public interface SessionContext extends Map<String,Object>
SessionContext
is a 'bucket' of data presented to a SessionFactory
which interprets
this data to construct Session
instances. It is essentially a Map of data
with a few additional type-safe methods for easy retrieval of objects commonly used to construct Subject instances.
While this interface contains type-safe setters and getters for common data types, the map can contain anything
additional that might be needed by the SessionFactory
implementation to construct Session
instances.
USAGE: Most Shiro end-users will never use a SubjectContext
instance directly and instead will call
the Subject.
getSession()
or
Subject.
getSession(boolean)
methods (which
will usually use SessionContext
instances to start a session with the application's
SessionManager
.SessionManager.start(SessionContext)
,
SessionFactory
Modifier and Type | Method and Description |
---|---|
String |
getHost()
Returns the originating host name or IP address (as a String) from where the
Subject is initiating the
Session . |
Serializable |
getSessionId() |
void |
setHost(String host)
Sets the originating host name or IP address (as a String) from where the
Subject is initiating the
Session . |
void |
setSessionId(Serializable sessionId) |
void setHost(String host)
Subject
is initiating the
Session
.
In web-based systems, this host can be inferred from the incoming request, e.g.
javax.servlet.ServletRequest#getRemoteAddr()
or javax.servlet.ServletRequest#getRemoteHost()
methods, or in socket-based systems, it can be obtained via inspecting the socket
initiator's host IP.
Most secure environments should specify a valid, non-null
host
, since knowing the
host
allows for more flexibility when securing a system: by requiring an host, access control policies
can also ensure access is restricted to specific client locations in addition to Subject
principals, if so desired.
Caveat - if clients to your system are on a
public network (as would be the case for a public web site), odds are high the clients can be
behind a NAT (Network Address Translation) router or HTTP proxy server. If so, all clients
accessing your system behind that router or proxy will have the same originating host.
If your system is configured to allow only one session per host, then the next request from a
different NAT or proxy client will fail and access will be denied for that client. Just be
aware that host-based security policies are best utilized in LAN or private WAN environments
when you can be ensure clients will not share IPs or be behind such NAT routers or
proxy servers.host
- the originating host name or IP address (as a String) from where the Subject
is
initiating the Session
.String getHost()
Subject
is initiating the
Session
.
See the setHost(String)
JavaDoc for more about security policies based on the
Session
host.Subject
is initiating the
Session
.setHost(String)
Serializable getSessionId()
void setSessionId(Serializable sessionId)
Copyright © 2004-2013 The Apache Software Foundation. All Rights Reserved.