SecureRemoteInvocationFactory.java
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.shiro.spring.remoting;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.NativeSessionManager;
import org.apache.shiro.session.mgt.SessionKey;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.remoting.support.DefaultRemoteInvocationFactory;
import org.springframework.remoting.support.RemoteInvocation;
import org.springframework.remoting.support.RemoteInvocationFactory;
import java.io.Serializable;
/**
* A {@link RemoteInvocationFactory} that passes the session ID to the server via a
* {@link RemoteInvocation} {@link RemoteInvocation#getAttribute(String) attribute}.
* This factory is the client-side part of
* the Shiro Spring remoting invocation. A {@link SecureRemoteInvocationExecutor} should
* be used to export the server-side remote services to ensure that the appropriate
* Subject and Session are bound to the remote thread during execution.
*
* @since 0.1
*/
public class SecureRemoteInvocationFactory extends DefaultRemoteInvocationFactory {
private static final Logger log = LoggerFactory.getLogger(SecureRemoteInvocationFactory.class);
public static final String SESSION_ID_KEY = SecureRemoteInvocationFactory.class.getName() + ".SESSION_ID_KEY";
public static final String HOST_KEY = SecureRemoteInvocationFactory.class.getName() + ".HOST_KEY";
private static final String SESSION_ID_SYSTEM_PROPERTY_NAME = "shiro.session.id";
private String sessionId;
public SecureRemoteInvocationFactory() {
}
public SecureRemoteInvocationFactory(String sessionId) {
this();
this.sessionId = sessionId;
}
/**
* Creates a {@link RemoteInvocation} with the current session ID as an
* {@link RemoteInvocation#getAttribute(String) attribute}.
*
* @param mi the method invocation that the remote invocation should be based on.
* @return a remote invocation object containing the current session ID as an attribute.
*/
public RemoteInvocation createRemoteInvocation(MethodInvocation mi) {
Serializable sessionId = null;
String host = null;
boolean sessionManagerMethodInvocation = false;
//If the calling MI is for a remoting SessionManager delegate, we need to acquire the session ID from the method
//argument and NOT interact with SecurityUtils/subject.getSession to avoid a stack overflow
Class miDeclaringClass = mi.getMethod().getDeclaringClass();
if (SessionManager.class.equals(miDeclaringClass) || NativeSessionManager.class.equals(miDeclaringClass)) {
sessionManagerMethodInvocation = true;
//for SessionManager calls, all method calls except the 'start' methods require a SessionKey
// as the first argument, so just get it from there:
if (!mi.getMethod().getName().equals("start")) {
SessionKey key = (SessionKey) mi.getArguments()[0];
sessionId = key.getSessionId();
}
}
//tried the delegate. Use the injected session id if given
if (sessionId == null) sessionId = this.sessionId;
// If sessionId is null, only then try the Subject:
if (sessionId == null) {
try {
// HACK Check if can get the securityManager - this'll cause an exception if it's not set
SecurityUtils.getSecurityManager();
if (!sessionManagerMethodInvocation) {
Subject subject = SecurityUtils.getSubject();
Session session = subject.getSession(false);
if (session != null) {
sessionId = session.getId();
host = session.getHost();
}
}
}
catch (Exception e) {
log.trace("No security manager set. Trying next to get session id from system property");
}
}
//No call to the sessionManager, and the Subject doesn't have a session. Try a system property
//as a last result:
if (sessionId == null) {
if (log.isTraceEnabled()) {
log.trace("No Session found for the currently executing subject via subject.getSession(false). " +
"Attempting to revert back to the 'shiro.session.id' system property...");
}
sessionId = System.getProperty(SESSION_ID_SYSTEM_PROPERTY_NAME);
if (sessionId == null && log.isTraceEnabled()) {
log.trace("No 'shiro.session.id' system property found. Heuristics have been exhausted; " +
"RemoteInvocation will not contain a sessionId.");
}
}
RemoteInvocation ri = new RemoteInvocation(mi);
if (sessionId != null) {
ri.addAttribute(SESSION_ID_KEY, sessionId);
}
if (host != null) {
ri.addAttribute(HOST_KEY, host);
}
return ri;
}
}