Coverage Report

Coverage Report - org.apache.shiro.spring.remoting.SecureRemoteInvocationFactory

Classes in this File

Line Coverage

Branch Coverage

Complexity

SecureRemoteInvocationFactory

68%

28/41

57%

15/26

5.667

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.shiro.spring.remoting;
 
 import org.aopalliance.intercept.MethodInvocation;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.session.Session;
 import org.apache.shiro.session.mgt.NativeSessionManager;
 import org.apache.shiro.session.mgt.SessionKey;
 import org.apache.shiro.session.mgt.SessionManager;
 import org.apache.shiro.subject.Subject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.remoting.support.DefaultRemoteInvocationFactory;
 import org.springframework.remoting.support.RemoteInvocation;
 import org.springframework.remoting.support.RemoteInvocationFactory;
 
 import java.io.Serializable;
 
 /**
  * A {@link RemoteInvocationFactory} that passes the session ID to the server via a
  * {@link RemoteInvocation} {@link RemoteInvocation#getAttribute(String) attribute}.
  * This factory is the client-side part of
  * the Shiro Spring remoting invocation.  A {@link SecureRemoteInvocationExecutor} should
  * be used to export the server-side remote services to ensure that the appropriate
  * Subject and Session are bound to the remote thread during execution.
  *
  * @since 0.1
  */
 public class SecureRemoteInvocationFactory extends DefaultRemoteInvocationFactory {
 
     private static final Logger log = LoggerFactory.getLogger(SecureRemoteInvocationFactory.class);
 
     public static final String SESSION_ID_KEY = SecureRemoteInvocationFactory.class.getName() + ".SESSION_ID_KEY";
     public static final String HOST_KEY = SecureRemoteInvocationFactory.class.getName() + ".HOST_KEY";
 
     private static final String SESSION_ID_SYSTEM_PROPERTY_NAME = "shiro.session.id";
 
     private String sessionId;
 
     public SecureRemoteInvocationFactory() {
     }
 
     public SecureRemoteInvocationFactory(String sessionId) {
         this();
         this.sessionId = sessionId;
     }
 
     /**
      * Creates a {@link RemoteInvocation} with the current session ID as an
      * {@link RemoteInvocation#getAttribute(String) attribute}.
      *
      * @param mi the method invocation that the remote invocation should be based on.
      * @return a remote invocation object containing the current session ID as an attribute.
      */
     public RemoteInvocation createRemoteInvocation(MethodInvocation mi) {
 
         Serializable sessionId = null;
         String host = null;
         boolean sessionManagerMethodInvocation = false;
 
         //If the calling MI is for a remoting SessionManager delegate, we need to acquire the session ID from the method
         //argument and NOT interact with SecurityUtils/subject.getSession to avoid a stack overflow
         Class miDeclaringClass = mi.getMethod().getDeclaringClass();
         if (SessionManager.class.equals(miDeclaringClass) || NativeSessionManager.class.equals(miDeclaringClass)) {
             sessionManagerMethodInvocation = true;
             //for SessionManager calls, all method calls except the 'start' methods require a SessionKey
             // as the first argument, so just get it from there:
             if (!mi.getMethod().getName().equals("start")) {
                 SessionKey key = (SessionKey) mi.getArguments()[0];
                 sessionId = key.getSessionId();
             }
         }
 
         //tried the delegate. Use the injected session id if given
         if (sessionId == null) sessionId = this.sessionId;
 
         // If sessionId is null, only then try the Subject:
         if (sessionId == null) {
             try {
                 // HACK Check if can get the securityManager - this'll cause an exception if it's not set 
                 SecurityUtils.getSecurityManager();
                 if (!sessionManagerMethodInvocation) {
                     Subject subject = SecurityUtils.getSubject();
                     Session session = subject.getSession(false);
                     if (session != null) {
                         sessionId = session.getId();
                         host = session.getHost();
                     }
                 }
             }
             catch (Exception e) {
                 log.trace("No security manager set. Trying next to get session id from system property");
             }
         }
         //No call to the sessionManager, and the Subject doesn't have a session.  Try a system property
         //as a last result:
         if (sessionId == null) {
             if (log.isTraceEnabled()) {
                 log.trace("No Session found for the currently executing subject via subject.getSession(false).  " +
                         "Attempting to revert back to the 'shiro.session.id' system property...");
             }
             sessionId = System.getProperty(SESSION_ID_SYSTEM_PROPERTY_NAME);
             if (sessionId == null && log.isTraceEnabled()) {
                 log.trace("No 'shiro.session.id' system property found.  Heuristics have been exhausted; " +
                         "RemoteInvocation will not contain a sessionId.");
             }
         }
 
         RemoteInvocation ri = new RemoteInvocation(mi);
         if (sessionId != null) {
             ri.addAttribute(SESSION_ID_KEY, sessionId);
         }
         if (host != null) {
             ri.addAttribute(HOST_KEY, host);
         }
 
         return ri;
     }
 }

1		/*
2		* Licensed to the Apache Software Foundation (ASF) under one
3		* or more contributor license agreements. See the NOTICE file
4		* distributed with this work for additional information
5		* regarding copyright ownership. The ASF licenses this file
6		* to you under the Apache License, Version 2.0 (the
7		* "License"); you may not use this file except in compliance
8		* with the License. You may obtain a copy of the License at
9		*
10		* http://www.apache.org/licenses/LICENSE-2.0
11		*
12		* Unless required by applicable law or agreed to in writing,
13		* software distributed under the License is distributed on an
14		* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15		* KIND, either express or implied. See the License for the
16		* specific language governing permissions and limitations
17		* under the License.
18		*/
19		package org.apache.shiro.spring.remoting;
20
21		import org.aopalliance.intercept.MethodInvocation;
22		import org.apache.shiro.SecurityUtils;
23		import org.apache.shiro.session.Session;
24		import org.apache.shiro.session.mgt.NativeSessionManager;
25		import org.apache.shiro.session.mgt.SessionKey;
26		import org.apache.shiro.session.mgt.SessionManager;
27		import org.apache.shiro.subject.Subject;
28		import org.slf4j.Logger;
29		import org.slf4j.LoggerFactory;
30		import org.springframework.remoting.support.DefaultRemoteInvocationFactory;
31		import org.springframework.remoting.support.RemoteInvocation;
32		import org.springframework.remoting.support.RemoteInvocationFactory;
33
34		import java.io.Serializable;
35
36		/**
37		* A {@link RemoteInvocationFactory} that passes the session ID to the server via a
38		* {@link RemoteInvocation} {@link RemoteInvocation#getAttribute(String) attribute}.
39		* This factory is the client-side part of
40		* the Shiro Spring remoting invocation. A {@link SecureRemoteInvocationExecutor} should
41		* be used to export the server-side remote services to ensure that the appropriate
42		* Subject and Session are bound to the remote thread during execution.
43		*
44		* @since 0.1
45		*/
46		public class SecureRemoteInvocationFactory extends DefaultRemoteInvocationFactory {
47
48	1	private static final Logger log = LoggerFactory.getLogger(SecureRemoteInvocationFactory.class);
49
50	1	public static final String SESSION_ID_KEY = SecureRemoteInvocationFactory.class.getName() + ".SESSION_ID_KEY";
51	1	public static final String HOST_KEY = SecureRemoteInvocationFactory.class.getName() + ".HOST_KEY";
52
53		private static final String SESSION_ID_SYSTEM_PROPERTY_NAME = "shiro.session.id";
54
55		private String sessionId;
56
57	2	public SecureRemoteInvocationFactory() {
58	2	}
59
60		public SecureRemoteInvocationFactory(String sessionId) {
61	0	this();
62	0	this.sessionId = sessionId;
63	0	}
64
65		/**
66		* Creates a {@link RemoteInvocation} with the current session ID as an
67		* {@link RemoteInvocation#getAttribute(String) attribute}.
68		*
69		* @param mi the method invocation that the remote invocation should be based on.
70		* @return a remote invocation object containing the current session ID as an attribute.
71		*/
72		public RemoteInvocation createRemoteInvocation(MethodInvocation mi) {
73
74	2	Serializable sessionId = null;
75	2	String host = null;
76	2	boolean sessionManagerMethodInvocation = false;
77
78		//If the calling MI is for a remoting SessionManager delegate, we need to acquire the session ID from the method
79		//argument and NOT interact with SecurityUtils/subject.getSession to avoid a stack overflow
80	2	Class miDeclaringClass = mi.getMethod().getDeclaringClass();
81	2	if (SessionManager.class.equals(miDeclaringClass) \|\| NativeSessionManager.class.equals(miDeclaringClass)) {
82	2	sessionManagerMethodInvocation = true;
83		//for SessionManager calls, all method calls except the 'start' methods require a SessionKey
84		// as the first argument, so just get it from there:
85	2	if (!mi.getMethod().getName().equals("start")) {
86	1	SessionKey key = (SessionKey) mi.getArguments()[0];
87	1	sessionId = key.getSessionId();
88		}
89		}
90
91		//tried the delegate. Use the injected session id if given
92	2	if (sessionId == null) sessionId = this.sessionId;
93
94		// If sessionId is null, only then try the Subject:
95	2	if (sessionId == null) {
96		try {
97		// HACK Check if can get the securityManager - this'll cause an exception if it's not set
98	1	SecurityUtils.getSecurityManager();
99	0	if (!sessionManagerMethodInvocation) {
100	0	Subject subject = SecurityUtils.getSubject();
101	0	Session session = subject.getSession(false);
102	0	if (session != null) {
103	0	sessionId = session.getId();
104	0	host = session.getHost();
105		}
106		}
107		}
108	1	catch (Exception e) {
109	1	log.trace("No security manager set. Trying next to get session id from system property");
110	0	}
111		}
112		//No call to the sessionManager, and the Subject doesn't have a session. Try a system property
113		//as a last result:
114	2	if (sessionId == null) {
115	1	if (log.isTraceEnabled()) {
116	0	log.trace("No Session found for the currently executing subject via subject.getSession(false). " +
117		"Attempting to revert back to the 'shiro.session.id' system property...");
118		}
119	1	sessionId = System.getProperty(SESSION_ID_SYSTEM_PROPERTY_NAME);
120	1	if (sessionId == null && log.isTraceEnabled()) {
121	0	log.trace("No 'shiro.session.id' system property found. Heuristics have been exhausted; " +
122		"RemoteInvocation will not contain a sessionId.");
123		}
124		}
125
126	2	RemoteInvocation ri = new RemoteInvocation(mi);
127	2	if (sessionId != null) {
128	1	ri.addAttribute(SESSION_ID_KEY, sessionId);
129		}
130	2	if (host != null) {
131	0	ri.addAttribute(HOST_KEY, host);
132		}
133
134	2	return ri;
135		}
136		}