19 package org.apache.shiro.spring.remoting;
20
21 import org.aopalliance.intercept.MethodInvocation;
22 import org.apache.shiro.SecurityUtils;
23 import org.apache.shiro.session.Session;
24 import org.apache.shiro.session.mgt.NativeSessionManager;
25 import org.apache.shiro.session.mgt.SessionKey;
26 import org.apache.shiro.session.mgt.SessionManager;
27 import org.apache.shiro.subject.Subject;
28 import org.slf4j.Logger;
29 import org.slf4j.LoggerFactory;
30 import org.springframework.remoting.support.DefaultRemoteInvocationFactory;
31 import org.springframework.remoting.support.RemoteInvocation;
32 import org.springframework.remoting.support.RemoteInvocationFactory;
33
34 import java.io.Serializable;
35
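/**
 * A {@link DefaultRemoteInvocationFactory} that attaches the caller's Shiro session id (and, when
 * available, the session host) as attributes of each {@link RemoteInvocation} it builds.
 *
 * <p>The session id is resolved from the first source that yields a value:
 * <ol>
 *   <li>the {@link SessionKey} argument of a {@link SessionManager} / {@link NativeSessionManager}
 *       call (any method other than {@code start});</li>
 *   <li>the id passed to {@link #SecureRemoteInvocationFactory(String)};</li>
 *   <li>the current {@link Subject}'s existing session (never created on demand);</li>
 *   <li>the {@code shiro.session.id} system property.</li>
 * </ol>
 *
 * <p>NOTE(review): the id is presumably what the receiving side (not shown here) uses to bind the
 * call to a session, so it should be handled as a credential: send invocations only over a
 * confidential, authenticated transport and keep the value out of logs. This class never logs it.
 */
public class SecureRemoteInvocationFactory extends DefaultRemoteInvocationFactory {

    private static final Logger log = LoggerFactory.getLogger(SecureRemoteInvocationFactory.class);

    /** Attribute name under which the resolved session id is stored on the {@link RemoteInvocation}. */
    public static final String SESSION_ID_KEY = SecureRemoteInvocationFactory.class.getName() + ".SESSION_ID_KEY";

    /**
     * Attribute name under which the session host is stored on the {@link RemoteInvocation}.
     * The value is whatever the local session reports, so a receiver should treat it as
     * client-asserted information rather than a verified origin.
     */
    public static final String HOST_KEY = SecureRemoteInvocationFactory.class.getName() + ".HOST_KEY";

    // Last-resort source of the session id. System properties are JVM-global, so every component
    // in the process shares this value and can read it.
    private static final String SESSION_ID_SYSTEM_PROPERTY_NAME = "shiro.session.id";

    // Optional fixed session id supplied at construction time; null when none was given.
    private String sessionId;

    /** Creates a factory with no preconfigured session id. */
    public SecureRemoteInvocationFactory() {
    }

    /**
     * Creates a factory that falls back to the given session id when the invocation itself does
     * not carry one.
     *
     * @param sessionId the session id to attach; may be {@code null}
     */
    public SecureRemoteInvocationFactory(String sessionId) {
        this();
        this.sessionId = sessionId;
    }

    /**
     * Builds the {@link RemoteInvocation} for {@code mi} and adds the {@link #SESSION_ID_KEY} and
     * {@link #HOST_KEY} attributes when the corresponding values could be resolved.
     *
     * @param mi the method invocation being sent to the remote side
     * @return the invocation, carrying a session id and/or host attribute when one was found
     */
    @Override
    public RemoteInvocation createRemoteInvocation(MethodInvocation mi) {

        Serializable resolvedSessionId = null;
        String host = null;
        boolean sessionManagerMethodInvocation = false;

        // Calls on the session manager interfaces carry the session id in their own arguments.
        Class<?> miDeclaringClass = mi.getMethod().getDeclaringClass();
        if (SessionManager.class.equals(miDeclaringClass) || NativeSessionManager.class.equals(miDeclaringClass)) {
            sessionManagerMethodInvocation = true;

            // "start" is the one method excluded here; every other method is assumed to take a
            // SessionKey as its first argument -- TODO confirm against the interfaces.
            if (!mi.getMethod().getName().equals("start")) {
                SessionKey key = (SessionKey) mi.getArguments()[0];
                resolvedSessionId = key.getSessionId();
            }
        }

        // Fall back to the id configured on this factory, if any.
        if (resolvedSessionId == null) {
            resolvedSessionId = this.sessionId;
        }

        // Then try the current Subject's session, without creating one.
        if (resolvedSessionId == null) {
            try {
                // Return value is discarded; judging by the catch below, the call is made only
                // so that it fails when no security manager is available.
                SecurityUtils.getSecurityManager();
                if (!sessionManagerMethodInvocation) {
                    Subject subject = SecurityUtils.getSubject();
                    Session session = subject.getSession(false);
                    if (session != null) {
                        resolvedSessionId = session.getId();
                        host = session.getHost();
                    }
                }
            } catch (Exception e) {
                // Deliberately best-effort: resolution continues with the system property.
                // The exception is passed to the logger because this handler catches every
                // Exception, not only the "no security manager" case the message names.
                log.trace("No security manager set. Trying next to get session id from system property", e);
            }
        }

        // Last resort: the JVM-wide system property.
        if (resolvedSessionId == null) {
            if (log.isTraceEnabled()) {
                log.trace("No Session found for the currently executing subject via subject.getSession(false). " +
                        "Attempting to revert back to the 'shiro.session.id' system property...");
            }
            resolvedSessionId = System.getProperty(SESSION_ID_SYSTEM_PROPERTY_NAME);
            if (resolvedSessionId == null && log.isTraceEnabled()) {
                log.trace("No 'shiro.session.id' system property found. Heuristics have been exhausted; " +
                        "RemoteInvocation will not contain a sessionId.");
            }
        }

        RemoteInvocation ri = new RemoteInvocation(mi);
        if (resolvedSessionId != null) {
            ri.addAttribute(SESSION_ID_KEY, resolvedSessionId);
        }
        if (host != null) {
            ri.addAttribute(HOST_KEY, host);
        }

        return ri;
    }
}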