1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
17 * under the License.
18 */
19 package org.apache.shiro.mgt;
20
21 import org.apache.shiro.session.Session;
22 import org.apache.shiro.subject.PrincipalCollection;
23 import org.apache.shiro.subject.Subject;
24 import org.apache.shiro.subject.support.DefaultSubjectContext;
25 import org.apache.shiro.subject.support.DelegatingSubject;
26 import org.slf4j.Logger;
27 import org.slf4j.LoggerFactory;
28
29 import java.lang.reflect.Field;
30
31 /**
32 * Default {@code SubjectDAO} implementation that stores Subject state in the Subject's Session by default (but this
33 * can be disabled - see below). The Subject instance
34 * can be re-created at a later time by first acquiring the associated Session (typically from a
35 * {@link org.apache.shiro.session.mgt.SessionManager SessionManager}) via a session ID or session key and then
36 * building a {@code Subject} instance from {@code Session} attributes.
37 * <h2>Controlling how Sessions are used</h2>
38 * Whether or not a {@code Subject}'s {@code Session} is used or not to persist its own state is controlled on a
39 * <em>per-Subject</em> basis as determined by the configured
40 * {@link #setSessionStorageEvaluator(SessionStorageEvaluator) sessionStorageEvaluator}.
41 * The default {@code Evaluator} is a {@link DefaultSessionStorageEvaluator}, which supports enabling or disabling
42 * session usage for Subject persistence at a global level for all subjects (and defaults to allowing sessions to be
43 * used).
44 * <h3>Disabling Session Persistence Entirely</h3>
45 * Because the default {@code SessionStorageEvaluator} instance is a {@link DefaultSessionStorageEvaluator}, you
46 * can disable Session usage for Subject state entirely by configuring that instance directly, e.g.:
47 * <pre>
48 * ((DefaultSessionStorageEvaluator)sessionDAO.getSessionStorageEvaluator()).setSessionStorageEnabled(false);
49 * </pre>
50 * or, for example, in {@code shiro.ini}:
51 * <pre>
52 * securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false
53 * </pre>
54 * but <b>note:</b> ONLY do this your
55 * application is 100% stateless and you <em>DO NOT</em> need subjects to be remembered across remote
56 * invocations, or in a web environment across HTTP requests.
57 * <h3>Supporting Both Stateful and Stateless Subject paradigms</h3>
58 * Perhaps your application needs to support a hybrid approach of both stateful and stateless Subjects:
59 * <ul>
60 * <li>Stateful: Stateful subjects might represent web end-users that need their identity and authentication
61 * state to be remembered from page to page.</li>
62 * <li>Stateless: Stateless subjects might represent API clients (e.g. REST clients) that authenticate on every
63 * request, and therefore don't need authentication state to be stored across requests in a session.</li>
64 * </ul>
65 * To support the hybrid <em>per-Subject</em> approach, you will need to create your own implementation of the
66 * {@link SessionStorageEvaluator} interface and configure it via the
67 * {@link #setSessionStorageEvaluator(SessionStorageEvaluator)} method, or, with {@code shiro.ini}:
68 * <pre>
69 * myEvaluator = com.my.CustomSessionStorageEvaluator
70 * securityManager.subjectDAO.sessionStorageEvaluator = $myEvaluator
71 * </pre>
72 * <p/>
73 * Unless overridden, the default evaluator is a {@link DefaultSessionStorageEvaluator}, which enables session usage for
74 * Subject state by default.
75 *
76 * @see #isSessionStorageEnabled(org.apache.shiro.subject.Subject)
77 * @see SessionStorageEvaluator
78 * @see DefaultSessionStorageEvaluator
79 * @since 1.2
80 */
81 public class DefaultSubjectDAO implements SubjectDAO {
82
83 private static final Logger log = LoggerFactory.getLogger(DefaultSubjectDAO.class);
84
85 /**
86 * Evaluator that determines if a Subject's session may be used to store the Subject's own state.
87 */
88 private SessionStorageEvaluator sessionStorageEvaluator;
89
90 public DefaultSubjectDAO() {
91 //default implementation allows enabling/disabling session usages at a global level for all subjects:
92 this.sessionStorageEvaluator = new DefaultSessionStorageEvaluator();
93 }
94
95 /**
96 * Determines if the subject's session will be used to persist subject state or not. This implementation
97 * merely delegates to the internal {@link SessionStorageEvaluator} (a
98 * {@code DefaultSessionStorageEvaluator} by default).
99 *
100 * @param subject the subject to inspect to determine if the subject's session will be used to persist subject
101 * state or not.
102 * @return {@code true} if the subject's session will be used to persist subject state, {@code false} otherwise.
103 * @see #setSessionStorageEvaluator(SessionStorageEvaluator)
104 * @see DefaultSessionStorageEvaluator
105 */
106 protected boolean isSessionStorageEnabled(Subject subject) {
107 return getSessionStorageEvaluator().isSessionStorageEnabled(subject);
108 }
109
110 /**
111 * Returns the {@code SessionStorageEvaluator} that will determine if a {@code Subject}'s state may be persisted in
112 * the Subject's session. The default instance is a {@link DefaultSessionStorageEvaluator}.
113 *
114 * @return the {@code SessionStorageEvaluator} that will determine if a {@code Subject}'s state may be persisted in
115 * the Subject's session.
116 * @see DefaultSessionStorageEvaluator
117 */
118 public SessionStorageEvaluator getSessionStorageEvaluator() {
119 return sessionStorageEvaluator;
120 }
121
122 /**
123 * Sets the {@code SessionStorageEvaluator} that will determine if a {@code Subject}'s state may be persisted in
124 * the Subject's session. The default instance is a {@link DefaultSessionStorageEvaluator}.
125 *
126 * @param sessionStorageEvaluator the {@code SessionStorageEvaluator} that will determine if a {@code Subject}'s
127 * state may be persisted in the Subject's session.
128 * @see DefaultSessionStorageEvaluator
129 */
130 public void setSessionStorageEvaluator(SessionStorageEvaluator sessionStorageEvaluator) {
131 this.sessionStorageEvaluator = sessionStorageEvaluator;
132 }
133
134 /**
135 * Saves the subject's state to the subject's {@link org.apache.shiro.subject.Subject#getSession() session} only
136 * if {@link #isSessionStorageEnabled(Subject) sessionStorageEnabled(subject)}. If session storage is not enabled
137 * for the specific {@code Subject}, this method does nothing.
138 * <p/>
139 * In either case, the argument {@code Subject} is returned directly (a new Subject instance is not created).
140 *
141 * @param subject the Subject instance for which its state will be created or updated.
142 * @return the same {@code Subject} passed in (a new Subject instance is not created).
143 */
144 public Subject save(Subject subject) {
145 if (isSessionStorageEnabled(subject)) {
146 saveToSession(subject);
147 } else {
148 log.trace("Session storage of subject state for Subject [{}] has been disabled: identity and " +
149 "authentication state are expected to be initialized on every request or invocation.", subject);
150 }
151
152 return subject;
153 }
154
155 /**
156 * Saves the subject's state (it's principals and authentication state) to its
157 * {@link org.apache.shiro.subject.Subject#getSession() session}. The session can be retrieved at a later time
158 * (typically from a {@link org.apache.shiro.session.mgt.SessionManager SessionManager} to be used to recreate
159 * the {@code Subject} instance.
160 *
161 * @param subject the subject for which state will be persisted to its session.
162 */
163 protected void saveToSession(Subject subject) {
164 //performs merge logic, only updating the Subject's session if it does not match the current state:
165 mergePrincipals(subject);
166 mergeAuthenticationState(subject);
167 }
168
169 private static boolean isEmpty(PrincipalCollection pc) {
170 return pc == null || pc.isEmpty();
171 }
172
173 /**
174 * Merges the Subject's current {@link org.apache.shiro.subject.Subject#getPrincipals()} with whatever may be in
175 * any available session. Only updates the Subject's session if the session does not match the current principals
176 * state.
177 *
178 * @param subject the Subject for which principals will potentially be merged into the Subject's session.
179 */
180 protected void mergePrincipals(Subject subject) {
181 //merge PrincipalCollection state:
182
183 PrincipalCollection currentPrincipals = null;
184
185 //SHIRO-380: added if/else block - need to retain original (source) principals
186 //This technique (reflection) is only temporary - a proper long term solution needs to be found,
187 //but this technique allowed an immediate fix that is API point-version forwards and backwards compatible
188 //
189 //A more comprehensive review / cleaning of runAs should be performed for Shiro 1.3 / 2.0 +
190 if (subject.isRunAs() && subject instanceof DelegatingSubject) {
191 try {
192 Field field = DelegatingSubject.class.getDeclaredField("principals");
193 field.setAccessible(true);
194 currentPrincipals = (PrincipalCollection)field.get(subject);
195 } catch (Exception e) {
196 throw new IllegalStateException("Unable to access DelegatingSubject principals property.", e);
197 }
198 }
199 if (currentPrincipals == null || currentPrincipals.isEmpty()) {
200 currentPrincipals = subject.getPrincipals();
201 }
202
203 Session session = subject.getSession(false);
204
205 if (session == null) {
206 if (!isEmpty(currentPrincipals)) {
207 session = subject.getSession();
208 session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY, currentPrincipals);
209 }
210 // otherwise no session and no principals - nothing to save
211 } else {
212 PrincipalCollection existingPrincipals =
213 (PrincipalCollection) session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
214
215 if (isEmpty(currentPrincipals)) {
216 if (!isEmpty(existingPrincipals)) {
217 session.removeAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
218 }
219 // otherwise both are null or empty - no need to update the session
220 } else {
221 if (!currentPrincipals.equals(existingPrincipals)) {
222 session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY, currentPrincipals);
223 }
224 // otherwise they're the same - no need to update the session
225 }
226 }
227 }
228
229 /**
230 * Merges the Subject's current authentication state with whatever may be in
231 * any available session. Only updates the Subject's session if the session does not match the current
232 * authentication state.
233 *
234 * @param subject the Subject for which principals will potentially be merged into the Subject's session.
235 */
236 protected void mergeAuthenticationState(Subject subject) {
237
238 Session session = subject.getSession(false);
239
240 if (session == null) {
241 if (subject.isAuthenticated()) {
242 session = subject.getSession();
243 session.setAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY, Boolean.TRUE);
244 }
245 //otherwise no session and not authenticated - nothing to save
246 } else {
247 Boolean existingAuthc = (Boolean) session.getAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY);
248
249 if (subject.isAuthenticated()) {
250 if (existingAuthc == null || !existingAuthc) {
251 session.setAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY, Boolean.TRUE);
252 }
253 //otherwise authc state matches - no need to update the session
254 } else {
255 if (existingAuthc != null) {
256 //existing doesn't match the current state - remove it:
257 session.removeAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY);
258 }
259 //otherwise not in the session and not authenticated - no need to update the session
260 }
261 }
262 }
263
264 /**
265 * Removes any existing subject state from the Subject's session (if the session exists). If the session
266 * does not exist, this method does not do anything.
267 *
268 * @param subject the subject for which any existing subject state will be removed from its session.
269 */
270 protected void removeFromSession(Subject subject) {
271 Session session = subject.getSession(false);
272 if (session != null) {
273 session.removeAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY);
274 session.removeAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
275 }
276 }
277
278 /**
279 * Removes any existing subject state from the subject's session (if the session exists).
280 *
281 * @param subject the Subject instance for which any persistent state should be deleted.
282 */
283 public void delete(Subject subject) {
284 removeFromSession(subject);
285 }
286 }