1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
17 * under the License.
18 */
19 package org.apache.shiro.web.mgt;
20
21 import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
22 import org.apache.shiro.session.mgt.NativeSessionManager;
23 import org.apache.shiro.session.mgt.SessionManager;
24 import org.apache.shiro.subject.Subject;
25 import org.apache.shiro.web.subject.WebSubject;
26 import org.apache.shiro.web.util.WebUtils;
27
28 /**
29 * A web-specific {@code SessionStorageEvaluator} that performs the same logic as the parent class
30 * {@link DefaultSessionStorageEvaluator} but additionally checks for a request-specific flag that may enable or
31 * disable session access.
32 * <p/>
33 * This implementation usually works in conjunction with the
34 * {@link org.apache.shiro.web.filter.session.NoSessionCreationFilter}: If the {@code NoSessionCreationFilter}
35 * is configured in a filter chain, that filter will set a specific
36 * {@code ServletRequest} {@link javax.servlet.ServletRequest#setAttribute attribute} indicating that session creation
37 * should be disabled.
38 * <p/>
39 * This {@code DefaultWebSessionStorageEvaluator} will then inspect this attribute, and if it has been set, will return
40 * {@code false} from {@link #isSessionStorageEnabled(org.apache.shiro.subject.Subject)} method, thereby preventing
41 * Shiro from creating a session for the purpose of storing subject state.
42 * <p/>
43 * If the request attribute has
44 * not been set (i.e. the {@code NoSessionCreationFilter} is not configured or has been disabled), this class does
45 * nothing and delegates to the parent class for existing behavior.
46 *
47 * @since 1.2
48 */
49 public class DefaultWebSessionStorageEvaluator extends DefaultSessionStorageEvaluator {
50
51 //since 1.2.1
52 private SessionManager sessionManager;
53
54 /**
55 * Sets the session manager to use when checking to see if session storage is possible.
56 * @param sessionManager the session manager instance for checking.
57 * @since 1.2.1
58 */
59 //package protected on purpose to maintain point-version compatibility: (1.2.3 -> 1.2.1 should work always).
60 void setSessionManager(SessionManager sessionManager) {
61 this.sessionManager = sessionManager;
62 }
63
64 /**
65 * Returns {@code true} if session storage is generally available (as determined by the super class's global
66 * configuration property {@link #isSessionStorageEnabled()} and no request-specific override has turned off
67 * session storage, {@code false} otherwise.
68 * <p/>
69 * This means session storage is disabled if the {@link #isSessionStorageEnabled()} property is {@code false} or if
70 * a request attribute is discovered that turns off session storage for the current request.
71 *
72 * @param subject the {@code Subject} for which session state persistence may be enabled
73 * @return {@code true} if session storage is generally available (as determined by the super class's global
74 * configuration property {@link #isSessionStorageEnabled()} and no request-specific override has turned off
75 * session storage, {@code false} otherwise.
76 */
77 @SuppressWarnings({"SimplifiableIfStatement"})
78 @Override
79 public boolean isSessionStorageEnabled(Subject subject) {
80 if (subject.getSession(false) != null) {
81 //use what already exists
82 return true;
83 }
84
85 if (!isSessionStorageEnabled()) {
86 //honor global setting:
87 return false;
88 }
89
90 //SHIRO-350: non-web subject instances can't be saved to web-only session managers:
91 //since 1.2.1:
92 if (!(subject instanceof WebSubject) && (this.sessionManager != null && !(this.sessionManager instanceof NativeSessionManager))) {
93 return false;
94 }
95
96 return WebUtils._isSessionCreationEnabled(subject);
97 }
98
99
100 }