Examples of org.apache.shiro.mgt.DefaultSubjectDAO

org.apache.shiro.mgt.DefaultSubjectDAO
Default {@code SubjectDAO} implementation that stores Subject state in the Subject's Session by default (but thiscan be disabled - see below). The Subject instance can be re-created at a later time by first acquiring the associated Session (typically from a {@link org.apache.shiro.session.mgt.SessionManager SessionManager}) via a session ID or session key and then building a {@code Subject} instance from {@code Session} attributes.
Controlling how Sessions are used
Whether or not a {@code Subject}'s {@code Session} is used or not to persist its own state is controlled on aper-Subject basis as determined by the configured {@link #setSessionStorageEvaluator(SessionStorageEvaluator) sessionStorageEvaluator}. The default {@code Evaluator} is a {@link DefaultSessionStorageEvaluator}, which supports enabling or disabling session usage for Subject persistence at a global level for all subjects (and defaults to allowing sessions to be used).
Disabling Session Persistence Entirely
Because the default {@code SessionStorageEvaluator} instance is a {@link DefaultSessionStorageEvaluator}, you can disable Session usage for Subject state entirely by configuring that instance directly, e.g.:
```
 ((DefaultSessionStorageEvaluator)sessionDAO.getSessionStorageEvaluator()).setSessionStorageEnabled(false); 
```
or, for example, in {@code shiro.ini}:
```
 securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false 
```
but note: ONLY do this your application is 100% stateless and you DO NOT need subjects to be remembered across remote invocations, or in a web environment across HTTP requests.
Supporting Both Stateful and Stateless Subject paradigms
Perhaps your application needs to support a hybrid approach of both stateful and stateless Subjects:
- Stateful: Stateful subjects might represent web end-users that need their identity and authentication state to be remembered from page to page.
- Stateless: Stateless subjects might represent API clients (e.g. REST clients) that authenticate on every request, and therefore don't need authentication state to be stored across requests in a session.
To support the hybrid per-Subject approach, you will need to create your own implementation of the {@link SessionStorageEvaluator} interface and configure it via the{@link #setSessionStorageEvaluator(SessionStorageEvaluator)} method, or, with {@code shiro.ini}:
```
 myEvaluator = com.my.CustomSessionStorageEvaluator securityManager.subjectDAO.sessionStorageEvaluator = $myEvaluator 
```
Unless overridden, the default evaluator is a {@link DefaultSessionStorageEvaluator}, which enables session usage for Subject state by default. @see #isSessionStorageEnabled(org.apache.shiro.subject.Subject) @see SessionStorageEvaluator @see DefaultSessionStorageEvaluator @since 1.2

                        Lists.newArrayList(serverRestInterfaceRealm)
                );
        // disable storing sessions (TODO we might want to write a session store bridge to play's session cookie)
        final DefaultSessionStorageEvaluator sessionStorageEvaluator = new DefaultSessionStorageEvaluator();
        sessionStorageEvaluator.setSessionStorageEnabled(false);
        final DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
        subjectDAO.setSessionStorageEvaluator(sessionStorageEvaluator);
        securityManager.setSubjectDAO(subjectDAO);


        final Authenticator authenticator = securityManager.getAuthenticator();
        if (authenticator instanceof ModularRealmAuthenticator) {
            ModularRealmAuthenticator a = (ModularRealmAuthenticator) authenticator;

View Full Code Here

        if (authenticator instanceof ModularRealmAuthenticator) {
            ((ModularRealmAuthenticator) authenticator).setAuthenticationStrategy(new FirstSuccessfulStrategy());
        }
        sm.setAuthorizer(new ModularRealmAuthorizer(Lists.<Realm>newArrayList(mongoDbAuthorizationRealm, inMemoryRealm)));


        final DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
        final DefaultSessionStorageEvaluator sessionStorageEvaluator = new DefaultSessionStorageEvaluator() {
            @Override
            public boolean isSessionStorageEnabled(Subject subject) {
                // save to session if we already have a session. do not create on just for saving the subject
                return (subject.getSession(false) != null);
            }
        };
        sessionStorageEvaluator.setSessionStorageEnabled(false);
        subjectDAO.setSessionStorageEvaluator(sessionStorageEvaluator);
        sm.setSubjectDAO(subjectDAO);


        final DefaultSessionManager defaultSessionManager = (DefaultSessionManager) sm.getSessionManager();
        defaultSessionManager.setSessionDAO(mongoDbSessionDAO);
        defaultSessionManager.setDeleteInvalidSessions(true);

View Full Code Here


        //disable sessions entirely:
        setSessionManager(new DisabledSessionManager());


        //also prevent the SecurityManager impl from using the Session as a storage medium (i.e. after authc):
        DefaultSubjectDAO subjectDao = (DefaultSubjectDAO)getSubjectDAO();
        DefaultSessionStorageEvaluator sessionStorageEvaluator =
                (DefaultSessionStorageEvaluator)subjectDao.getSessionStorageEvaluator();
        sessionStorageEvaluator.setSessionStorageEnabled(false);
    }

View Full Code Here

TOP

Related Classes of org.apache.shiro.mgt.DefaultSubjectDAO

lib.Global

org.apache.activemq.shiro.mgt.DefaultActiveMqSecurityManager

org.apache.shiro.session.Session

org.apache.shiro.subject.PrincipalCollection

org.graylog2.bindings.providers.DefaultSecurityManagerProvider

java.lang.reflect.Field

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.

Examples of org.apache.shiro.mgt.DefaultSubjectDAO

Controlling how Sessions are used

Disabling Session Persistence Entirely

Supporting Both Stateful and Stateless Subject paradigms

Related Classes of org.apache.shiro.mgt.DefaultSubjectDAO