1 /* 2 * Licensed to the Apache Software Foundation (ASF) under one 3 * or more contributor license agreements. See the NOTICE file 4 * distributed with this work for additional information 5 * regarding copyright ownership. The ASF licenses this file 6 * to you under the Apache License, Version 2.0 (the 7 * "License"); you may not use this file except in compliance 8 * with the License. You may obtain a copy of the License at 9 * 10 * http://www.apache.org/licenses/LICENSE-2.0 11 * 12 * Unless required by applicable law or agreed to in writing, 13 * software distributed under the License is distributed on an 14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 * KIND, either express or implied. See the License for the 16 * specific language governing permissions and limitations 17 * under the License. 18 */ 19 package org.apache.shiro.mgt; 20 21 import org.apache.shiro.subject.Subject; 22 23 /** 24 * A Default {@code SessionStorageEvaluator} that provides reasonable control over if and how Sessions may be used for 25 * storing Subject state. See the {@link #isSessionStorageEnabled(org.apache.shiro.subject.Subject)} 26 * method for exact behavior. 27 * 28 * @since 1.2 29 */ 30 public class DefaultSessionStorageEvaluator implements SessionStorageEvaluator { 31 32 /** 33 * Global policy determining if Subject sessions may be used to persist Subject state if the Subject's Session 34 * does not yet exist. 35 */ 36 private boolean sessionStorageEnabled = true; 37 38 /** 39 * This implementation functions as follows: 40 * <ul> 41 * <li>If the specified Subject already has an existing {@code Session} (typically because an application developer 42 * has called {@code subject.getSession()} already), Shiro will use that existing session to store subject state.</li> 43 * <li>If a Subject does not yet have a Session, this implementation checks the 44 * {@link #isSessionStorageEnabled() sessionStorageEnabled} property: 45 * <ul> 46 * <li>If {@code sessionStorageEnabled} is true (the default setting), a new session may be created to persist 47 * Subject state if necessary.</li> 48 * <li>If {@code sessionStorageEnabled} is {@code false}, a new session will <em>not</em> be created to persist 49 * session state.</li> 50 * </ul></li> 51 * </ul> 52 * Most applications use Sessions and are OK with the default {@code true} setting for {@code sessionStorageEnabled}. 53 * <p/> 54 * However, if your application is a purely 100% stateless application that never uses sessions, 55 * you will want to set {@code sessionStorageEnabled} to {@code false}. Realize that a {@code false} value will 56 * ensure that any subject login only retains the authenticated identity for the duration of a request. Any other 57 * requests, invocations or messages will not be authenticated. 58 * 59 * @param subject the {@code Subject} for which session state persistence may be enabled 60 * @return the value of {@link #isSessionStorageEnabled()} and ignores the {@code Subject} argument. 61 */ 62 public boolean isSessionStorageEnabled(Subject subject) { 63 return (subject != null && subject.getSession(false) != null) || isSessionStorageEnabled(); 64 } 65 66 /** 67 * Returns {@code true} if any Subject's {@code Session} may be used to persist that {@code Subject}'s state, 68 * {@code false} otherwise. The default value is {@code true}. 69 * <p/> 70 * <b>N.B.</b> This is a global configuration setting; setting this value to {@code false} will disable sessions 71 * to persist Subject state for all Subjects that do not already have a Session. It should typically only be set 72 * to {@code false} for 100% stateless applications (e.g. when sessions aren't used or when remote clients 73 * authenticate on every request). 74 * 75 * @return {@code true} if any Subject's {@code Session} may be used to persist that {@code Subject}'s state, 76 * {@code false} otherwise. 77 */ 78 public boolean isSessionStorageEnabled() { 79 return sessionStorageEnabled; 80 } 81 82 /** 83 * Sets if any Subject's {@code Session} may be used to persist that {@code Subject}'s state. The 84 * default value is {@code true}. 85 * <p/> 86 * <b>N.B.</b> This is a global configuration setting; setting this value to {@code false} will disable sessions 87 * to persist Subject state for all Subjects that do not already have a Session. It should typically only be set 88 * to {@code false} for 100% stateless applications (e.g. when sessions aren't used or when remote clients 89 * authenticate on every request). 90 * 91 * @param sessionStorageEnabled if any Subject's {@code Session} may be used to persist that {@code Subject}'s state. 92 */ 93 public void setSessionStorageEnabled(boolean sessionStorageEnabled) { 94 this.sessionStorageEnabled = sessionStorageEnabled; 95 } 96 }