1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.shiro.web.mgt;
20
21 import org.apache.shiro.mgt.DefaultSecurityManager;
22 import org.apache.shiro.mgt.DefaultSubjectDAO;
23 import org.apache.shiro.mgt.SessionStorageEvaluator;
24 import org.apache.shiro.mgt.SubjectDAO;
25 import org.apache.shiro.realm.Realm;
26 import org.apache.shiro.session.mgt.SessionContext;
27 import org.apache.shiro.session.mgt.SessionKey;
28 import org.apache.shiro.session.mgt.SessionManager;
29 import org.apache.shiro.subject.Subject;
30 import org.apache.shiro.subject.SubjectContext;
31 import org.apache.shiro.util.LifecycleUtils;
32 import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
33 import org.apache.shiro.web.session.mgt.*;
34 import org.apache.shiro.web.subject.WebSubject;
35 import org.apache.shiro.web.subject.WebSubjectContext;
36 import org.apache.shiro.web.subject.support.DefaultWebSubjectContext;
37 import org.apache.shiro.web.util.WebUtils;
38 import org.slf4j.Logger;
39 import org.slf4j.LoggerFactory;
40
41 import javax.servlet.ServletRequest;
42 import javax.servlet.ServletResponse;
43 import java.io.Serializable;
44 import java.util.Collection;
45
46
47
48
49
50
51
52
53 public class DefaultWebSecurityManager extends DefaultSecurityManager implements WebSecurityManager {
54
55
56
57 private static final Logger log = LoggerFactory.getLogger(DefaultWebSecurityManager.class);
58
59 @Deprecated
60 public static final String HTTP_SESSION_MODE = "http";
61 @Deprecated
62 public static final String NATIVE_SESSION_MODE = "native";
63
64
65
66
67 @Deprecated
68 private String sessionMode;
69
70 public DefaultWebSecurityManager() {
71 super();
72 ((DefaultSubjectDAO) this.subjectDAO).setSessionStorageEvaluator(new DefaultWebSessionStorageEvaluator());
73 this.sessionMode = HTTP_SESSION_MODE;
74 setSubjectFactory(new DefaultWebSubjectFactory());
75 setRememberMeManager(new CookieRememberMeManager());
76 setSessionManager(new ServletContainerSessionManager());
77 }
78
79 @SuppressWarnings({"UnusedDeclaration"})
80 public DefaultWebSecurityManager(Realm singleRealm) {
81 this();
82 setRealm(singleRealm);
83 }
84
85 @SuppressWarnings({"UnusedDeclaration"})
86 public DefaultWebSecurityManager(Collection<Realm> realms) {
87 this();
88 setRealms(realms);
89 }
90
91 @Override
92 protected SubjectContext createSubjectContext() {
93 return new DefaultWebSubjectContext();
94 }
95
96 @Override
97
98 public void setSubjectDAO(SubjectDAO subjectDAO) {
99 super.setSubjectDAO(subjectDAO);
100 applySessionManagerToSessionStorageEvaluatorIfPossible();
101 }
102
103
104 @Override
105 protected void afterSessionManagerSet() {
106 super.afterSessionManagerSet();
107 applySessionManagerToSessionStorageEvaluatorIfPossible();
108 }
109
110
111 private void applySessionManagerToSessionStorageEvaluatorIfPossible() {
112 SubjectDAO subjectDAO = getSubjectDAO();
113 if (subjectDAO instanceof DefaultSubjectDAO) {
114 SessionStorageEvaluator evaluator = ((DefaultSubjectDAO)subjectDAO).getSessionStorageEvaluator();
115 if (evaluator instanceof DefaultWebSessionStorageEvaluator) {
116 ((DefaultWebSessionStorageEvaluator)evaluator).setSessionManager(getSessionManager());
117 }
118 }
119 }
120
121 @Override
122 protected SubjectContext copy(SubjectContext subjectContext) {
123 if (subjectContext instanceof WebSubjectContext) {
124 return new DefaultWebSubjectContext((WebSubjectContext) subjectContext);
125 }
126 return super.copy(subjectContext);
127 }
128
129 @SuppressWarnings({"UnusedDeclaration"})
130 @Deprecated
131 public String getSessionMode() {
132 return sessionMode;
133 }
134
135
136
137
138
139 @Deprecated
140 public void setSessionMode(String sessionMode) {
141 log.warn("The 'sessionMode' property has been deprecated. Please configure an appropriate WebSessionManager " +
142 "instance instead of using this property. This property/method will be removed in a later version.");
143 String mode = sessionMode;
144 if (mode == null) {
145 throw new IllegalArgumentException("sessionMode argument cannot be null.");
146 }
147 mode = sessionMode.toLowerCase();
148 if (!HTTP_SESSION_MODE.equals(mode) && !NATIVE_SESSION_MODE.equals(mode)) {
149 String msg = "Invalid sessionMode [" + sessionMode + "]. Allowed values are " +
150 "public static final String constants in the " + getClass().getName() + " class: '"
151 + HTTP_SESSION_MODE + "' or '" + NATIVE_SESSION_MODE + "', with '" +
152 HTTP_SESSION_MODE + "' being the default.";
153 throw new IllegalArgumentException(msg);
154 }
155 boolean recreate = this.sessionMode == null || !this.sessionMode.equals(mode);
156 this.sessionMode = mode;
157 if (recreate) {
158 LifecycleUtils.destroy(getSessionManager());
159 SessionManager sessionManager = createSessionManager(mode);
160 this.setInternalSessionManager(sessionManager);
161 }
162 }
163
164 @Override
165 public void setSessionManager(SessionManager sessionManager) {
166 this.sessionMode = null;
167 if (sessionManager != null && !(sessionManager instanceof WebSessionManager)) {
168 if (log.isWarnEnabled()) {
169 String msg = "The " + getClass().getName() + " implementation expects SessionManager instances " +
170 "that implement the " + WebSessionManager.class.getName() + " interface. The " +
171 "configured instance is of type [" + sessionManager.getClass().getName() + "] which does not " +
172 "implement this interface.. This may cause unexpected behavior.";
173 log.warn(msg);
174 }
175 }
176 setInternalSessionManager(sessionManager);
177 }
178
179
180
181
182
183 private void setInternalSessionManager(SessionManager sessionManager) {
184 super.setSessionManager(sessionManager);
185 }
186
187
188
189
190 public boolean isHttpSessionMode() {
191 SessionManager sessionManager = getSessionManager();
192 return sessionManager instanceof WebSessionManager && ((WebSessionManager)sessionManager).isServletContainerSessions();
193 }
194
195 protected SessionManager createSessionManager(String sessionMode) {
196 if (sessionMode == null || !sessionMode.equalsIgnoreCase(NATIVE_SESSION_MODE)) {
197 log.info("{} mode - enabling ServletContainerSessionManager (HTTP-only Sessions)", HTTP_SESSION_MODE);
198 return new ServletContainerSessionManager();
199 } else {
200 log.info("{} mode - enabling DefaultWebSessionManager (non-HTTP and HTTP Sessions)", NATIVE_SESSION_MODE);
201 return new DefaultWebSessionManager();
202 }
203 }
204
205 @Override
206 protected SessionContext createSessionContext(SubjectContext subjectContext) {
207 SessionContext sessionContext = super.createSessionContext(subjectContext);
208 if (subjectContext instanceof WebSubjectContext) {
209 WebSubjectContext wsc = (WebSubjectContext) subjectContext;
210 ServletRequest request = wsc.resolveServletRequest();
211 ServletResponse response = wsc.resolveServletResponse();
212 DefaultWebSessionContext webSessionContext = new DefaultWebSessionContext(sessionContext);
213 if (request != null) {
214 webSessionContext.setServletRequest(request);
215 }
216 if (response != null) {
217 webSessionContext.setServletResponse(response);
218 }
219
220 sessionContext = webSessionContext;
221 }
222 return sessionContext;
223 }
224
225 @Override
226 protected SessionKey getSessionKey(SubjectContext context) {
227 if (WebUtils.isWeb(context)) {
228 Serializable sessionId = context.getSessionId();
229 ServletRequest request = WebUtils.getRequest(context);
230 ServletResponse response = WebUtils.getResponse(context);
231 return new WebSessionKey(sessionId, request, response);
232 } else {
233 return super.getSessionKey(context);
234
235 }
236 }
237
238 @Override
239 protected void beforeLogout(Subject subject) {
240 super.beforeLogout(subject);
241 removeRequestIdentity(subject);
242 }
243
244 protected void removeRequestIdentity(Subject subject) {
245 if (subject instanceof WebSubject) {
246 WebSubject webSubject = (WebSubject) subject;
247 ServletRequest request = webSubject.getServletRequest();
248 if (request != null) {
249 request.setAttribute(ShiroHttpServletRequest.IDENTITY_REMOVED_KEY, Boolean.TRUE);
250 }
251 }
252 }
253 }