1 | /* | |
2 | * Licensed to the Apache Software Foundation (ASF) under one | |
3 | * or more contributor license agreements. See the NOTICE file | |
4 | * distributed with this work for additional information | |
5 | * regarding copyright ownership. The ASF licenses this file | |
6 | * to you under the Apache License, Version 2.0 (the | |
7 | * "License"); you may not use this file except in compliance | |
8 | * with the License. You may obtain a copy of the License at | |
9 | * | |
10 | * http://www.apache.org/licenses/LICENSE-2.0 | |
11 | * | |
12 | * Unless required by applicable law or agreed to in writing, | |
13 | * software distributed under the License is distributed on an | |
14 | * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | |
15 | * KIND, either express or implied. See the License for the | |
16 | * specific language governing permissions and limitations | |
17 | * under the License. | |
18 | */ | |
19 | package org.apache.shiro.web.mgt; | |
20 | ||
21 | import org.apache.shiro.mgt.DefaultSessionStorageEvaluator; | |
22 | import org.apache.shiro.session.mgt.NativeSessionManager; | |
23 | import org.apache.shiro.session.mgt.SessionManager; | |
24 | import org.apache.shiro.subject.Subject; | |
25 | import org.apache.shiro.web.subject.WebSubject; | |
26 | import org.apache.shiro.web.util.WebUtils; | |
27 | ||
28 | /** | |
29 | * A web-specific {@code SessionStorageEvaluator} that performs the same logic as the parent class | |
30 | * {@link DefaultSessionStorageEvaluator} but additionally checks for a request-specific flag that may enable or | |
31 | * disable session access. | |
32 | * <p/> | |
33 | * This implementation usually works in conjunction with the | |
34 | * {@link org.apache.shiro.web.filter.session.NoSessionCreationFilter}: If the {@code NoSessionCreationFilter} | |
35 | * is configured in a filter chain, that filter will set a specific | |
36 | * {@code ServletRequest} {@link javax.servlet.ServletRequest#setAttribute attribute} indicating that session creation | |
37 | * should be disabled. | |
38 | * <p/> | |
39 | * This {@code DefaultWebSessionStorageEvaluator} will then inspect this attribute, and if it has been set, will return | |
40 | * {@code false} from the {@link #isSessionStorageEnabled(org.apache.shiro.subject.Subject)} method (unless the subject | |
41 | * already has a session, which remains usable), thereby preventing Shiro from creating a session to store subject state. | |
42 | * <p/> | |
43 | * If the request attribute has | |
44 | * not been set (i.e. the {@code NoSessionCreationFilter} is not configured or has been disabled), this class does | |
45 | * nothing and delegates to the parent class for existing behavior. | |
46 | * | |
47 | * @since 1.2 | |
48 | */ | |
public class DefaultWebSessionStorageEvaluator extends DefaultSessionStorageEvaluator {

    // Present since 1.2.1. Stays null unless setSessionManager is called, in which case
    // the SHIRO-350 compatibility check in isSessionStorageEnabled(Subject) is skipped.
    private SessionManager sessionManager;

    /**
     * Supplies the session manager that is consulted when deciding whether session storage is possible
     * for a given subject.
     *
     * @param sessionManager the session manager instance to check against
     * @since 1.2.1
     */
    // Deliberately package-private so that point releases stay interchangeable
    // (moving from 1.2.3 back to 1.2.1 must always work).
    void setSessionManager(SessionManager sessionManager) {
        this.sessionManager = sessionManager;
    }

    /**
     * Decides whether the given subject's state may be stored in a session. The checks run in this order:
     * <ol>
     * <li>If the subject already has a session, {@code true} is returned immediately. Neither the global
     * setting nor the request-specific flag is consulted in that case, so a request that is meant to be
     * session-free can still use a session that was created earlier.</li>
     * <li>If the super class's global property {@link #isSessionStorageEnabled()} is {@code false},
     * {@code false} is returned.</li>
     * <li>If the subject is not a {@link WebSubject} and a session manager has been set that is not a
     * {@link NativeSessionManager}, {@code false} is returned (SHIRO-350).</li>
     * <li>Otherwise the result of {@code WebUtils._isSessionCreationEnabled(subject)} is returned, which is
     * where a request-specific override can turn session storage off for the current request.</li>
     * </ol>
     *
     * @param subject the {@code Subject} for which session state persistence may be enabled
     * @return {@code true} if an existing session can be reused, or if session storage is enabled globally,
     *         is compatible with the configured session manager, and has not been turned off for the
     *         current request; {@code false} otherwise
     */
    @SuppressWarnings({"SimplifiableIfStatement"})
    @Override
    public boolean isSessionStorageEnabled(Subject subject) {
        // getSession(false) only looks up a session; an existing one is always reused.
        final boolean sessionAlreadyExists = subject.getSession(false) != null;
        if (sessionAlreadyExists) {
            return true;
        }

        // The global switch on the parent class wins over everything below.
        final boolean globallyEnabled = isSessionStorageEnabled();
        if (!globallyEnabled) {
            return false;
        }

        // SHIRO-350 (since 1.2.1): a non-web subject cannot be saved to a web-only session manager.
        final SessionManager manager = this.sessionManager;
        final boolean webOnlyManager = manager != null && !(manager instanceof NativeSessionManager);
        final boolean webSubject = subject instanceof WebSubject;
        if (webOnlyManager && !webSubject) {
            return false;
        }

        // Last, honor the per-request setting.
        return WebUtils._isSessionCreationEnabled(subject);
    }

}