(subject);
 97  
     }
 98  
 
 99  
 
 100  
 }