AuthenticationStrategy
implementations.Authenticator implementations that performs the common work around authentication
attempts.CacheManager implementation that retains all created Cache instances in
an in-memory ConcurrentMap.ConcurrentMap.access to init parameters.SimpleHash implementation directly.source with no salt using a single hash iteration.source using the given salt using a single hash iteration.source using the given salt a total of
hashIterations times.Realm that authenticates with an LDAP
server to build the Subject for a user.NativeSessionManager interface, supporting
SessionListeners and application of the
globalSessionTimeout.RememberMeManager interface that handles
serialization and
encryption of the remembered user identity.DefaultSerializer as the serializer and
an AesCipherService as the cipherService.SessionDAO implementation that performs some sanity checks on session creation and reading and
allows for pluggable Session ID generation strategies if desired.sessionIdGenerator to be a
JavaUuidSessionIdGenerator.SessionManager interface, enabling configuration of an
application-wide globalSessionTimeout.ValidatingSessionManager interface.AuthenticationInfo and
AuthorizationInfo and represents authentication and authorization for a single account in a
single Realm.shiro-activeSessionCache.Realm that authenticates with an active directory LDAP
server to determine the roles for a particular user.creating filter chains.creating filter chains.chainName.chainName.preHandle,
postHandle,
and afterCompletion
hooks.CipherService using the AES cipher algorithm for all encryption, decryption, and key operations.CipherService instance using the AES cipher algorithm with the following
important cipher default attributes:
Attribute
Value
keySize
128 bits
blockSize
128 bits (required for AES
mode
CBC*
paddingScheme
PKCS5
initializationVectorSize
128 bits
generateInitializationVectors
true**
* The CBC operation mode is used instead of the JDK default ECB to
ensure strong encryption.aggregate argument without modification.aggregate method argument is not null and
aggregate.getPrincipals()
is not null, and if either is null, throws an AuthenticationException to indicate
that none of the realms authenticated successfully.singleRealmInfo into the
aggregateInfo and then returns the aggregate.info into the aggregate argument and returns it (just as the
parent implementation does), but additionally ensures the following:
if the Throwable argument is not null, re-throws it to immediately cancel the
authentication process, since this strategy requires all realms to authenticate successfully.
neither the info or aggregate argument is null to ensure that each
realm did in fact authenticate successfully
CacheManager has been set and is available for use via the
getCacheManager() method.applyCacheManagerToRealms() to allow the
newly set CacheManager to be propagated to the internal collection of Realm
that would need to use it.super.afterCacheManagerSet() and then immediately calls
applyCacheManagerToSessionManager() to ensure the
CacheManager is applied to the SessionManager as necessary.CacheManager instance being set on the realm instance via the
CachingRealm.setCacheManager(org.apache.shiro.cache.CacheManager) mutator.finally block even if preHandle returns
false or if an exception is thrown during filter chain processing.realms to the internal delegate Authenticator instance so
that it may use them during authentication attempts.super.afterRealmsSet() and then sets these same Realm objects on this
instance's wrapped Authorizer.true when matching credentials no matter what arguments
are passed in.implies method always returns true.AnnotationHandler who processes annotations of the
specified type.AnnotationMethodInterceptor with the
AnnotationHandler that will be used to process annotations of a
corresponding type.AnnotationMethodInterceptor with the
AnnotationHandler that will be used to process annotations of a
corresponding type, using the specified AnnotationResolver to acquire annotations
at runtime.methodInterceptors attribute to contain two interceptors by default - the
RoleAnnotationMethodInterceptor and the
PermissionAnnotationMethodInterceptor to
support role and permission annotations.CacheManager on any internal configured
Realms that implement the CacheManagerAware interface.SessionManager is injected with the newly set
CacheManager so it may use it for its internal caching needs.ModularRealmAuthorizer.getPermissionResolver() on any internal configured
Realms that implement the PermissionResolverAware interface.ModularRealmAuthorizer.getRolePermissionResolver() on any internal configured
Realms that implement the RolePermissionResolverAware interface.JoinPoint into a MethodInvocation amd to perform the
authorization of method invocations.methodInterceptors collection, and for each one,
ensures that if the interceptor
supports
the invocation, that the interceptor
asserts
that the invocation is authorized to proceed.Subject is authenticated, and if not, throws an
UnauthenticatedException indicating the method is not allowed to be executed.MethodInvocation.Subject is NOT a user, that is, they do not
have an identity before continuing.Subject has the Annotation's specified permissions, and if not, throws an
AuthorizingException indicating access is denied.Subject has the Annotation's specified roles, and if not, throws an
AuthorizingException indicating that access is denied.Subject is a user, that is, they are either
authenticated or remembered via remember
me services before allowing access, and if not, throws an
AuthorizingException indicating access is not allowed.AuthenticationToken's credentials match the stored account
AuthenticationInfo's credentials, and if not, throws an AuthenticationException.Authorizer implementation methods to ensure that the realms
has been set.Callable instance matching the given argument while additionally ensuring that it will
retain and execute under this Subject's identity.Runnable instance matching the given argument while additionally ensuring that it will
retain and execute under this Subject's identity.Runnable with the currently executing subject
and then return the associated Runnable.Authenticator interface that functions in the following manner:
Calls template doAuthenticate method for subclass execution of the actual
authentication behavior.
If an AuthenticationException is thrown during doAuthenticate,
notify any registered
AuthenticationListeners of the exception and then propogate the exception
for the caller to handle.
If no exception is thrown (indicating a successful login),
notify any registered
AuthenticationListeners of the successful attempt.
Return the AuthenticationInfo
AuthenticationToken.Authenticator for authentication.WWW-AuthenticateSubject being built will be considered
authenticated.RequiresAuthentication annotations and ensures the calling subject is
authenticated before allowing access.RequiresAuthentication annotations.RequiresAuthenticated annotation
is declared, and if so, ensures the calling
Subject.isAuthenticated() before invoking
the method.RequiresAuthentication annotations in a method
declaration.AuthenticationFilter that is capable of automatically performing an authentication attempt
based on the incoming request.SecurityManager class hierarchy that delegates all
authentication operations to a wrapped Authenticator instance.authenticator instance to a
ModularRealmAuthenticator.AuthenticationInfo represents a Subject's (aka user's) stored account information relevant to the
authentication/log-in process only.AuthenticationListener listens for notifications while Subjects authenticate with the system.AuthenticationStrategy implementation assists the ModularRealmAuthenticator during the
log-in process in a pluggable realm (PAM) environment.AuthorizationAuthorizationInfo represents a single Subject's stored authorization data (roles, permissions, etc)
used during authorization (access control) checks only.AuthorizingAnnotationHandler who processes annotations of the
specified type.handler is set which will be used to perform the
authorization assertion checks when a supported annotation is encountered.AuthorizingRealm extends the AuthenticatingRealm's capabilities by adding Authorization
(access control) support.SecurityManager class hierarchy that delegates all
authorization (access control) operations to a wrapped Authorizer instance.ModularRealmAuthorizer.HashFormat that outputs only the hash's digest bytes in Base64 format.authenticated for the
request to continue, and if they're not, requires the user to login via the HTTP Basic protocol-specific challenge.JoinPoint.BeforeAdviceMethodInvocationAdapter instance.new SimpleAuthenticationInfo();, which supports
aggregating account data across realms.token - called before any Realm is actually invoked.null immediately, relying on this class's merge implementation to return
only the first info object it encounters, ignoring all subsequent ones.aggregate method argument, without modification.Realm supports the given
token argument.SessionListeners for notification
that the session has been invalidated (stopped or expired).save(subject).Subject and SecurityManager to the
ThreadContext so they can be retrieved later by any
SecurityUtils.getSubject() calls that might occur
during the thread's execution.CipherService using the Blowfish cipher algorithm for all encryption, decryption, and key operations.CipherService instance using the Blowfish cipher algorithm with the following
important cipher default attributes:
Attribute
Value
keySize
128 bits
blockSize
64 bits (required for Blowfish)
mode
CBC*
paddingScheme
PKCS5
initializationVectorSize
64 bits
generateInitializationVectors
true**
* The CBC operation mode is used instead of the JDK default ECB to
ensure strong encryption.HashRequest instance reflecting the specified configuration.WildcardPermission conventions.Subject instance reflecting the cumulative state acquired by the
other methods in this class.super.buildSubject(), but additionally ensures that the returned instance
is an instanceof WebSubject and to support a type-safe method so a caller
does not have to cast.ByteSource instance representing the specified byte array.ByteSource instance representing the specified character array's bytes.ByteSource instance representing the specified string's bytes.ByteSource instance representing the specified ByteSource.ByteSource instance representing the specified File's bytes.ByteSource instance representing the specified InputStream's bytes.ByteSource instance representing the specified byte source argument.ByteSource wraps a byte array and provides additional encoding operations.sessionId.sessionId.CacheException.CacheException.CacheException.CacheException.Cache instances.Realm interface that provides caching support for subclasses.cachingEnabled (for general caching) to true and sets a
default name based on the class name.Subject implementation to be used in CAS-enabled applications.Permission.implies(Permission) implies} the specified Permission.isPermitted(permission), throws
an UnauthorizedException otherwise returns quietly.isPermitted(permission), throws
an UnauthorizedException otherwise returns quietly.implies the specified Permission.implies all of the
specified permission strings.implies all of the
specified permission strings.isPermitted(permission),
throws an UnauthorizedException otherwise returns quietly.isPermitted(permission) for
all the given Permissions, throws
an UnauthorizedException otherwise returns quietly.implies all of the
specified permission strings.implies all of the
specified permission strings.AuthorizationException if they do not.hasRole(role), throws
an UnauthorizedException otherwise returns quietly.AuthorizationException if they do not.AuthorizationException if they do not.checkRoles(PrincipalCollection subjectPrincipal, Collection<String> roleIdentifiers) but doesn't require a collection
as an argument.checkRole for each role specified.AuthorizationException if they do not.checkRoles(Collection roleIdentifiers) but
doesn't require a collection as a an argument.InvalidSessionException indicating that the session id is invalid.CipherService uses a cryptographic algorithm called a
Cipher to convert an original input source using a key to
an uninterpretable format.classpath:Classes, such as acquiring them from the
application ClassLoaders and instantiating Objects from them.AccessControlFilter.onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse, java.lang.Object) and swallow the exception if the exception is
UnauthenticatedException.finally code block in the
doFilterInternal
implementation.removes the ThreadContext state.ThreadContext state.InputStream, logging any
IOException that might occur.CodecException.CodecException.CodecException.CodecException.WebEnvironment instance:
shiroConfigLocationsHashService that allows configuration of its strategy via JavaBeans-compatible setter methods.Map used to construct the
Subject instance.WebEnvironment instance created by
the EnvironmentLoaderListener.contextInitialized(javax.servlet.ServletContextEvent) method.WebEnvironment and binds it to the ServletContext at application
startup for future reference.org.aopalliance.intercept.MethodInvocation and then
calls methodInvocation.proceed()cipherService is available, it will be used to first decrypt the byte array.Ini instance.salt argument's bytes and returns them in the form of a ByteSource instance.source argument's bytes and returns them in the form of a ByteSource instance.principals to a Cookie
for later retrieval.CookieRememberMeManager with a default rememberMe cookie template.AbstractSessionDAO.doCreate(org.apache.shiro.session.Session) method, and then
asserting that the returned sessionId is not null.super.create(session), then caches the session keyed by the returned sessionId, and then
returns this sessionId.AuthenticationInfo resulting from a Subject's successful LDAP authentication attempt.Cache instance associated with the specified name.MapCache instance backed by a SoftHashMap.chainName with the specified chainDefinition
String.new DefaultWebSecurityManager(); to ensure a web-capable
SecurityManager is available by default.WebEnvironment based on the specified ServletContext.BeforeAdviceMethodInvocationAdapter instance
using the AspectJ JoinPoint provided.Ini instance reflecting the specified path, or null if the path does not exist and
is not required.securityManager
property has been set
Creates a FilterChainManager instance that reflects the
configured filters and
filter chain definitions
Wraps the FilterChainManager with a suitable
FilterChainResolver since the Shiro Filter
implementations do not know of FilterChainManagers
Sets both the SecurityManager and FilterChainResolver instances on a new Shiro Filter
instance and returns that filter instance.
InitialLdapContext instance.InitialLdapContext instance.MethodInvocation that wraps an
org.aopalliance.intercept.MethodInvocation instance,
enabling Shiro Annotations in AOP Alliance environments
(Spring, etc).Realm from the Ini instance containing account data.RemoteInvocation with the current session ID as an
attribute.Session Session instance based on the specified (possibly null)
initialization data.Session instance based on the specified contextual initialization data.SimpleSession instance retaining the context's
host if one can be found.Subject instance for the user represented by the given method arguments.SubjectContext is as populated as it can be, using heuristics to acquire
data that may not have already been available to it (such as a referenced session or remembered principals).
Calls DefaultSecurityManager.doCreateSubject(org.apache.shiro.subject.SubjectContext) to actually perform the
Subject instance creation.
calls save(subject) to ensure the constructed
Subject's state is accessible for future requests/invocations if necessary.
returns the constructed Subject instance.
Subject instance reflecting the specified contextual data.WebSubject instance to associate with the incoming request/response pair which will be used
throughout the request/response execution.InputStream, decrypts it, and sends the resulting decrypted data
to the given OutputStream.cipherService.request.getCharacterEncoding
returns null, according to the Servlet spec.','30 minutes./login.jsp, which can be overridden by calling the
setLoginUrl method.-1, indicating the cookie should expire when the browser closes.rememberMe.JdbcRealm.saltStyle is COLUMN.SecurityManager instance may be acquired, equal to
securityManager.AbstractValidatingSessionManager.setSessionValidationInterval(long)QuartzSessionValidationScheduler.setSessionValidationInterval(long)-1 indicating that no version property should be set on the cookie.AnnotationResolver implementation that merely inspects the
MethodInvocation's target method,
and returns targetMethod.getAnnotation(class).DefaultBlockCipherService using the specified block cipher algorithmName.Environment implementation that stores Shiro objects as key-value pairs in a
Map instance.ConcurrentHashMap backing map.FilterChainManager implementation maintaining a map of Filter instances
(key: filter name, value: Filter) as well as a map of NamedFilterLists created from these
Filters (key: filter chain name, value: NamedFilterList).HashFormatFactory implementation heuristically determines a HashFormat class to
instantiate based on the input argument and returns a new instance of the discovered class.HashService interface, supporting a customizable hash algorithm name,
secure-random salt generation, multiple hash iterations and an optional internal
privateSalt.DefaultHashService instance with the following defaults:
hashAlgorithmName = SHA-512
hashIterations = 1
randomNumberGenerator =
new SecureRandomNumberGenerator()
generatePublicSalt = false
If this hashService will be used for password hashing it is recommended to set the
privateSalt and significantly increase the number of
hashIterations.JndiLdapContextFactory implementation. This implementation will be removed
prior to Shiro 2.0PasswordService interface that relies on an internal
HashService, HashFormat, and HashFormatFactory to function:SecurityManager interface,
based around a collection of Realms.realms.SessionContext interface which provides getters and setters that
wrap interaction with the underlying backing context map.SessionKey interface, which allows setting and retrieval of a concrete
sessionId that the SessionManager implementation can use to look up a
Session instance.ValidatingSessionManager.SessionStorageEvaluator that provides reasonable control over if and how Sessions may be used for
storing Subject state.SubjectContext interface.SubjectDAO implementation that stores Subject state in the Subject's Session by default (but this
can be disabled - see below).SubjectFactory implementation that creates DelegatingSubject
instances.WebEnvironment implementation based on a backing Map instance.WebSecurityManager implementation used in web-based applications or any
application that requires HTTP connectivity (SOAP, http remoting, etc).WebSessionContext interface which provides getters and setters that
wrap interaction with the underlying backing context map.SessionManager implementation.SessionStorageEvaluator that performs the same logic as the parent class
DefaultSessionStorageEvaluator but additionally checks for a request-specific flag that may enable or
disable session access.WebSubjectContext implementation that provides for additional storage and retrieval of
a ServletRequest and ServletResponse.SubjectFactory implementation that creates WebDelegatingSubject instances.Session.Subject interface that delegates
method calls to an underlying SecurityManager instance for security checks.DefaultSecurityManager.logout(org.apache.shiro.subject.Subject)..Subject instance.CachingSessionDAO.doDelete(org.apache.shiro.session.Session).session.ObjectInputStream using a source
ByteArrayInputStream constructed with the argument byte array.serialized source back into an Object by using a
ByteArrayInputStream to wrap the argument and then decode this
stream via an XMLDecoder, where the
readObject call results in the original Object to return.serializer's
deserialize method.Destroyable.cacheManager via LifecycleUtils.destroy.destroy for each object in the collection.WebEnvironment for the given servlet context.IniWebEnvironment or a custom class if specified.Subject
session, but that Subject's sessions are disabled.Realms.AuthenticatingRealm.clearCachedAuthenticationInfo(org.apache.shiro.subject.PrincipalCollection).super.doClearCache to ensure any cached authentication data is removed and then calls
AuthorizingRealm.clearCachedAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) to remove any cached
authorization data.Subject instance by delegating to the internal
subjectFactory.true always no matter what the method arguments are.true if the provided token credentials match the stored account credentials,
false otherwise.token's credentials, potentially using a
salt if the info argument is a
SaltedAuthenticationInfo.token's credentials
(via getCredentials(token))
and then the account's credentials
(via getCredentials(account)) and then passes both of
them to the equals(tokenCredentials, accountCredentials) method for equality
comparison.doFilter implementation stores a request attribute for
"already filtered", proceeding without filtering again if the
attribute is already there.doFilterInternal implementation that sets-up, executes, and cleans-up a Shiro-filtered request.OncePerRequestFilter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain),
but guaranteed to be invoked only once per request.JndiLdapRealm.queryForAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken, LdapContextFactory),
wrapping any NamingExceptions in a Shiro AuthenticationException to satisfy the parent method
signature.namepath against the given pattern.AuthenticationStrategy object
as each realm is consulted for AuthenticationInfo for the specified token.null if a
session with that ID could not be found.Session's state to the underlying EIS.Cache implementation that wraps an Ehcache instance.CacheManager implementation utilizing the Ehcache framework for all cache functionality.ScheduledExecutorService to validate sessions at fixed intervals
and enables this scheduler.QuartzSessionValidationJob, and scheduling it with the Quartz scheduler.H64-encoded String.InputStream, encrypts it, and sends the resulting encrypted data to the
given OutputStream.cipherService.SecurityManager instance in the context, and if not, adds 'this' to the
context.Environment instance encapsulates all of the objects that Shiro requires to function.WebEnvironment implementation class to use:
shiroEnvironmentClassEnvironment instances or configuration.EnvironmentLoader is responsible for loading a web application's Shiro WebEnvironment
(which includes the web app's WebSecurityManager) into the
ServletContext at application startup.WebEnvironment at ServletContext startup and shutdown respectively.true if the tokenCredentials argument is logically equal to the
accountCredentials argument.true if the specified object is also a SimpleAccount and its
principals are equal to this object's principals, false otherwise.true if the Object argument is an instanceof SimpleAuthenticationInfo and
its principals are equal to this instance's principals, false otherwise.true if the specified object is a Hash and its byte array is identical to
this Hash's byte array, false otherwise.true if the specified object is a Hash and its byte array is identical to
this Hash's byte array, false otherwise.Subject and then
dispatches the associated Runnable to the underlying target Executor instance.Callable with this Subject instance and then executes it on the
currently running thread.Runnable with this Subject instance and then executes it on the
currently running thread.FilterChain for the given request.chain.doFilter(request,response);.Subject executes a
Callable.ScheduledExecutorService to call ValidatingSessionManager.validateSessions() every
interval milliseconds.file:AuthenticationStrategy implementation that only accepts the account data from
the first successfully consulted Realm and ignores all subsequent realms.Subject instance.WebSubject's request/response pair.WebSubjectContext's request/response pair.hash != null ? hash.toBase64() : null.hash != null ? hash.toHex() : null.loginUrl you configure.context class loader, then the
current ClassLoader (ClassUtils.class.getClassLoader()), then the system/application
ClassLoader (ClassLoader.getSystemClassLoader(), in that order.Ini instance loaded with the INI-formatted data in the resource at the given path.Random's nextLong() invocation.Session instance.Key suitable for this CipherService's algorithm
by calling generateNewKey(128) (uses a 128 bit size by default).Key of the specified size suitable for this CipherService
(based on the algorithmName using the JDK KeyGenerator.session instance.key or
null if there is no Cache entry for that key.key that is bound to
the current thread.GET.CacheManager.MessageDigest algorithm name
to use when performing the hash.SHA-256, MD5, etc.HashService should use when computing the Hash, or
null if the default algorithm configuration of the HashService should be used.MessageDigest algorithm name to use when performing the hash.Annotation instance of the specified type based on the given
MethodInvocation argument, or null if no annotation
of that type could be found.value, from which the Permission will be constructed.WWW-Authenticate header.WWW-Authenticate header scheme that this filter will use when sending
the HTTP Basic challenge response.Cache instance to use for authentication caching, or null if no cache has been
set.AuthenticationInfo instances are cached if authentication caching is enabled.AuthenticationInfo instances are cached if authentication caching is enabled.Cache to lookup from any available cacheManager if
a cache is not explicitly configured via AuthenticatingRealm.setAuthenticationCache(org.apache.shiro.cache.Cache).AuthenticationInfo corresponding to the specified
AuthenticationToken argument.AuthenticationListeners that should be notified during authentication
attempts.AuthenticationStrategy utilized by this modular authenticator during a multi-realm
log-in attempt.Authenticator instance that this SecurityManager uses to perform all
authentication operations.principals,
or null if no account could be found.AUTHORIZATION_HEADER from the specified ServletRequest.Authorization header value that this filter will respond to as indicating
a login request.name.name.sessionId or null if there is
no session cached under that id (or if there is no Cache).CacheManager instance.activeSessionsCache if
one is not configured.ResourceUtils.getInputStreamForPath with the
path returned from getCacheManagerConfigFile().chainName or null if there is no chain with
that name.null if the
original chain should be used.Set if no chains have been configured.CipherService to use for encrypting and decrypting serialized identity data to prevent easy
inspection of Subject identity data.StringUtils.clean(String).SecurityManager and
FilterChainResolver used by the web application or null if the
configPath should be used to load a fallback INI source.config attribute.RememberMeManager.account identity.Hash instance representing the already-hashed AuthenticationInfo credentials stored in the system.token's credentials.account's credentials.this.authcInfo.getCredentials.password char array.CredentialsMatcher used during an authentication attempt to verify submitted
credentials with those stored in the system.null if no salt was used.null if no salt
was used or credentials were not hashed at all.null if no salt was used or credentials were not
hashed at all./WEB-INF/shiro.ini and classpath:shiro.ini.nextBytes().-1 if
that number is unknown or cannot be calculated.null if none should be used.LdapContext).FilterChain to execute for the given request.FilterChainResolver if one has been configured or null if one
is not available.FilterConfig provided by the Servlet container at webapp startup.FilterConfig instance provided at
startup.Filters managed by this manager, keyed by name.hashFormatAlias-to-fullyQualifiedHashFormatClassNameImplementation map.AnnotationHandler used to perform authorization behavior based on
an annotation discovered at runtime.Hash algorithmName to use
when performing hashes for credentials matching.HashFormat implementation class name in the specified
package based on the provided token.AuthenticationToken's credentials will be hashed before
comparing to the credentials stored in the system.Subject is initiating the
Session.null
if the host is unknown.Subject's originating location.HttpServletRequest.Ini instance reflecting this WebEnvironment's configuration.init-param, or null if there was no init-param
specified by that name.CLASSPATH_PREFIX,
URL_PREFIX, or FILE_PREFIX).Hash result.Session last interacted with the system.DefaultLdapContextFactory.getLdapContext(Object, Object) method should be used in all cases to ensure more than
String principals and credentials can be used. Shiro no longer calls this method - it will be
removed before the 2.0 release.JndiLdapContextFactory.getLdapContext(Object, Object) method should be used in all cases to ensure more than
String principals and credentials can be used. Shiro no longer calls this method - it will be
removed before the 2.0 release.LdapContextFactory.getLdapContext(Object, Object) method should be used in all cases to ensure more than
String principals and credentials can be used.LdapContext connection bound using the specified principal and
credentials.AccessControlFilter or null if no value should be assigned globally.-1 if
that number is unknown or cannot be calculated.-1 if that
number is unknown or cannot be calculated.Method to be invoked.Realm.Filter list.null if
no object with that name was found.AbstractShiroFilter concrete instance via the
ShiroFilterFactoryBean.createInstance() method.Permissions assigned to the corresponding Subject.AbstractShiroFilter.classPatternMatcher used when determining if an incoming request's path
matches a configured filter chain.WebUtils.getPathWithinApplication(request)
and can be overridden by subclasses for custom request-to-application-path resolution behavior.request.null
Subject before assuming the current
runAs identity, or null if this Subject is not operating under an assumed
identity (normal state).Realm principals, or null if there are
no principals yet.getUsername().null if this
Subject is anonymous because it doesn't yet have any associated account data (for example,
if they haven't logged in).PrincipalCollection or
null if this Subject is anonymous because it doesn't yet have any associated account data (for example,
if they haven't logged in).Subject should reflect.authorizationHeader.encoded String obtained from
the request's authorization header.null if no public salt should be used.Authenticator during an authentication attempt.Authorizer which are consulted during an authorization check.Realms managed by this SecurityManager instance.JNDI name and returns all
discovered Realms in an ordered collection.Realm instances that will be used to construct
the application's SecurityManager instance.acquiring
the remembered serialized byte array.null if there is no available data.null if the byte array could not be acquired.WebEnvironment for this web application, which is typically loaded via the
EnvironmentLoaderListener.AnnotationResolver to use to acquire annotations from intercepted
methods at runtime.context class loader, then the
current ClassLoader (ClassUtils.class.getClassLoader()), then the system/application
ClassLoader (ClassLoader.getSystemClassLoader(), in that order, using
getResourceAsStream(name).null
this.authzInfo.getRoles();AuthenticationInfo
returned from the Realm is a SaltedAuthenticationInfo instance and its
getCredentialsSalt() method returns a non-null value.
This method and the 1.0 behavior still exists for backwards compatibility if the Realm does not return
SaltedAuthenticationInfo instances, but it is highly recommended that Realm implementations
that support hashed credentials start returning SaltedAuthenticationInfo
instances as soon as possible.
This is because salts should always be obtained from the stored account information and
never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for
attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user
are almost impossible to break. This method will be removed in Shiro 2.0.null if no salt was used.HashService during hash computation, or null if no salt is
provided as part of the request.HashFormat implementations according to
heuristics defined in the getHashFormat(packageName, token) JavaDoc.Ini.Section with the given name or null if no section with that name exists.Ini instance or an empty collection if there are
no sections.null if the section or property do not exist.defaultValue if the section or
property do not exist.Ini instance or an empty collection if there are
no sections.SecureRandom backing this instance.SecurityManager instance accessible in the backing map using the
securityManagerName property as the lookup key.SecurityManager instance.SecurityManager instance to be used by the constructed Shiro Filter.Subject instance or
null if one has not yet been provided to this context.SecurityManager instance in the backing map.Serializer used to serialize and deserialize PrincipalCollection instances for
persistent remember me storage.ServletContext associated with this WebEnvironment instance.null if no
resource was found.ServletRequest received by the servlet container triggering the creation of the
Session instance.ServletRequest accessible when the Subject instance was created.ServletRequest received by the servlet container triggering the creation of the
Subject instance.ServletRequest associated with the component.ServletResponse corresponding to the associated servletRequest.ServletResponse accessible when the Subject instance was created.ServletResponse corresponding to the associated servletRequest.ServletResponse paired with the incoming
servletRequest.null if no Session could be found.Session associated with this Subject.Session associated with this Subject.Session to use when building the Subject instance.SessionFactory used to generate new Session instances.Subject instance.SessionIdGenerator used by the AbstractSessionDAO.generateSessionId(org.apache.shiro.session.Session)
method.SessionManager.SessionStorageEvaluator that will determine if a Subject's state may be persisted in
the Subject's session.HashService.Session started (was created).JcaCipherService.encrypt(java.io.InputStream, java.io.OutputStream, byte[]) and
JcaCipherService.decrypt(java.io.InputStream, java.io.OutputStream, byte[])).modeName attribute, but is used instead only for for streaming
operations (JcaCipherService.encrypt(java.io.InputStream, java.io.OutputStream, byte[]) and
JcaCipherService.decrypt(java.io.InputStream, java.io.OutputStream, byte[])).Subject associated with the currently-executing code.Subject associated with the currently-executing code.Executor instance.Subject available to the calling code depending on
runtime environment.Subject that may be in use at the time the new Subject instance is
being created.Subject instance managed by this ThreadState implementation.Subject.Subject instance, available to subclasses
since the context class attribute is marked as private.SubjectDAO responsible for persisting Subject state, typically used after login or when an
Subject identity is discovered (eg after RememberMe services).SubjectFactory responsible for creating Subject instances exposed to the application.AuthenticationFilter or null if no value should be assigned globally.JndiLdapContextFactory.getLdapContext(Object, Object) using the
systemUsername and systemPassword properties as
arguments.LdapContext connection bound using the system account, or
anonymously if no system account is configured.systemUsername that will be used when creating an
LDAP connection used for authorization queries.Session.getTimeout().Cipher
transformation string.Cipher.getInstance(java.lang.String) call.Cipher.getInstance(java.lang.String) invocation when
creating a new Cipher instance.get operation but additionally ensures that the value returned is of the specified
type.AuthenticationFilter or null if no value should be assigned globally.null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).LdapContext from the LdapContextFactory.null if no
userDnTemplate has been configured.setUserDnTemplate JavaDoc for a full explanation.System.getProperty("java.version").WebEnvironment for this web application, which is typically loaded via
EnvironmentLoaderListener.WebEnvironment for this web application.RequiresGuest annotation
is declared, and if so, ensures the calling Subject does not
have an identity before invoking the method.RequiresGuest annotations in a method
declaration.RequiresGuest annotation
is declared, and if so, ensures the calling Subject does not
have an identity before invoking the method.RequiresGuest annotations in a method
declaration.true iff any of the configured realms'
ModularRealmAuthorizer.hasRole(org.apache.shiro.subject.PrincipalCollection, String) call returns true for
all roles specified, false otherwise.true if this Subject has all of the specified roles, false otherwise.true if one or more configured chains are available, false if none are configured.salt for a single iteration.salt for the specified number of iterations.Hash represents a one-way conversion algorithm that transforms an input source to an
underlying byte array.salt for a single iteration.salt for the specified number of iterations.principals are not null, returns principals.hashCode(), otherwise
returns 0 (zero).principals instance.HashedCredentialMatcher provides support for hashing of supplied AuthenticationToken credentials
before being compared to those in the AuthenticationInfo from the data store.hashAlgorithmName to hash submitted
credentials.HashFormat is able to format a Hash instance into a well-defined formatted String.HashingPasswordService is a PasswordService that performs password encryption and comparisons
based on cryptographic Hashes.token's credentials using the salt stored with the account if the
info instance is an instanceof SaltedAuthenticationInfo (see
the class-level JavaDoc for why this is the preferred approach).hashIterations times, using the given salt.HashRequest is composed of data that will be used by a HashService to compute a hash (aka
'digest').HashRequest instances.HashService hashes input sources utilizing a particular hashing strategy.null nor of length 0.true if the resource path is not null and starts with one of the recognized
resource prefixes (CLASSPATH_PREFIX,
URL_PREFIX, or FILE_PREFIX), false otherwise.true if any of the configured realms'
ModularRealmAuthorizer.hasRole(org.apache.shiro.subject.PrincipalCollection, String) call returns true,
false otherwise.true if this Subject has the specified role, false otherwise.ModularRealmAuthorizer.hasRole(org.apache.shiro.subject.PrincipalCollection, String) for each role name in the specified
collection and places the return value from each call at the respective location in the returned array.HashFormat that outputs only The hash's digest bytes in hex format.Subject being built will reflect the specified host name or IP as its originating
location.HostAuthenticationToken retains the host information from where
an authentication attempt originates.http method actions map.Session implementation that is backed entirely by a standard servlet container
HttpSession instance.Session interface that proxies another Session, but does not
allow any 'write' operations to the underlying session.Session.true if this current instance implies all the functionality and/or resource access
described by the specified Permission argument, false otherwise.Ini instance.Ini instance with the specified defaults.Ini argument.Ini resolved from the specified
resourcePath.ShiroFilterinit for each object in the collection.filterConfig and then immediately calls
onFilterConfigSet() to trigger any processing a subclass might wish to perform.WebEnvironment instance
available to the currently accessible servletContext.WebEnvironment instance for the specified ServletContext based on the
EnvironmentLoader.CONFIG_LOCATIONS_PARAM value.filter.init( getFilterConfig() );.PermissionResolver.resolvePermission(String) when the String being parsed is not
valid for that resolver.MethodInvocation, allowing implementations to perform pre/post/finally
surrounding the actual invocation.methodInvocation is allowed to execute first before proceeding by calling the
assertAuthorized method first.methodInvocation.proceed()
if authorization is allowed by first
calling assertAuthorized.MethodInvocation instance and then immediately calls
super.invoke.false to always force authentication (user is never considered authenticated by this filter).true if the request is allowed to proceed through the filter normally, or false
if the request should be handled by the
onAccessDenied(request,response,mappedValue)
method instead.true if the request is a
loginRequest or
if the current subject
is not null, false otherwise.HttpServletRequest's method, appends that
action to each configured permission (the mappedValue argument is a String[] array), and
delegates the permission check for the newly constructed permission(s) to the superclass
isAccessAllowed
implementation to perform the actual permission check.ServletRequest.isSecure().true if this Subject/user proved their identity during their current session
by providing valid credentials matching those known to the system, false otherwise.true if the constructed Subject should be considered authenticated, false
otherwise.true if authentication caching should be utilized if a CacheManager has been
configured, false otherwise.true if authentication caching should be utilized based on the specified
AuthenticationToken and/or AuthenticationInfo, false otherwise.true if authorization caching should be utilized if a CacheManager has been
configured, false otherwise.true if the specified object can be easily converted to bytes by instances of this class,
false otherwise.true if the specified object can be easily represented as a ByteSource using
the ByteSource.Util's default heuristics, false otherwise.true if the specified object is a recognized data type that can be easily converted to
bytes by instances of this class, false otherwise.true if sessions should be automatically deleted after they are discovered to be invalid,
false if invalid sessions will be manually deleted by some process external to Shiro's control.true if no sections have been configured, or if there are sections, but the sections themselves
are all empty, false otherwise.true if this collection is empty, false otherwise.true if the underlying wrapped byte array is null or empty (zero length), false
otherwise.true if this Scheduler is enabled and ready to begin validation at the appropriate time,
false otherwise.OncePerRequestFilter.isEnabled(javax.servlet.ServletRequest, javax.servlet.ServletResponse) method, but additionally allows
for inspection of any path-specific configuration values corresponding to the specified request.true if this filter should generally* execute for any request,
false if it should let the request/response pass through immediately to the next
element in the FilterChain.true if this filter should filter the specified request, false if it should let the
request/response pass through immediately to the next element in the FilterChain.true if the specified URL should be encoded with
a session identifier.true if a public salt should be randomly generated and used to compute a hash if a
HashRequest does not specify a salt, false otherwise.AuthenticationInfo
returned from the Realm is a SaltedAuthenticationInfo instance and its
getCredentialsSalt() method returns a non-null value.
This method and the 1.0 behavior still exists for backwards compatibility if the Realm does not return
SaltedAuthenticationInfo instances, but it is highly recommended that Realm implementations
that support hashed credentials start returning SaltedAuthenticationInfo
instances as soon as possible.
This is because salts should always be obtained from the stored account information and
never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for
attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user
are almost impossible to break. This method will be removed in Shiro 2.0.true if this Account is locked and thus cannot be used to login, false otherwise.true if the specified authzHeader
starts with the same (case-insensitive) characters specified by the
authzScheme, false otherwise.true if the incoming request is a login request, false otherwise.isLoginAttempt.true if the request is an HTTP POST,
false otherwise.true if the mappedValue contains the AuthenticatingFilter.PERMISSIVE qualifier.true if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, String) returns true,
false otherwise.true if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, Permission) call returns true,
false otherwise.true if any of the configured realms'
ModularRealmAuthorizer.isPermittedAll(org.apache.shiro.subject.PrincipalCollection, String...) call returns
true, false otherwise.true if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, List) call returns true,
false otherwise.true if this Subject is permitted to perform an action or access a resource summarized by the
specified permission string.true if this Subject is permitted to perform an action or access a resource summarized by the
specified permission.true if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, String) call returns true
for all of the specified string permissions, false otherwise.true if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, Permission) call returns true
for all of the specified Permissions, false otherwise.true if this Subject implies all of the specified permission strings, false otherwise.true if this Subject implies all of the specified permissions, false otherwise.true if LDAP connection pooling should be used when acquiring a connection based on the specified
account principal, false otherwise.true if this Subject has an identity (it is not anonymous) and the identity
(aka principals) is remembered from a successful authentication during a previous
session.true if the submitting user wishes their identity (principal(s)) to be remembered
across sessions, false otherwise.true if "rememberMe" should be enabled for the login attempt associated with the
current request, false otherwise.true if this Subject is 'running as' another identity other than its original one or
false otherwise (normal Subject state).false always.true always.true if session management and storage is managed by the underlying Servlet container or
false if managed by Shiro directly (called 'native' sessions).true if the constructed Subject should be allowed to create a session, false
otherwise.true if this Subject is allowed to create sessions, false otherwise.true if session creation is allowed (as determined by the super class's
super#isSessionCreationEnabled() value and no request-specific override has disabled sessions for this subject,
false otherwise.Session (typically because an application developer
has called subject.getSession() already), Shiro will use that existing session to store subject state.
If a Subject does not yet have a Session, this implementation checks the
sessionStorageEnabled property:
If sessionStorageEnabled is true (the default setting), a new session may be created to persist
Subject state if necessary.
If sessionStorageEnabled is false, a new session will not be created to persist
session state.
Most applications use Sessions and are OK with the default true setting for sessionStorageEnabled.true if any Subject's Session may be used to persist that Subject's state,
false otherwise.true if the specified Subject's
session may be used to persist that Subject's
state, false otherwise.true if session storage is generally available (as determined by the super class's global
configuration property DefaultSessionStorageEvaluator.isSessionStorageEnabled() and no request-specific override has turned off
session storage, false otherwise.true always.true if the constructed securityManager reference should be bound
to static memory (via
SecurityUtils.setSecurityManager),
false otherwise.true if the system's stored credential hash is Hex encoded, false if it
is Base64 encoded.true if the associated session is valid (it exists and is not stopped nor expired),
false otherwise.SessionIdGenerator that generates String values of JDK UUID's as the session IDs.CipherService implementation utilizing Java's JCA APIs.JcaCipherService instance which will use the specified cipher algorithmName
for all encryption, decryption, and key operations.LdapContextFactory implementation using the default Sun/Oracle JNDI Ldap API, utilizing JNDI
environment properties and an InitialContext.environment template with
the contextFactoryClassName equal to
com.sun.jndi.ldap.LdapCtxFactory (the Sun/Oracle default) and the default
referral behavior to follow.Realm implementation utilizing Sun's/Oracle's
JNDI API as an LDAP API.LdapContextFactory instance to a
JndiLdapContextFactory.jndiNames.Iterator into
a single String containing the provided elements.LdapContext objects that are used by JndiLdapRealms to
perform authentication attempts and query for authorization data.Initializable
or Destroyable interfaces, respectfully.order value.Initializable.init() and
Destroyable.destroy() methods cleanly on any object.classpath:shiro.ini file, or null if
the file does not exist.Ini instance.AuthenticationToken argument, and if successful, constructs a
Subject instance representing the authenticated account's identity.authenticationToken, returning an updated Subject
instance reflecting the authenticated state if successful or throwing AuthenticationException if it is
not.Session and authorization data.subject
and then redirect them to a configured redirectUrl.SecurityManager instance in the backing map without performing any non-null guarantees.MapContext provides a common base for context-based data storage in a Map.true if the given source matches the specified pattern,
false otherwise.hashAlgorithmName property.hashAlgorithmName property.CacheManager implementation usable in production
environments.ConcurrentMap.AuthenticationInfo interface to be implemented by
classes that support merging with other AuthenticationInfo instances.AuthenticationInfo into this instance.info argument into the aggregate argument and then returns an
aggregate for continued use throughout the login process.aggregate instance if is non null and valid (that is, has principals and they are
not empty) immediately, or, if it is null or not valid, the info argument is returned instead.AuthenticationInfo into this Account.info argument and adds its principals and credentials into this instance.Subject.getPrincipals() with whatever may be in
any available session.HashFormat that supports
Modular Crypt Format token rules.ModularRealmAuthenticator delgates account lookups to a pluggable (modular) collection of
Realms.enables an
AtLeastOneSuccessfulStrategy by default.Realms during an authorization operation.Realms to consult during an authorization check.PrincipalCollection that allows modification.WebEnvironment that supports 'write' operations operations.NameableFilter.getName()/NameableFilter.setName(String) methods.Native session manager is one that manages sessions natively - that is, it is directly responsible
for the creation, persistence and removal of Session instances and their
lifecycles.SubjectContext instance to be used to populate with subject contextual data that
will then be sent to the SecurityManager to create a new Subject instance.DefaultWebSubjectContext to account for the additional request/response
pair.DefaultSubjectFactory.createSubject(org.apache.shiro.subject.SubjectContext) directly if you
need to instantiate a custom Subject class.DefaultWebSubjectFactory.createSubject(org.apache.shiro.subject.SubjectContext) directly if you
need to instantiate a custom Subject class.PathMatchingFilter that will disable creating new Sessions during the request.AuthenticationListeners that
authentication failed for the
specified token which resulted in the specified ae exception.AuthenticationListeners that a
Subject has logged-out.SessionListeners that a Session has started.AuthenticationListeners that
authentication was successful for the specified token which resulted in the specified
info.value argument is not null.objectArgument.toString().token and logging subject
with this token.isAccessAllowed
method, retaining the mappedValue that was used during configuration.isAccessAllowed
method.saveRequestAndRedirectToLogin
and then immediately returns false, thereby preventing the chain from continuing so the redirect may
execute.null if there are none
of the specified type.forgetting any
previously remembered identity.Subject has failed.notifyLogout to allow any registered listeners
to react to the logout.Subject logs-out of the system.Subject logs out of the system.super.onLogout(principals) to ensure a logout notification is issued, and for each
wrapped Realm that implements the LogoutAware interface, calls
((LogoutAware)realm).onLogout(principals) to allow each realm the opportunity to perform
logout/cleanup operations during an user-logout.forgets any previously stored identity and returns.true if
isAccessAllowed(Request,Response,Object),
otherwise returns the result of
onAccessDenied(Request,Response,Object).true allowing unchecked access to the underlying path or resource.true and should be overridden by subclasses for custom
logic if necessary.Session.stop() or automatically upon a subject logging out.Subject has succeeded.forgetting any previously
stored identity.SecurityUtils and
ShiroException.CredentialsMatcher
interface and its supporting implementations.Realms).Permission
interface.Executor, ExecutorService,
and ScheduledExecutorService implementations for transparent
Subject association with threads in an asynchronous execution environment.SecurityManager interface and a default implementation
hierarchy for managing all aspects of Shiro's functionality in an application.Realm interface.Files or
text streams.SessionManager components supporting enterprise session management.Subject interface, the most important concept in
Shiro's API.org.apache.shiro.subject interfaces.org.apache.shiro.config components.Environment implementation and support.Filter implementations used to control
access to web pages and URL resources.Filter implementations specific to controlling access based on a
subject's authentication status, or those that can execute authentications (log-ins) directly.Filter implementations that perform authorization (access control)
checks based on the Subject's abilities (for example, role or permission checks).SecurityManager implementations.Subject interfaces to enable Subject use in web
environments.org.apache.shiro.web.subject package interfaces.CipherPaddingScheme represents well-known
padding schemes supported by JPA providers in a
type-safe manner.ParsableHashFormat is able to parse a formatted string and convert it into a Hash instance.CredentialsMatcher that employs best-practices comparisons for hashed text passwords.PasswordService supports common use cases when using passwords as a credentials mechanism.true if the submittedPlaintext password matches the existing savedPasswordHash,
false otherwise.true if the submittedPlaintext password matches the existing saved password,
false otherwise.true if an incoming request path (the path argument)
matches a configured filter chain path (the pattern argument), false otherwise.FilterChainResolver that resolves FilterChains based on url path
matching, as determined by a configurable PathMatcher.true if the incoming request matches the specified path pattern,
false otherwise.true if the path matches the specified pattern string,
false otherwise.RequiresPermissions annotation is
declared, and if so, performs a permission check to see if the calling Subject is allowed continued
access.RequiresPermissions annotations.RequiresPermissions annotation is declared, and if so, performs
a permission check to see if the calling Subject is allowed to call the method.RequiresPermissions annotations in a method declaration.PermisisonResolver resolves a String value and converts it into a
Permission instance.POST.bean argument.DestroyableInitializableFilter interface, automatically adds that filter
instance to the internal filters map that will be referenced
later during filter chain construction.UTF-8.subject,
a potentially Subject or request-specific
redirectUrl,
and redirects the end-user to that redirect url.true if the filter chain should be allowed to continue, false otherwise.ServletRequest instance that will be passed to the FilterChain for request
processing.ServletResponse instance that will be passed to the FilterChain for request
processing.Subject.PrincipalMap is map of all of a subject's principals - its identifying attributes like username, userId,
etc.Subject being built will reflect the specified principals (aka identity).config, unique to the given path, and returns the Filter that should
execute for that path/config combination.config argument and sets the resulting
String[] array on the appliedPaths internal Map.TextConfigurationRealm that defers all logic to the parent class, but just enables
Properties based configuration in addition to the parent class's String configuration.HashFormat implementations.FilterChain instance that proxies an original FilterChain as well
as a List of other Filters that might need to execute prior to the final wrapped
original chain.Session implementation that immediately delegates all corresponding calls to an
underlying proxied session instance.target.original FilterChain with the named chain.FilterChain instance that will first execute this list's Filters (in list order)
and end with the execution of the given filterChain instance.key to the current thread.ValidatingSessionManager.validateSessions()
method on a configured session manager.SessionValidationScheduler that uses Quartz to schedule a
job to call ValidatingSessionManager.validateSessions() on
a regular basis.AuthenticationInfo object by querying the active directory LDAP context for the
specified username.AuthenticationInfo object by querying the LDAP context for the
specified username.discovered principal and provided
credentials.AuthorizationInfo object by querying the active directory LDAP context for the
groups that a user is a member of.AuthorizationInfo object by querying the LDAP context for the
specified principal.AuthorizationInfo object by querying the LDAP context for the
specified principal.Random instance to generate random IDs.AbstractSessionDAO.doReadSession(java.io.Serializable) method.sessionId.Realm instances
in any manner desired.SecurityManager class hierarchy based around a collection of
Realms.getLoginUrl and redirects
the request to that url.saved request, or if there is no saved request, redirects the
end user to the specified fallbackUrl.PatternMatcher implementation that uses standard java.util.regex objects.#runAs runAs was called.converting them to a byte
array and then remembers that
byte array.AuthenticationToken that indicates if the user wishes their identity to be remembered across sessions.AbstractRememberMeManager.getRememberedSerializedIdentity(SubjectContext) method.key from the current
thread.Removes the underlying ThreadLocal from the thread.throws an InvalidSessionException in all
cases because this proxy is immutable.Session under the given attributeKey.key name.null if the section did not exist.RequestPairSource is a component that can supply a ServletRequest and
ServletResponse pair associated with a currently executing request.Class.Subject to have all of the
specified roles.ObjectStreamClass by delegating to Shiro's
ClassUtils.forName(String) utility method, which is known to work in all ClassLoader environments.WildcardPermission instance constructed based on the specified
permissionString.PrincipalCollection) for the context using heuristics.SecurityManager instance that should be used to back the constructed Subject
instance (typically used to support DelegatingSubject implementations).Session to ensure it may be referenced if necessary by the
invoked SubjectFactory that performs actual Subject construction.WebEnvironments that can be initialized via resource paths (config files).true if the resource at the specified path exists, false otherwise.Stream-backed resources.Removes all thread-state that was bound by this instance.bind was invoked.RequiresRoles annotation is declared, and if so, performs
a role check to see if the calling Subject is allowed to proceed.RequiresRoles annotations.RequiresRoles annotation is declared, and if so, performs
a role check to see if the calling Subject is allowed to invoke the method.RequiresRoles annotations in a method declaration.Permission instances.Binds the Subject thread state, executes the target Runnable and then guarantees
the previous thread state's restoration:session only
if sessionStorageEnabled(subject).Session key used to save a request and later restore it, for example when redirecting to a
requested page after login, equal to shiroSavedRequest.WebUtils.saveRequest(request) to save the request
state for reuse later.session.RandomNumberGenerator interface, backed by a
SecureRandom instance.SecureRandom and a
defaultNextBytesSize of 16, which equals 128 bits, a size commonly
used in cryptographic algorithms.RemoteInvocationExecutor
that binds a sessionId to the incoming thread to make it available to the SecurityManager
implementation during the thread execution.RemoteInvocationFactory that passes the session ID to the server via a
RemoteInvocation attribute.SecurityManager executes all security operations for all Subjects (aka users) across a
single application.Subject for the calling code depending on runtime environment.401 (Unauthorized) status as well as the
response's AUTHENTICATE_HEADER.ObjectOutputStream backed by a
ByteArrayOutputStream.source into a byte[] array by using the
XMLEncoder to encode the object out to a
ByteArrayOutputStream, where the resulting byte[] array is returned.principals by serializing them to a byte array by using the
serializer's serialize method.Serializer converts objects to raw binary data and vice versa, enabling persistent storage
of objects to files, HTTP cookies, or other mechanism.Session implementations that are merely wrappers for the
Servlet container's HttpSession.ServletContext.Session is a stateful data context associated with a single Subject (user, daemon process,
etc) who interacts with a software system over a period of time.Subject being built will use the specified Session instance.SessionContext is a 'bucket' of data presented to a SessionFactory which interprets
this data to construct Session instances.Session if one does not
already exist.Session access to an
EIS (Enterprise Information System).Session instances.SessionDAO
implementations.SessionKey is a key that allows look-up of any particular Session
instance.Session's life cycle.SessionListener interface, effectively providing
no-op implementations of all methods.Sessions.SecurityManager class hierarchy that delegates all
session operations to a wrapped
SessionManager instance.SessionManager delegate
instance.Subject's Session
to persist that Subject's internal state.CacheManager.HashService should use when computing the Hash.WWW-Authenticate header.throws an InvalidSessionException in all
cases because this proxy is immutable.value to the associated session uniquely identified by the attributeKey.value to this session, uniquely identified by the specifed
key name.WWW-Authenticate header scheme that this filter will use when sending the
HTTP Basic challenge response.Subject instance should be considered as authenticated.Cache instance to use for authentication caching.Cache to lookup from any available cacheManager if
a cache is not explicitly configured via AuthenticatingRealm.setAuthenticationCache(org.apache.shiro.cache.Cache).CacheManager has been
configured, false otherwise.AuthenticationListeners that should be notified during authentication
attempts.AuthenticationStrategy utilized during multi-realm log-in attempts.Authenticator instance that this SecurityManager uses to perform all
authentication operations.CacheManager has been
configured, false otherwise.Authorization header value that this filter will respond to as indicating a
login request.Cipher transformation string.CacheManager instance.SecurityManager and potentially any of its
children components.activeSessionsCache if
one is not configured.CacheManager has been
configured.CipherService to use for encrypting and decrypting serialized identity data to prevent easy
inspection of Subject identity data.SecurityManager and
FilterChainResolver used by the web application.config attribute.RememberMeManager.principals, such as a password or private key.null if no salt
is used or credentials are not hashed at all.null if no salt was used or credentials were not
hashed at all.nextBytes().filterChainDefinitionMap
property by accepting a Properties-compatible string (multi-line key/value pairs).WebEnvironment's FilterChainResolver.FilterConfig provided by the Servlet container at webapp startup.ServletContext as attributes of this class for use by
subclasses.filter chain definitions.hash-format-alias-to-fullyQualifiedHashFormatClassNameImplementation map to be used in
the DefaultHashFormatFactory.getInstance(String) implementation.HashRequest does not specify a salt.AnnotationHandler used to perform authorization behavior based on
an annotation discovered at runtime.Hash algorithmName to use
when performing hashes for credentials matching.MessageDigest algorithm that will be used to compute
hashes.AuthenticationToken's credentials will be hashed before comparing
to the credentials stored in the system.AuthenticationInfo
returned from the Realm is a SaltedAuthenticationInfo instance and its
getCredentialsSalt() method returns a non-null value.
This method and the 1.0 behavior still exists for backwards compatibility if the Realm does not return
SaltedAuthenticationInfo instances, but it is highly recommended that Realm implementations
that support hashed credentials start returning SaltedAuthenticationInfo
instances as soon as possible.
This is because salts should always be obtained from the stored account information and
never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for
attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user
are almost impossible to break. This method will be removed in Shiro 2.0.Subject is initiating the
Session.Subject's originating location.Ini instance instead of via
config locations.Hash result.Realm.LdapContextFactory implementation that is used to create LDAP connections for
authentication and authorization.AccessControlFilter.Cipher transformation string.Cipher transformation string.Cipher transformation string.PatternMatcher used when determining if an incoming request's path
matches a configured filter chain.PermissionResolver on all of the wrapped realms that
implement the PermissionResolverAware interface.Subject should reflect.LdapContextFactory.RealmSecurityManager.setRealms(java.util.Collection<org.apache.shiro.realm.Realm>) method.Authorizer which are consulted during an authorization check.WebSubject.Builder constructor, this method places the request object in the
context map for later retrieval.AnnotationResolver to use to acquire annotations from intercepted
methods at runtime.WebSubject.Builder constructor, this method places the response object in the
context map for later retrieval.RolePermissionResolver on all of the wrapped realms that
implement the PermissionResolverAware interface.HashService during hash computation.HashService during hash computation.LdapContextFactory.HashFormat implementations according to
heuristics defined in the getHashFormat(packageName, token) JavaDoc.sectionName.SecureRandom to back this instance.getSubject() implementation.SecurityManager instance to be used by the constructed Shiro Filter.Subject instance
(typically used to support DelegatingSubject implementations).SecurityManager instance in the backing map.SecureRandom instance with additional seed data.Serializer used to serialize and deserialize PrincipalCollection instances for
persistent remember me storage.WebEnvironment's associated ServletContext instance.ServletRequest received by the servlet container triggering the creation of the
Session instance.ServletRequest received by the servlet container triggering the creation of the
Subject instance.ServletResponse corresponding to the associated servletRequest.ServletResponse corresponding to the associated servletRequest.Session to use when building the Subject instance.Subject instance should be allowed to create a session,
false otherwise.SessionFactory used to generate new Session instances.Subject instance.SessionIdGenerator used by the AbstractSessionDAO.generateSessionId(org.apache.shiro.session.Session)
method.SessionManager instance that will be used to support this implementation's
SessionManager method calls.Session may be used to persist that Subject's state.SessionStorageEvaluator that will determine if a Subject's state may be persisted in
the Subject's session.setSessionValidationScheduler method is
never called) , this method allows one to specify how
frequently session should be validated (to check for orphans).ValidatingSessionManager#validateSessions() method.HashService.HashService.securityManager reference should be bound
to static memory (via SecurityUtils.setSecurityManager).JcaCipherService.encrypt(java.io.InputStream, java.io.OutputStream, byte[]) and
JcaCipherService.decrypt(java.io.InputStream, java.io.OutputStream, byte[])).Subject that may be in use at the time the new Subject instance is
being created.SubjectDAO responsible for persisting Subject state, typically used after login or when an
Subject identity is discovered (eg after RememberMe services).SubjectFactory responsible for creating Subject instances exposed to the application.AuthenticationFilter.LdapContextFactory.systemUsername that will be used when creating an
LDAP connection used for authorization queries.LdapContextFactory.throws an InvalidSessionException in all
cases because this proxy is immutable.AuthorizationFilter.LdapContextFactory.WebEnvironment's WebSecurityManager.hashAlgorithmName property.hashAlgorithmName property.hashAlgorithmName property.hashAlgorithmName property.Shiro1CryptFormat is a fully reversible
Modular Crypt Format (MCF).FactoryBean to be used in Spring-based web applications for
defining the master Shiro Filter.ShiroHttpServletRequest wraps the Servlet container's original ServletRequest instance, but ensures
that all HttpServletRequest invocations that require Shiro's support (getRemoteUser,
getSession, etc) can be executed first by Shiro as necessary before allowing the underlying
Servlet container instance's method to be invoked.Session under the hood for all session operations instead of the
Servlet Container's session mechanism.SecurityManager and SessionManager.WebSecurityManager, SecurityManager and SessionManager.true if the Ini contains account data and a Realm should be implicitly
created to reflect the account data, false if no realm should be implicitly
created.OncePerRequestFilter.isEnabled(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
for custom behavior. This method will be removed in Shiro 2.0.Account interface that
contains principal and credential and authorization information (roles and permissions) as instance variables and
exposes them via getters and setters using standard JavaBean notation.Realm interface that
uses a set of configured user accounts and roles to support authentication and authorization.MergableAuthenticationInfo interface that holds the principals and
credentials.AuthorizationInfo interface that stores roles and permissions as internal
attributes.ByteSource implementation that maintains an internal byte[] array and uses the
Hex and Base64 codec classes to support the
toHex() and toBase64() implementations.Cookie implementation.Hash implementation that allows any MessageDigest algorithm name to
be used.algorithmName set - no hashing is performed.algorithmName-specific hash of the specified source with no salt using a
single hash iteration.algorithmName-specific hash of the specified source using the given salt
using a single hash iteration.algorithmName-specific hash of the specified source using the given
salt a total of hashIterations times.HashRequest that can be used when interacting with a HashService.SimpleNamedFilterList instance with the specified name, defaulting to a new
ArrayList instance as the backing list.SimpleNamedFilterList instance with the specified name and backingList.MutablePrincipalCollection interface that tracks principals internally
by storing them in a LinkedHashMap.PrincipalMap interface.Session JavaBeans-compatible POJO implementation, intended to be used on the
business/server tier.SessionFactory implementation that generates SimpleSession instances.0 if the collection is null.0 if the map is null.SoftHashMap is a memory-constrained map that stores its values in
SoftReferences.DEFAULT_RETENTION_SIZE (100 entries).SoftHashMap backed by the specified source, with a default retention
size of DEFAULT_RETENTION_SIZE (100 entries).SoftHashMap backed by the specified source, with the specified retention size.delimited string (delimited by the specified separator character) and returns the
delimited values as a Set.AnnotationResolver implementation that uses Spring's more robust
AnnotationUtils to find method annotations instead of the JDKs simpler
(and rather lacking) Method.getAnnotation(class)
implementation.throws an InvalidSessionException in all
cases because this proxy is immutable.Subject represents state and security operations for a single application user.Subject instances in a simplified way without
requiring knowledge of Shiro's construction techniques.Subject.Builder instance, using the SecurityManager instance available
to the calling code as determined by a call to SecurityUtils.getSecurityManager()
to build the Subject instance.Subject.Builder instance which will use the specified SecurityManager when
building the Subject instance.ExecutorService implementation that will automatically first associate any argument
Runnable or Callable instances with the currently available subject and then
dispatch the Subject-enabled runnable or callable to an underlying delegate
ExecutorService instance.SubjectAwareExecutorService but additionally supports the
ScheduledExecutorService interface.SubjectContext is a 'bucket' of data presented to a SecurityManager which interprets
this data to construct Subject instances.SubjectDAO is responsible for persisting a Subject instance's internal state such that the Subject instance
can be recreated at a later time if necessary.SubjectFactory is responsible for constructing Subject instances as needed.SubjectRunnable ensures that a target/delegate Runnable will execute such that any
call to SecurityUtils.getSubject() during the
Runnable's execution will return the associated Subject instance.SubjectRunnable that, when executed, will execute the target delegate, but
guarantees that it will run associated with the specified Subject.SubjectRunnable that, when executed, will perform thread state
binding and guaranteed restoration before and after the
Runnable's execution, respectively.Subject access (supporting
SecurityUtils.getSubject() calls)
during a thread's execution.SubjectThreadState that will bind and unbind the specified Subject to the
threadtrue if this interceptor supports, that is, should inspect, the specified
MethodInvocation, false otherwise.AuthenticationToken instance, false otherwise.ThreadState instance manages any state that might need to be bound and/or restored during a thread's
execution.InvalidSessionException indicating that this proxy is immutable.byte array.byte array.PREFERRED_ENCODING.CodecException if the encoding fails.InputStream into a byte array.ByteSource instance.PREFERRED_ENCODING.delimiter argument.delimiter argument.byte array.byte array.ServletRequest to an
HttpServletRequest:
return (HttpServletRequest)request;
Logic could be changed in the future for logging or throwing an meaningful exception in
non HTTP request environments (e.g.ServletResponse to an
HttpServletResponse:
return (HttpServletResponse)response;
Logic could be changed in the future for logging or throwing an meaningful exception in
non HTTP request environments (e.g.principals.toString() if they are not null, otherwise prints out the string
"empty"principals.toString()PREFERRED_ENCODING.toHex().toHex().getClass().getName() + ",id=" + getId().toStringBuilder() method, a better-performing alternative.name, or if the name is null, just the
super.toStringBuilder() instance.toString(), but returns a StringBuilder instance instead.throws an InvalidSessionException in all
cases because this proxy is immutable.sessionId.lastAccessTime of this session to the current time when
this method is invoked.SecurityManager instance, but Shiro's
lookup heuristics cannot find one.DefaultSecurityManager.delete(org.apache.shiro.subject.Subject)RuntimeException equivalent of the JDK's
ClassNotFoundException, to maintain a RuntimeException paradigm.AuthenticationToken implementation is encountered that is not
supported by one or more configured Realms.CachingSessionDAO.doUpdate(org.apache.shiro.session.Session).{@link Session#getId() session.getId()}.url:URLEncoder.encode(input, enc).RequiresUser annotation
is declared, and if so, ensures the calling Subject is either
authenticated or remembered via remember
me services before allowing access.RequiresUser annotations.RequiresUser annotation
is declared, and if so, ensures the calling Subject is either
authenticated or remembered via remember
me services before invoking the method.RequiresUser annotations in a method
declaration.host and a
rememberMe default of false.host and
a rememberMe default of false
environment settings and throws an exception if a problem
exists.ValidatingSession is a Session that is capable of determining it is valid or not and
is able to validate itself if necessary.WebSubject implementation that additional ensures the ability to retain a
servlet request/response pair to be used by internal shiro components as necessary during the request execution.Environment instance, used in web applications.WebIniSecurityManagerFactory.createDefaultInstance() method, to
ensure a web-capable SecurityManager instance is created by default.WebIniSecurityManagerFactory instance which will construct web-capable
SecurityManager instances.WebIniSecurityManagerFactory instance which will construct web-capable
SecurityManager instances.SecurityManager implementation that can used in web-enabled applications.WebSubjectContext is a SessionContext that additionally provides for type-safe
methods to set and retrieve a ServletRequest and ServletResponse, as the request/response pair will
often need to be referenced during construction of web-initiated Session instances.SessionKey implementation that also retains the
ServletRequest and ServletResponse associated with the web request that is performing the
session lookup.SessionManager specific to web-enabled applications.WebSubject represents a Subject instance that was acquired as a result of an incoming
ServletRequest.WebSubject.Builder performs the same function as a Subject.Builder, but
additionally ensures that the Servlet request/response pair that is triggering the Subject instance's creation
is retained for use by internal Shiro components as necessary.Web.Builder instance using the SecurityManager obtained by
calling SecurityUtils.getSecurityManager().Web.Builder instance using the specified SecurityManager instance to
create the WebSubject instance.WebSubjectContext is a SubjectContext that additionally provides for type-safe
methods to set and retrieve a ServletRequest and ServletResponse.WildcardPermission is a very flexible permission construct supporting multiple levels of
permission matching.WildcardPermission
based on the input string.ShiroHttpServletRequest, which is required for supporting
Servlet Specification behavior backed by a Subject instance.ShiroHttpServletResponse instance, wrapping the orig argument, in order to provide
correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not
Servlet Container HTTP-based sessions).XMLEncoder and XMLDecoder to serialize
and deserialize, respectively.true if a session is allowed to be created for a subject-associated request, false
otherwise.true if a session is allowed to be created for a subject-associated request, false
otherwise.Copyright © 2004-2016 The Apache Software Foundation. All Rights Reserved.