org.apache.shiro.web.mgt

Class DefaultWebSecurityManager

java.lang.Object

org.apache.shiro.mgt.CachingSecurityManager

org.apache.shiro.mgt.RealmSecurityManager

org.apache.shiro.mgt.AuthenticatingSecurityManager

org.apache.shiro.mgt.AuthorizingSecurityManager

org.apache.shiro.mgt.SessionsSecurityManager

org.apache.shiro.mgt.DefaultSecurityManager

org.apache.shiro.web.mgt.DefaultWebSecurityManager

All Implemented Interfaces:

Authenticator, Authorizer, CacheManagerAware, SecurityManager, SessionManager, Destroyable, WebSecurityManager

public class DefaultWebSecurityManager
extends DefaultSecurityManager
implements WebSecurityManager

Default WebSecurityManager implementation used in web-based applications or any application that requires HTTP connectivity (SOAP, http remoting, etc).

Since:

0.2

Field Summary

Fields

Modifier and Type	Field and Description
static String	HTTP_SESSION_MODE Deprecated.
static String	NATIVE_SESSION_MODE Deprecated.

Fields inherited from class org.apache.shiro.mgt.DefaultSecurityManager

rememberMeManager, subjectDAO, subjectFactory

Constructor Summary

Constructors

Constructor and Description
DefaultWebSecurityManager()
DefaultWebSecurityManager(Collection<Realm> realms)
DefaultWebSecurityManager(Realm singleRealm)

Method Summary

Methods

Modifier and Type	Method and Description
protected void	afterSessionManagerSet()
protected void	beforeLogout(Subject subject)
protected SubjectContext	copy(SubjectContext subjectContext)
protected SessionContext	createSessionContext(SubjectContext subjectContext)
protected SessionManager	createSessionManager(String sessionMode)
protected SubjectContext	createSubjectContext()
protected SessionKey	getSessionKey(SubjectContext context)
String	getSessionMode() Deprecated.
boolean	isHttpSessionMode() Security information needs to be retained from request to request, so Shiro makes use of a session for this.
protected void	removeRequestIdentity(Subject subject)
void	setSessionManager(SessionManager sessionManager) Sets the underlying delegate SessionManager instance that will be used to support this implementation's SessionManager method calls.
void	setSessionMode(String sessionMode) Deprecated. since 1.2
void	setSubjectDAO(SubjectDAO subjectDAO) Sets the SubjectDAO responsible for persisting Subject state, typically used after login or when an Subject identity is discovered (eg after RememberMe services).

Methods inherited from class org.apache.shiro.mgt.DefaultSecurityManager

bind, createSubject, createSubject, delete, doCreateSubject, ensureSecurityManager, getRememberedIdentity, getRememberMeManager, getSubjectDAO, getSubjectFactory, login, logout, onFailedLogin, onSuccessfulLogin, rememberMeFailedLogin, rememberMeLogout, rememberMeSuccessfulLogin, resolveContextSession, resolvePrincipals, resolveSession, save, setRememberMeManager, setSubjectFactory, stopSession, unbind

Methods inherited from class org.apache.shiro.mgt.SessionsSecurityManager

afterCacheManagerSet, applyCacheManagerToSessionManager, destroy, getSession, getSessionManager, start

Methods inherited from class org.apache.shiro.mgt.AuthorizingSecurityManager

afterRealmsSet, checkPermission, checkPermission, checkPermissions, checkPermissions, checkRole, checkRoles, checkRoles, getAuthorizer, hasAllRoles, hasRole, hasRoles, isPermitted, isPermitted, isPermitted, isPermitted, isPermittedAll, isPermittedAll, setAuthorizer

Methods inherited from class org.apache.shiro.mgt.AuthenticatingSecurityManager

authenticate, getAuthenticator, setAuthenticator

Methods inherited from class org.apache.shiro.mgt.RealmSecurityManager

applyCacheManagerToRealms, getRealms, setRealm, setRealms

Methods inherited from class org.apache.shiro.mgt.CachingSecurityManager

getCacheManager, setCacheManager

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.shiro.mgt.SecurityManager

createSubject, login, logout

Methods inherited from interface org.apache.shiro.authc.Authenticator

authenticate

Methods inherited from interface org.apache.shiro.authz.Authorizer

checkPermission, checkPermission, checkPermissions, checkPermissions, checkRole, checkRoles, checkRoles, hasAllRoles, hasRole, hasRoles, isPermitted, isPermitted, isPermitted, isPermitted, isPermittedAll, isPermittedAll

Methods inherited from interface org.apache.shiro.session.mgt.SessionManager

getSession, start

Field Detail

HTTP_SESSION_MODE

@Deprecated
public static final String HTTP_SESSION_MODE

Deprecated.

See Also:

Constant Field Values

NATIVE_SESSION_MODE

@Deprecated
public static final String NATIVE_SESSION_MODE

Deprecated.

See Also:

Constant Field Values

Constructor Detail

DefaultWebSecurityManager

public DefaultWebSecurityManager()

DefaultWebSecurityManager

public DefaultWebSecurityManager(Realm singleRealm)

DefaultWebSecurityManager

public DefaultWebSecurityManager(Collection<Realm> realms)

Method Detail

createSubjectContext

protected SubjectContext createSubjectContext()

Overrides:

createSubjectContext in class DefaultSecurityManager

setSubjectDAO

public void setSubjectDAO(SubjectDAO subjectDAO)

Description copied from class: DefaultSecurityManager

Sets the SubjectDAO responsible for persisting Subject state, typically used after login or when an Subject identity is discovered (eg after RememberMe services). Unless configured otherwise, the default implementation is a DefaultSubjectDAO.

Overrides:

setSubjectDAO in class DefaultSecurityManager

Parameters:

subjectDAO - the SubjectDAO responsible for persisting Subject state, typically used after login or when an Subject identity is discovered (eg after RememberMe services).

See Also:

DefaultSubjectDAO

afterSessionManagerSet

protected void afterSessionManagerSet()

Overrides:

afterSessionManagerSet in class SessionsSecurityManager

copy

protected SubjectContext copy(SubjectContext subjectContext)

Overrides:

copy in class DefaultSecurityManager

getSessionMode

@Deprecated
public String getSessionMode()

Deprecated.

setSessionMode

@Deprecated
public void setSessionMode(String sessionMode)

Deprecated. since 1.2

Parameters:

sessionMode -

setSessionManager

public void setSessionManager(SessionManager sessionManager)

Description copied from class: SessionsSecurityManager

Sets the underlying delegate SessionManager instance that will be used to support this implementation's SessionManager method calls.

This SecurityManager implementation does not provide logic to support the inherited SessionManager interface, but instead delegates these calls to an internal SessionManager instance.

If a SessionManager instance is not set, a default one will be automatically created and initialized appropriately for the the existing runtime environment.

Overrides:

setSessionManager in class SessionsSecurityManager

Parameters:

sessionManager - delegate instance to use to support this manager's SessionManager method calls.

isHttpSessionMode

public boolean isHttpSessionMode()

Description copied from interface: WebSecurityManager

Security information needs to be retained from request to request, so Shiro makes use of a session for this. Typically, a security manager will use the servlet container's HTTP session but custom session implementations, for example based on EhCache, may also be used. This method indicates whether the security manager is using the HTTP session or not.

Specified by:

isHttpSessionMode in interface WebSecurityManager

Returns:

true if the security manager is using the HTTP session; otherwise, false.

Since:

1.0

createSessionManager

protected SessionManager createSessionManager(String sessionMode)

createSessionContext

protected SessionContext createSessionContext(SubjectContext subjectContext)

Overrides:

createSessionContext in class DefaultSecurityManager

getSessionKey

protected SessionKey getSessionKey(SubjectContext context)

Overrides:

getSessionKey in class DefaultSecurityManager

beforeLogout

protected void beforeLogout(Subject subject)

Overrides:

beforeLogout in class DefaultSecurityManager

removeRequestIdentity

protected void removeRequestIdentity(Subject subject)