DefaultSessionManager.java
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.shiro.session.mgt;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.cache.CacheManagerAware;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
/**
* Default business-tier implementation of a {@link ValidatingSessionManager}. All session CRUD operations are
* delegated to an internal {@link SessionDAO}.
*
* @since 0.1
*/
public class DefaultSessionManager extends AbstractValidatingSessionManager implements CacheManagerAware {
//TODO - complete JavaDoc
private static final Logger log = LoggerFactory.getLogger(DefaultSessionManager.class);
private SessionFactory sessionFactory;
protected SessionDAO sessionDAO; //todo - move SessionDAO up to AbstractValidatingSessionManager?
private CacheManager cacheManager;
private boolean deleteInvalidSessions;
public DefaultSessionManager() {
this.deleteInvalidSessions = true;
this.sessionFactory = new SimpleSessionFactory();
this.sessionDAO = new MemorySessionDAO();
}
public void setSessionDAO(SessionDAO sessionDAO) {
this.sessionDAO = sessionDAO;
applyCacheManagerToSessionDAO();
}
public SessionDAO getSessionDAO() {
return this.sessionDAO;
}
/**
* Returns the {@code SessionFactory} used to generate new {@link Session} instances. The default instance
* is a {@link SimpleSessionFactory}.
*
* @return the {@code SessionFactory} used to generate new {@link Session} instances.
* @since 1.0
*/
public SessionFactory getSessionFactory() {
return sessionFactory;
}
/**
* Sets the {@code SessionFactory} used to generate new {@link Session} instances. The default instance
* is a {@link SimpleSessionFactory}.
*
* @param sessionFactory the {@code SessionFactory} used to generate new {@link Session} instances.
* @since 1.0
*/
public void setSessionFactory(SessionFactory sessionFactory) {
this.sessionFactory = sessionFactory;
}
/**
* Returns {@code true} if sessions should be automatically deleted after they are discovered to be invalid,
* {@code false} if invalid sessions will be manually deleted by some process external to Shiro's control. The
* default is {@code true} to ensure no orphans exist in the underlying data store.
* <h4>Usage</h4>
* It is ok to set this to {@code false} <b><em>ONLY</em></b> if you have some other process that you manage yourself
* that periodically deletes invalid sessions from the backing data store over time, such as via a Quartz or Cron
* job. If you do not do this, the invalid sessions will become 'orphans' and fill up the data store over time.
* <p/>
* This property is provided because some systems need the ability to perform querying/reporting against sessions in
* the data store, even after they have stopped or expired. Setting this attribute to {@code false} will allow
* such querying, but with the caveat that the application developer/configurer deletes the sessions themselves by
* some other means (cron, quartz, etc).
*
* @return {@code true} if sessions should be automatically deleted after they are discovered to be invalid,
* {@code false} if invalid sessions will be manually deleted by some process external to Shiro's control.
* @since 1.0
*/
public boolean isDeleteInvalidSessions() {
return deleteInvalidSessions;
}
/**
* Sets whether or not sessions should be automatically deleted after they are discovered to be invalid. Default
* value is {@code true} to ensure no orphans will exist in the underlying data store.
* <h4>WARNING</h4>
* Only set this value to {@code false} if you are manually going to delete sessions yourself by some process
* (quartz, cron, etc) external to Shiro's control. See the
* {@link #isDeleteInvalidSessions() isDeleteInvalidSessions()} JavaDoc for more.
*
* @param deleteInvalidSessions whether or not sessions should be automatically deleted after they are discovered
* to be invalid.
* @since 1.0
*/
@SuppressWarnings({"UnusedDeclaration"})
public void setDeleteInvalidSessions(boolean deleteInvalidSessions) {
this.deleteInvalidSessions = deleteInvalidSessions;
}
public void setCacheManager(CacheManager cacheManager) {
this.cacheManager = cacheManager;
applyCacheManagerToSessionDAO();
}
/**
* Sets the internal {@code CacheManager} on the {@code SessionDAO} if it implements the
* {@link org.apache.shiro.cache.CacheManagerAware CacheManagerAware} interface.
* <p/>
* This method is called after setting a cacheManager via the
* {@link #setCacheManager(org.apache.shiro.cache.CacheManager) setCacheManager} method <em>em</em> when
* setting a {@code SessionDAO} via the {@link #setSessionDAO} method to allow it to be propagated
* in either case.
*
* @since 1.0
*/
private void applyCacheManagerToSessionDAO() {
if (this.cacheManager != null && this.sessionDAO != null && this.sessionDAO instanceof CacheManagerAware) {
((CacheManagerAware) this.sessionDAO).setCacheManager(this.cacheManager);
}
}
protected Session doCreateSession(SessionContext context) {
Session s = newSessionInstance(context);
if (log.isTraceEnabled()) {
log.trace("Creating session for host {}", s.getHost());
}
create(s);
return s;
}
protected Session newSessionInstance(SessionContext context) {
return getSessionFactory().createSession(context);
}
/**
* Persists the given session instance to an underlying EIS (Enterprise Information System). This implementation
* delegates and calls
* <code>this.{@link SessionDAO sessionDAO}.{@link SessionDAO#create(org.apache.shiro.session.Session) create}(session);<code>
*
* @param session the Session instance to persist to the underlying EIS.
*/
protected void create(Session session) {
if (log.isDebugEnabled()) {
log.debug("Creating new EIS record for new session instance [" + session + "]");
}
sessionDAO.create(session);
}
@Override
protected void onStop(Session session) {
if (session instanceof SimpleSession) {
SimpleSession ss = (SimpleSession) session;
Date stopTs = ss.getStopTimestamp();
ss.setLastAccessTime(stopTs);
}
onChange(session);
}
@Override
protected void afterStopped(Session session) {
if (isDeleteInvalidSessions()) {
delete(session);
}
}
protected void onExpiration(Session session) {
if (session instanceof SimpleSession) {
((SimpleSession) session).setExpired(true);
}
onChange(session);
}
@Override
protected void afterExpired(Session session) {
if (isDeleteInvalidSessions()) {
delete(session);
}
}
protected void onChange(Session session) {
sessionDAO.update(session);
}
protected Session retrieveSession(SessionKey sessionKey) throws UnknownSessionException {
Serializable sessionId = getSessionId(sessionKey);
if (sessionId == null) {
log.debug("Unable to resolve session ID from SessionKey [{}]. Returning null to indicate a " +
"session could not be found.", sessionKey);
return null;
}
Session s = retrieveSessionFromDataSource(sessionId);
if (s == null) {
//session ID was provided, meaning one is expected to be found, but we couldn't find one:
String msg = "Could not find session with ID [" + sessionId + "]";
throw new UnknownSessionException(msg);
}
return s;
}
protected Serializable getSessionId(SessionKey sessionKey) {
return sessionKey.getSessionId();
}
protected Session retrieveSessionFromDataSource(Serializable sessionId) throws UnknownSessionException {
return sessionDAO.readSession(sessionId);
}
protected void delete(Session session) {
sessionDAO.delete(session);
}
protected Collection<Session> getActiveSessions() {
Collection<Session> active = sessionDAO.getActiveSessions();
return active != null ? active : Collections.<Session>emptySet();
}
}