View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.shiro.mgt;
20  
21  import org.apache.shiro.subject.Subject;
22  
23  /**
24   * A Default {@code SessionStorageEvaluator} that provides reasonable control over if and how Sessions may be used for
25   * storing Subject state.  See the {@link #isSessionStorageEnabled(org.apache.shiro.subject.Subject)}
26   * method for exact behavior.
27   *
28   * @since 1.2
29   */
30  public class DefaultSessionStorageEvaluator implements SessionStorageEvaluator {
31  
32      /**
33       * Global policy determining if Subject sessions may be used to persist Subject state if the Subject's Session
34       * does not yet exist.
35       */
36      private boolean sessionStorageEnabled = true;
37  
38      /**
39       * This implementation functions as follows:
40       * <ul>
41       * <li>If the specified Subject already has an existing {@code Session} (typically because an application developer
42       * has called {@code subject.getSession()} already), Shiro will use that existing session to store subject state.</li>
43       * <li>If a Subject does not yet have a Session, this implementation checks the
44       * {@link #isSessionStorageEnabled() sessionStorageEnabled} property:
45       * <ul>
46       * <li>If {@code sessionStorageEnabled} is true (the default setting), a new session may be created to persist
47       * Subject state if necessary.</li>
48       * <li>If {@code sessionStorageEnabled} is {@code false}, a new session will <em>not</em> be created to persist
49       * session state.</li>
50       * </ul></li>
51       * </ul>
52       * Most applications use Sessions and are OK with the default {@code true} setting for {@code sessionStorageEnabled}.
53       * <p/>
54       * However, if your application is a purely 100% stateless application that never uses sessions,
55       * you will want to set {@code sessionStorageEnabled} to {@code false}.  Realize that a {@code false} value will
56       * ensure that any subject login only retains the authenticated identity for the duration of a request.  Any other
57       * requests, invocations or messages will not be authenticated.
58       *
59       * @param subject the {@code Subject} for which session state persistence may be enabled
60       * @return the value of {@link #isSessionStorageEnabled()} and ignores the {@code Subject} argument.
61       */
62      public boolean isSessionStorageEnabled(Subject subject) {
63          return (subject != null && subject.getSession(false) != null) || isSessionStorageEnabled();
64      }
65  
66      /**
67       * Returns {@code true} if any Subject's {@code Session} may be used to persist that {@code Subject}'s state,
68       * {@code false} otherwise.  The default value is {@code true}.
69       * <p/>
70       * <b>N.B.</b> This is a global configuration setting; setting this value to {@code false} will disable sessions
71       * to persist Subject state for all Subjects that do not already have a Session.  It should typically only be set
72       * to {@code false} for 100% stateless applications (e.g. when sessions aren't used or when remote clients
73       * authenticate on every request).
74       *
75       * @return {@code true} if any Subject's {@code Session} may be used to persist that {@code Subject}'s state,
76       *         {@code false} otherwise.
77       */
78      public boolean isSessionStorageEnabled() {
79          return sessionStorageEnabled;
80      }
81  
82      /**
83       * Sets if any Subject's {@code Session} may be used to persist that {@code Subject}'s state.  The
84       * default value is {@code true}.
85       * <p/>
86       * <b>N.B.</b> This is a global configuration setting; setting this value to {@code false} will disable sessions
87       * to persist Subject state for all Subjects that do not already have a Session.  It should typically only be set
88       * to {@code false} for 100% stateless applications (e.g. when sessions aren't used or when remote clients
89       * authenticate on every request).
90       *
91       * @param sessionStorageEnabled if any Subject's {@code Session} may be used to persist that {@code Subject}'s state.
92       */
93      public void setSessionStorageEnabled(boolean sessionStorageEnabled) {
94          this.sessionStorageEnabled = sessionStorageEnabled;
95      }
96  }