AuthenticationStrategy
implementations.Authenticator
implementations that performs the common work around authentication
attempts.Realm
that authenticates with an LDAP
server to build the Subject for a user.NativeSessionManager
interface, supporting
SessionListener
s and application of the
globalSessionTimeout
.RememberMeManager
interface that handles
serialization
and
encryption
of the remembered user identity.DefaultSerializer
as the serializer
and
an AesCipherService
as the cipherService
.SessionDAO
implementation that performs some sanity checks on session creation and reading and
allows for pluggable Session ID generation strategies if desired.sessionIdGenerator
to be a
JavaUuidSessionIdGenerator
.SessionManager
interface, enabling configuration of an
application-wide globalSessionTimeout
.ValidatingSessionManager
interface.AuthenticationInfo
and
AuthorizationInfo
and represents authentication and authorization for a single account in a
single Realm.shiro-activeSessionCache
.Realm
that authenticates with an active directory LDAP
server to determine the roles for a particular user.aggregate
argument without modification.aggregate
method argument is not null
and
aggregate.
singleRealmInfo
into the
aggregateInfo
and then returns the aggregate.info
into the aggregate
argument and returns it (just as the
parent implementation does), but additionally ensures the following:
if the Throwable
argument is not null
, re-throws it to immediately cancel the
authentication process, since this strategy requires all realms to authenticate successfully.CacheManager
has been set and is available for use via the
getCacheManager()
method.applyCacheManagerToRealms()
to allow the
newly set CacheManager
to be propagated to the internal collection of Realm
that would need to use it.super.afterCacheManagerSet()
and then immediately calls
applyCacheManagerToSessionManager()
to ensure the
CacheManager
is applied to the SessionManager as necessary.CacheManager
instance being set on the realm instance via the
CachingRealm.setCacheManager(org.apache.shiro.cache.CacheManager)
mutator.EventBus
has been set and is available for use
via the getEventBus()
method.realms
to the internal delegate Authenticator
instance so
that it may use them during authentication attempts.super.afterRealmsSet()
and then sets these same Realm
objects on this
instance's wrapped Authorizer
.true
when matching credentials no matter what arguments
are passed in.implies
method always returns true.AnnotationHandler
who processes annotations of the
specified type.AnnotationMethodInterceptor
with the
AnnotationHandler
that will be used to process annotations of a
corresponding type.AnnotationMethodInterceptor
with the
AnnotationHandler
that will be used to process annotations of a
corresponding type, using the specified AnnotationResolver
to acquire annotations
at runtime.methodInterceptors
attribute to contain two interceptors by default - the
RoleAnnotationMethodInterceptor
and the
PermissionAnnotationMethodInterceptor
to
support role and permission annotations.CacheManager
on any internal configured
Realms
that implement the CacheManagerAware
interface.SessionManager
is injected with the newly set
CacheManager
so it may use it for its internal caching needs.SessionManager
is injected with the newly set
EventBus
so it may use it for its internal event needs.ModularRealmAuthorizer.getPermissionResolver()
on any internal configured
Realms
that implement the PermissionResolverAware
interface.ModularRealmAuthorizer.getRolePermissionResolver()
on any internal configured
Realms
that implement the RolePermissionResolverAware
interface.methodInterceptors
collection, and for each one,
ensures that if the interceptor
supports
the invocation, that the interceptor
asserts
that the invocation is authorized to proceed.Subject
is authenticated, and if not, throws an
UnauthenticatedException
indicating the method is not allowed to be executed.MethodInvocation
.Subject
is NOT a user, that is, they do not
have an identity
before continuing.Subject
has the Annotation's specified permissions, and if not, throws an
AuthorizingException
indicating access is denied.Subject
has the Annotation's specified roles, and if not, throws an
AuthorizingException
indicating that access is denied.Subject
is a user, that is, they are either
authenticated
or remembered via remember
me services before allowing access, and if not, throws an
AuthorizingException
indicating access is not allowed.AuthenticationToken
's credentials match the stored account
AuthenticationInfo
's credentials, and if not, throws an AuthenticationException
.Authorizer
implementation methods to ensure that the realms
has been set.Callable
instance matching the given argument while additionally ensuring that it will
retain and execute under this Subject's identity.Runnable
instance matching the given argument while additionally ensuring that it will
retain and execute under this Subject's identity.Runnable
with the currently executing subject
and then return the associated Runnable.Authenticator
interface that functions in the following manner:
Calls template doAuthenticate
method for subclass execution of the actual
authentication behavior.AuthenticationToken
.Authenticator
for authentication.Subject
being built will be considered
authenticated
.RequiresAuthentication
annotations and ensures the calling subject is
authenticated before allowing access.RequiresAuthentication
annotations.RequiresAuthenticated
annotation
is declared, and if so, ensures the calling
Subject
.RequiresAuthentication
annotations in a method
declaration.SecurityManager
class hierarchy that delegates all
authentication operations to a wrapped Authenticator
instance.authenticator
instance to a
ModularRealmAuthenticator
.AuthenticationInfo
represents a Subject's (aka user's) stored account information relevant to the
authentication/log-in process only.AuthenticationListener
listens for notifications while Subject
s authenticate with the system.AuthenticationStrategy
implementation assists the ModularRealmAuthenticator
during the
log-in process in a pluggable realm (PAM) environment.AuthorizationInfo
represents a single Subject's stored authorization data (roles, permissions, etc)
used during authorization (access control) checks only.AuthorizingAnnotationHandler
who processes annotations of the
specified type.handler
is set which will be used to perform the
authorization assertion checks when a supported annotation is encountered.AuthorizingRealm
extends the AuthenticatingRealm
's capabilities by adding Authorization
(access control) support.SecurityManager
class hierarchy that delegates all
authorization (access control) operations to a wrapped Authorizer
instance.ModularRealmAuthorizer
.
Environment env = new BasicIniEnvironment("classpath:shiro.ini");
SecurityManager securityManager = env.getSecurityManager();
AuthenticationToken
that contains an a Bearer token or API key, typically received via an HTTP Authorization
header.new SimpleAuthenticationInfo
();
, which supports
aggregating account data across realms.token
- called before any Realm
is actually invoked.null
immediately, relying on this class's merge
implementation to return
only the first info
object it encounters, ignoring all subsequent ones.aggregate
method argument, without modification.Realm
supports
the given
token
argument.SessionListener
s for notification
that the session has been invalidated (stopped or expired).save(subject)
.Subject
and SecurityManager
to the
ThreadContext
so they can be retrieved later by any
SecurityUtils.
Subject.Builder
instance, using the SecurityManager
instance available
to the calling code as determined by a call to SecurityUtils.getSecurityManager()
to build the Subject
instance.Subject.Builder
instance which will use the specified SecurityManager
when
building the Subject
instance.Subject
instance reflecting the cumulative state acquired by the
other methods in this class.sessionId
.sessionId
.Realm
interface that provides caching support for subclasses.cachingEnabled
(for general caching) to true
and sets a
default name
based on the class name.Permission.implies(Permission)
implies} the specified Permission.implies
the specified Permission
.implies
all of the
specified permission strings.implies
all of the
specified permission strings.implies
all of the
specified permission strings.implies
all of the
specified permission strings.AuthorizationException
if they do not.AuthorizationException
if they do not.AuthorizationException
if they do not.checkRoles(PrincipalCollection subjectPrincipal, Collection<String> roleIdentifiers)
but doesn't require a collection
as an argument.checkRole
for each role specified.AuthorizationException
if they do not.checkRoles(Collection roleIdentifiers)
but
doesn't require a collection as a an argument.InvalidSessionException
indicating that the session id is invalid.removes
the ThreadContext
state.ThreadContext
state.Map
used to construct the
Subject
instance.cipherService
is available, it will be used to first decrypt the byte array.AbstractSessionDAO.doCreate(org.apache.shiro.session.Session)
method, and then
asserting that the returned sessionId is not null.super.create(session)
, then caches the session keyed by the returned sessionId
, and then
returns this sessionId
.AuthenticationInfo
resulting from a Subject's successful LDAP authentication attempt.InitialLdapContext
instance.InitialLdapContext
instance.Realm
from the Ini instance containing account data.Session Session
instance based on the specified (possibly null
)
initialization data.Session
instance based on the specified contextual initialization data.SimpleSession
instance retaining the context's
host
if one can be found.Subject
instance for the user represented by the given method arguments.SubjectContext
is as populated as it can be, using heuristics to acquire
data that may not have already been available to it (such as a referenced session or remembered principals).Subject
instance reflecting the specified contextual data.cipherService
.30
minutes.JdbcRealm.saltStyle
is COLUMN.SecurityManager
instance may be acquired, equal to
securityManager
.AbstractValidatingSessionManager.setSessionValidationInterval(long)
AnnotationResolver
implementation that merely inspects the
MethodInvocation
's target method
,
and returns targetMethod
.Environment
implementation that stores Shiro objects as key-value pairs in a
Map
instance.ConcurrentHashMap
backing map.JndiLdapContextFactory
implementation. This implementation will be removed
prior to Shiro 2.0Realm
implementation utilizing Sun's/Oracle's
JNDI API as an LDAP API.LdapContextFactory
instance to a
JndiLdapContextFactory
.PasswordService
interface that relies on an internal
HashService
, HashFormat
, and HashFormatFactory
to function:
Hashing Passwords
Comparing Passwords
All hashing operations are performed by the internal hashService
.SecurityManager
interface,
based around a collection of Realm
s.realms
.SessionContext
interface which provides getters and setters that
wrap interaction with the underlying backing context map.SessionKey
interface, which allows setting and retrieval of a concrete
sessionId
that the SessionManager
implementation can use to look up a
Session
instance.ValidatingSessionManager
.SessionStorageEvaluator
that provides reasonable control over if and how Sessions may be used for
storing Subject state.SubjectContext
interface.SubjectDAO
implementation that stores Subject state in the Subject's Session by default (but this
can be disabled - see below).SubjectFactory
implementation that creates DelegatingSubject
instances.Session
.Subject
interface that delegates
method calls to an underlying SecurityManager
instance for security checks.DefaultSecurityManager.logout(org.apache.shiro.subject.Subject)
..Subject
instance.CachingSessionDAO.doDelete(org.apache.shiro.session.Session)
.session
.serializer
's
deserialize
method.cacheManager
via LifecycleUtils.destroy
.Subject
session
, but that Subject
's sessions are disabled.Realm
s.AuthenticatingRealm.clearCachedAuthenticationInfo(org.apache.shiro.subject.PrincipalCollection)
.super.doClearCache
to ensure any cached authentication data is removed and then calls
AuthorizingRealm.clearCachedAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection)
to remove any cached
authorization data.Subject
instance by delegating to the internal
subjectFactory
.true
always no matter what the method arguments are.true
if the provided token credentials match the stored account credentials,
false
otherwise.token
's credentials, potentially using a
salt
if the info
argument is a
SaltedAuthenticationInfo
.token
's credentials
(via getCredentials(token)
)
and then the account
's credentials
(via getCredentials(account)
) and then passes both of
them to the equals(tokenCredentials, accountCredentials)
method for equality
comparison.DefaultLdapRealm.queryForAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken, LdapContextFactory)
,
wrapping any NamingException
s in a Shiro AuthenticationException
to satisfy the parent method
signature.name
path
against the given pattern
.AuthenticationStrategy
object
as each realm is consulted for AuthenticationInfo
for the specified token
.null
if a
session with that ID could not be found.Session
's state to the underlying EIS.ScheduledExecutorService
to validate sessions at fixed intervals
and enables this scheduler.cipherService
.SecurityManager
instance in the context, and if not, adds 'this' to the
context.Environment
instance encapsulates all of the objects that Shiro requires to function.Environment
instances or configuration.true
if the tokenCredentials
argument is logically equal to the
accountCredentials
argument.true
if the specified object is also a SimpleAccount
and its
principals
are equal to this object's principals
, false
otherwise.true
if the Object argument is an instanceof SimpleAuthenticationInfo
and
its principals
are equal to this instance's principals, false
otherwise.Subject
and then
dispatches the associated Runnable to the underlying target Executor
instance.Callable
with this Subject
instance and then executes it on the
currently running thread.Runnable
with this Subject
instance and then executes it on the
currently running thread.Subject
executes a
Callable
.ScheduledExecutorService
to call ValidatingSessionManager.validateSessions()
every
interval
milliseconds.AuthenticationStrategy
implementation that only accepts the account data from
the first successfully consulted Realm and ignores all subsequent realms.Subject
instance.UUID
.Random
's nextLong()
invocation.Session
instance.session
instance.key
that is bound to
the current thread.CacheManager
.Annotation
instance of the specified type based on the given
MethodInvocation
argument, or null
if no annotation
of that type could be found.methodInvocation.
value
, from which the Permission will be constructed.Cache
instance to use for authentication caching, or null
if no cache has been
set.AuthenticationInfo
instances are cached if authentication caching is enabled.AuthenticationInfo
instances are cached if authentication caching is enabled.Cache
to lookup from any available cacheManager
if
a cache is not explicitly configured via AuthenticatingRealm.setAuthenticationCache(org.apache.shiro.cache.Cache)
.AuthenticationInfo
corresponding to the specified
AuthenticationToken
argument.AuthenticationListener
s that should be notified during authentication
attempts.AuthenticationStrategy
utilized by this modular authenticator during a multi-realm
log-in attempt.Authenticator
instance that this SecurityManager uses to perform all
authentication operations.principals
,
or null
if no account could be found.sessionId
or null
if there is
no session cached under that id (or if there is no Cache).activeSessionsCache
if
one is not configured.CipherService
to use for encrypting and decrypting serialized identity data to prevent easy
inspection of Subject identity data.account identity
.Hash
instance representing the already-hashed AuthenticationInfo credentials stored in the system.token
's credentials.account
's credentials.this.authcInfo.getCredentials
.password
char array.CredentialsMatcher
used during an authentication attempt to verify submitted
credentials with those stored in the system.null
if no salt was used.null
if no salt
was used or credentials were not hashed at all.null
if no salt was used or credentials were not
hashed at all.null
if none should be used.LdapContext
).EventBus
used by this SecurityManager and potentially any of its children components.AnnotationHandler
used to perform authorization behavior based on
an annotation discovered at runtime.Hash
algorithmName
to use
when performing hashes for credentials matching.AuthenticationToken
's credentials will be hashed before
comparing to the credentials stored in the system.Subject
is initiating the
Session
.null
if the host is unknown.Subject
's originating location.info
.Session
last interacted with the system.DefaultLdapContextFactory.getLdapContext(Object, Object)
method should be used in all cases to ensure more than
String principals and credentials can be used. Shiro no longer calls this method - it will be
removed before the 2.0 release.JndiLdapContextFactory.getLdapContext(Object, Object)
method should be used in all cases to ensure more than
String principals and credentials can be used. Shiro no longer calls this method - it will be
removed before the 2.0 release.LdapContextFactory.getLdapContext(Object, Object)
method should be used in all cases to ensure more than
String principals and credentials can be used.LdapContext
connection bound using the specified principal and
credentials.Method
to be invoked.Realm
.null
if
no object with that name was found.Permission
s assigned to the corresponding Subject.null
Subject
before assuming the current
runAs
identity, or null
if this Subject
is not operating under an assumed
identity (normal state).Realm
principals, or null
if there are
no principals yet.getUsername()
.null
if this
Subject is anonymous because it doesn't yet have any associated account data (for example,
if they haven't logged in).PrincipalCollection
or
null
if this Subject is anonymous because it doesn't yet have any associated account data (for example,
if they haven't logged in).Subject
should reflect.Authenticator
during an authentication attempt.Authorizer
which are consulted during an authorization check.Realm
s managed by this SecurityManager instance.JNDI name
and returns all
discovered Realms in an ordered collection.Realm
instances that will be used to construct
the application's SecurityManager instance.acquiring
the remembered serialized byte array.null
if there is no available data.AnnotationResolver
to use to acquire annotations from intercepted
methods at runtime.null
this.authzInfo.getRoles();
AuthenticationInfo
returned from the Realm
is a SaltedAuthenticationInfo
instance and its
getCredentialsSalt()
method returns a non-null value.
This method and the 1.0 behavior still exists for backwards compatibility if the Realm
does not return
SaltedAuthenticationInfo
instances, but it is highly recommended that Realm
implementations
that support hashed credentials start returning SaltedAuthenticationInfo
instances as soon as possible.
This is because salts should always be obtained from the stored account information and
never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for
attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user
are almost impossible to break. This method will be removed in Shiro 2.0.SecurityManager
instance accessible in the backing map using the
securityManagerName
property as the lookup key.SecurityManager
instance.Subject
instance or
null
if one has not yet been provided to this context.SecurityManager
instance in the backing map.Serializer
used to serialize and deserialize PrincipalCollection
instances for
persistent remember me storage.null
if no Session could be found.Session
associated with this Subject.Session
associated with this Subject.Session
to use when building the Subject
instance.SessionFactory
used to generate new Session
instances.Subject
instance.SessionIdGenerator
used by the AbstractSessionDAO.generateSessionId(org.apache.shiro.session.Session)
method.SessionManager
.SessionStorageEvaluator
that will determine if a Subject
's state may be persisted in
the Subject's session.Session
started (was created).Subject
associated with the currently-executing code.Subject
associated with the currently-executing code.Executor
instance.Subject
available to the calling code depending on
runtime environment.Subject
that may be in use at the time the new Subject
instance is
being created.Subject
instance managed by this ThreadState
implementation.Subject
instance, available to subclasses
since the context
class attribute is marked as private
.SubjectDAO
responsible for persisting Subject state, typically used after login or when an
Subject identity is discovered (eg after RememberMe services).SubjectFactory
responsible for creating Subject
instances exposed to the application.JndiLdapContextFactory.getLdapContext(Object, Object)
using the
systemUsername
and systemPassword
properties as
arguments.LdapContext
connection bound using the system account, or
anonymously if no system account is configured.systemUsername
that will be used when creating an
LDAP connection used for authorization queries.Session.getTimeout()
.get
operation but additionally ensures that the value returned is of the specified
type
.LdapContext
from the LdapContextFactory
.null
if no
userDnTemplate
has been configured.setUserDnTemplate
JavaDoc for a full explanation.System.getProperty("java.version")
.RequiresGuest
annotation
is declared, and if so, ensures the calling Subject
does not
have an identity
before invoking the method.RequiresGuest
annotations in a method
declaration.RequiresGuest
annotation
is declared, and if so, ensures the calling Subject
does not
have an identity
before invoking the method.RequiresGuest
annotations in a method
declaration.true
iff any of the configured realms'
ModularRealmAuthorizer.hasRole(org.apache.shiro.subject.PrincipalCollection, String)
call returns true
for
all roles specified, false
otherwise.true
if this Subject has all of the specified roles, false
otherwise.principals
are not null, returns principals.hashCode()
, otherwise
returns 0 (zero).principals
instance.HashedCredentialMatcher
provides support for hashing of supplied AuthenticationToken
credentials
before being compared to those in the AuthenticationInfo
from the data store.hashAlgorithmName
to hash submitted
credentials.HashingPasswordService
is a PasswordService
that performs password encryption and comparisons
based on cryptographic Hash
es.token
's credentials using the salt stored with the account if the
info
instance is an instanceof
SaltedAuthenticationInfo
(see
the class-level JavaDoc for why this is the preferred approach).hashIterations
times, using the given salt.true
if any of the configured realms'
ModularRealmAuthorizer.hasRole(org.apache.shiro.subject.PrincipalCollection, String)
call returns true
,
false
otherwise.true
if this Subject has the specified role, false
otherwise.ModularRealmAuthorizer.hasRole(org.apache.shiro.subject.PrincipalCollection, String)
for each role name in the specified
collection and places the return value from each call at the respective location in the returned array.Subject
being built will reflect the specified host name or IP as its originating
location.HostAuthenticationToken
retains the host information from where
an authentication attempt originates.Session
interface that proxies another Session
, but does not
allow any 'write' operations to the underlying session.Session
.true
if this current instance implies all the functionality and/or resource access
described by the specified Permission
argument, false
otherwise.Environment
mechanisms instead.Ini
argument.Ini
resolved from the specified
resourcePath
.Environment
mechanisms instead.PermissionResolver.resolvePermission(String)
when the String being parsed is not
valid for that resolver.MethodInvocation
, allowing implementations to perform pre/post/finally
surrounding the actual invocation.methodInvocation
is allowed to execute first before proceeding by calling the
assertAuthorized
method first.methodInvocation.
true
if this Subject/user proved their identity during their current session
by providing valid credentials matching those known to the system, false
otherwise.true
if the constructed Subject
should be considered authenticated, false
otherwise.true
if authentication caching should be utilized if a CacheManager
has been
configured
, false
otherwise.true
if authentication caching should be utilized based on the specified
AuthenticationToken
and/or AuthenticationInfo
, false
otherwise.true
if authorization caching should be utilized if a CacheManager
has been
configured
, false
otherwise.true
if sessions should be automatically deleted after they are discovered to be invalid,
false
if invalid sessions will be manually deleted by some process external to Shiro's control.true
if this collection is empty, false
otherwise.true
if this Scheduler is enabled and ready to begin validation at the appropriate time,
false
otherwise.AuthenticationInfo
returned from the Realm
is a SaltedAuthenticationInfo
instance and its
getCredentialsSalt()
method returns a non-null value.
This method and the 1.0 behavior still exists for backwards compatibility if the Realm
does not return
SaltedAuthenticationInfo
instances, but it is highly recommended that Realm
implementations
that support hashed credentials start returning SaltedAuthenticationInfo
instances as soon as possible.
This is because salts should always be obtained from the stored account information and
never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for
attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user
are almost impossible to break. This method will be removed in Shiro 2.0.true
if this Account is locked and thus cannot be used to login, false
otherwise.true
if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, String)
returns true
,
false
otherwise.true
if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, Permission)
call returns true
,
false
otherwise.true
if any of the configured realms'
ModularRealmAuthorizer.isPermittedAll(org.apache.shiro.subject.PrincipalCollection, String...)
call returns
true
, false
otherwise.true
if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, List)
call returns true
,
false
otherwise.true
if this Subject is permitted to perform an action or access a resource summarized by the
specified permission string.true
if this Subject is permitted to perform an action or access a resource summarized by the
specified permission.true
if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, String)
call returns true
for all of the specified string permissions, false
otherwise.true
if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, Permission)
call returns true
for all of the specified Permissions, false
otherwise.true
if this Subject implies all of the specified permission strings, false
otherwise.true
if this Subject implies all of the specified permissions, false
otherwise.true
if LDAP connection pooling should be used when acquiring a connection based on the specified
account principal, false
otherwise.true
if this Subject
has an identity (it is not anonymous) and the identity
(aka principals
) is remembered from a successful authentication during a previous
session.true
if the submitting user wishes their identity (principal(s)) to be remembered
across sessions, false
otherwise.true
if this Subject
is 'running as' another identity other than its original one or
false
otherwise (normal Subject
state).true
if the constructed Subject
should be allowed to create a session, false
otherwise.true
if this Subject is allowed to create sessions, false
otherwise.Session
(typically because an application developer
has called subject.getSession()
already), Shiro will use that existing session to store subject state.true
if any Subject's Session
may be used to persist that Subject
's state,
false
otherwise.true
if the specified Subject
's
session
may be used to persist that Subject's
state, false
otherwise.true
if the system's stored credential hash is Hex encoded, false
if it
is Base64 encoded.true
if the associated session is valid (it exists and is not stopped nor expired),
false
otherwise.SessionIdGenerator
that generates String values of JDK UUID
's as the session IDs.LdapContextFactory
implementation using the default Sun/Oracle JNDI Ldap API, utilizing JNDI
environment properties and an InitialContext
.environment template
with
the contextFactoryClassName
equal to
com.sun.jndi.ldap.LdapCtxFactory
(the Sun/Oracle default) and the default
referral
behavior to follow
.DefaultLdapRealm
, this class will be removed prior to 2.0jndiNames
.LdapContext
objects that are used by DefaultLdapRealm
s to
perform authentication attempts and query for authorization data.classpath:shiro.ini
file, or null
if
the file does not exist.AuthenticationToken
argument, and if successful, constructs a
Subject
instance representing the authenticated account's identity.authenticationToken
, returning an updated Subject
instance reflecting the authenticated state if successful or throwing AuthenticationException
if it is
not.Session
and authorization data.SecurityManager
instance in the backing map without performing any non-null guarantees.MapContext
provides a common base for context-based data storage in a Map
.true
if the given source
matches the specified pattern
,
false
otherwise.hashAlgorithmName
property.hashAlgorithmName
property.ConcurrentMap
.AuthenticationInfo
interface to be implemented by
classes that support merging with other AuthenticationInfo
instances.AuthenticationInfo
into this instance.info
argument into the aggregate
argument and then returns an
aggregate for continued use throughout the login process.aggregate
instance if is non null and valid (that is, has principals and they are
not empty) immediately, or, if it is null or not valid, the info
argument is returned instead.AuthenticationInfo
into this Account
.info
argument and adds its principals and credentials into this instance.Subject.getPrincipals()
with whatever may be in
any available session.ModularRealmAuthenticator
delegates account lookups to a pluggable (modular) collection of
Realm
s.enables
an
AtLeastOneSuccessfulStrategy
by default.Realm
s during an authorization operation.Realm
s to consult during an authorization check.PrincipalCollection
that allows modification.Native
session manager is one that manages sessions natively - that is, it is directly responsible
for the creation, persistence and removal of Session
instances and their
lifecycles.SubjectContext
instance to be used to populate with subject contextual data that
will then be sent to the SecurityManager
to create a new Subject
instance.DefaultSubjectFactory.createSubject(org.apache.shiro.subject.SubjectContext)
directly if you
need to instantiate a custom Subject
class.AuthenticationListener
s that
authentication failed for the
specified token
which resulted in the specified ae
exception.AuthenticationListener
s that a
Subject
has logged-out.SessionListener
s that a Session has started.AuthenticationListener
s that
authentication was successful for the specified token
which resulted in the specified
info
.value
argument is not null.null
if there are none
of the specified type.forgetting
any
previously remembered identity.Subject
has failed.notifyLogout
to allow any registered listeners
to react to the logout.Subject
logs-out of the system.Subject
logs out of the system.super.onLogout(principals)
to ensure a logout notification is issued, and for each
wrapped Realm
that implements the LogoutAware
interface, calls
((LogoutAware)realm).onLogout(principals)
to allow each realm the opportunity to perform
logout/cleanup operations during an user-logout.forgets
any previously stored identity and returns.Session.stop()
or automatically upon a subject logging out.Subject
has succeeded.forgetting
any previously
stored identity.SecurityUtils
and
ShiroException
.CredentialsMatcher
interface and its supporting implementations.Realm
s).Permission
interface.Executor
, ExecutorService
,
and ScheduledExecutorService
implementations for transparent
Subject
association with threads in an asynchronous execution environment.SecurityManager
interface and a default implementation
hierarchy for managing all aspects of Shiro's functionality in an application.Realm
interface.File
s or
text streams.SessionManager
components supporting enterprise session management.Subject
interface, the most important concept in
Shiro's API.org.apache.shiro.subject
interfaces.CredentialsMatcher
that employs best-practices comparisons for hashed text passwords.PasswordService
supports common use cases when using passwords as a credentials mechanism.true
if the submittedPlaintext
password matches the existing savedPasswordHash
,
false
otherwise.true
if the submittedPlaintext
password matches the existing saved
password,
false
otherwise.RequiresPermissions
annotation is
declared, and if so, performs a permission check to see if the calling Subject
is allowed continued
access.RequiresPermissions
annotations.RequiresPermissions
annotation is declared, and if so, performs
a permission check to see if the calling Subject
is allowed to call the method.RequiresPermissions
annotations in a method declaration.PermisisonResolver
resolves a String value and converts it into a
Permission
instance.Subject
.PrincipalMap
is map of all of a subject's principals - its identifying attributes like username, userId,
etc.Subject
being built will reflect the specified principals (aka identity).TextConfigurationRealm
that defers all logic to the parent class, but just enables
Properties
based configuration in addition to the parent class's String configuration.Session
implementation that immediately delegates all corresponding calls to an
underlying proxied session instance.target
.key
to the current thread.AuthenticationInfo
object by querying the active directory LDAP context for the
specified username.AuthenticationInfo
object by querying the LDAP context for the
specified username.discovered principal
and provided
credentials
.AuthorizationInfo
object by querying the active directory LDAP context for the
groups that a user is a member of.AuthorizationInfo
object by querying the LDAP context for the
specified principal.AuthorizationInfo
object by querying the LDAP context for the
specified principal.Random
instance to generate random IDs.AbstractSessionDAO.doReadSession(java.io.Serializable)
method.sessionId
.Realm
instances
in any manner desired.SecurityManager
class hierarchy based around a collection of
Realm
s.PatternMatcher
implementation that uses standard java.util.regex
objects.#runAs runAs
was called.converting
them to a byte
array and then remembers
that
byte array.AuthenticationToken
that indicates if the user wishes their identity to be remembered across sessions.AbstractRememberMeManager.getRememberedSerializedIdentity(SubjectContext)
method.key
from the current
thread.Remove
s the underlying ThreadLocal
from the thread.throws
an InvalidSessionException
in all
cases because this proxy is immutable.Session
under the given attributeKey
.key
name.Class
.Subject
to have all of the
specified roles.WildcardPermission
instance constructed based on the specified
permissionString.PrincipalCollection
) for the context using heuristics.SecurityManager
instance that should be used to back the constructed Subject
instance (typically used to support DelegatingSubject
implementations).Session
to ensure it may be referenced if necessary by the
invoked SubjectFactory
that performs actual Subject
construction.Remove
s all thread-state that was bound by this instance.bind
was invoked.RequiresRoles
annotation is declared, and if so, performs
a role check to see if the calling Subject
is allowed to proceed.RequiresRoles
annotations.RequiresRoles
annotation is declared, and if so, performs
a role check to see if the calling Subject
is allowed to invoke the method.RequiresRoles
annotations in a method declaration.Permission
instances.Bind
s the Subject thread state, executes the target Runnable
and then guarantees
the previous thread state's restoration
:
try {
threadState.session
only
if sessionStorageEnabled(subject)
.session
.SecurityManager
executes all security operations for all Subjects (aka users) across a
single application.Subject
for the calling code depending on runtime environment.principals
by serializing them to a byte array by using the
serializer
's serialize
method.Session
is a stateful data context associated with a single Subject (user, daemon process,
etc) who interacts with a software system over a period of time.Subject
being built will use the specified Session
instance.SessionContext
is a 'bucket' of data presented to a SessionFactory
which interprets
this data to construct Session
instances.Session
if one does not
already exist.Session
access to an
EIS (Enterprise Information System).Session
instances.SessionDAO
implementations.SessionKey
is a key that allows look-up of any particular Session
instance.Session
's life cycle.SessionListener
interface, effectively providing
no-op implementations of all methods.Session
s.SecurityManager
class hierarchy that delegates all
session
operations to a wrapped
SessionManager
instance.SessionManager
delegate
instance.Subject
's Session
to persist that Subject
's internal state.CacheManager
.throws
an InvalidSessionException
in all
cases because this proxy is immutable.value
to the associated session uniquely identified by the attributeKey
.value
to this session, uniquely identified by the specified
key
name.Subject
instance should be considered as authenticated.Cache
instance to use for authentication caching.Cache
to lookup from any available cacheManager
if
a cache is not explicitly configured via AuthenticatingRealm.setAuthenticationCache(org.apache.shiro.cache.Cache)
.CacheManager
has been
configured
, false
otherwise.AuthenticationListener
s that should be notified during authentication
attempts.AuthenticationStrategy
utilized during multi-realm log-in attempts.Authenticator
instance that this SecurityManager uses to perform all
authentication operations.CacheManager
has been
configured
, false
otherwise.SecurityManager
and potentially any of its
children components.activeSessionsCache
if
one is not configured.CacheManager
has been
configured
.CipherService
to use for encrypting and decrypting serialized identity data to prevent easy
inspection of Subject identity data.principals
, such as a password or private key.null
if no salt
is used or credentials are not hashed at all.null
if no salt was used or credentials were not
hashed at all.SecurityManager
and potentially any of its
children components.AnnotationHandler
used to perform authorization behavior based on
an annotation discovered at runtime.Hash
algorithmName
to use
when performing hashes for credentials matching.AuthenticationToken
's credentials will be hashed before comparing
to the credentials stored in the system.AuthenticationInfo
returned from the Realm
is a SaltedAuthenticationInfo
instance and its
getCredentialsSalt()
method returns a non-null value.
This method and the 1.0 behavior still exists for backwards compatibility if the Realm
does not return
SaltedAuthenticationInfo
instances, but it is highly recommended that Realm
implementations
that support hashed credentials start returning SaltedAuthenticationInfo
instances as soon as possible.
This is because salts should always be obtained from the stored account information and
never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for
attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user
are almost impossible to break. This method will be removed in Shiro 2.0.Subject
is initiating the
Session
.Subject
's originating location.Realm
.LdapContextFactory
implementation that is used to create LDAP connections for
authentication and authorization.WildcardPermission
.PermissionResolver
on all of the wrapped realms that
implement the PermissionResolverAware
interface.Subject
should reflect.LdapContextFactory
.RealmSecurityManager.setRealms(java.util.Collection<org.apache.shiro.realm.Realm>)
method.Authorizer
which are consulted during an authorization check.AnnotationResolver
to use to acquire annotations from intercepted
methods at runtime.RolePermissionResolver
on all of the wrapped realms that
implement the PermissionResolverAware
interface.LdapContextFactory
.getSubject()
implementation.Subject
instance
(typically used to support DelegatingSubject
implementations).SecurityManager
instance in the backing map.Serializer
used to serialize and deserialize PrincipalCollection
instances for
persistent remember me storage.Session
to use when building the Subject
instance.Subject
instance should be allowed to create a session,
false
otherwise.SessionFactory
used to generate new Session
instances.Subject
instance.SessionIdGenerator
used by the AbstractSessionDAO.generateSessionId(org.apache.shiro.session.Session)
method.SessionManager
instance that will be used to support this implementation's
SessionManager method calls.Session
may be used to persist that Subject
's state.SessionStorageEvaluator
that will determine if a Subject
's state may be persisted in
the Subject's session.setSessionValidationScheduler
method is
never called) , this method allows one to specify how
frequently session should be validated (to check for orphans).Subject
that may be in use at the time the new Subject
instance is
being created.SubjectDAO
responsible for persisting Subject state, typically used after login or when an
Subject identity is discovered (eg after RememberMe services).SubjectFactory
responsible for creating Subject
instances exposed to the application.LdapContextFactory
.systemUsername
that will be used when creating an
LDAP connection used for authorization queries.LdapContextFactory
.throws
an InvalidSessionException
in all
cases because this proxy is immutable.LdapContextFactory
.username = password, role1, role2,...
hashAlgorithmName
property.hashAlgorithmName
property.hashAlgorithmName
property.hashAlgorithmName
property.FirstSuccessfulStrategy
, with
stopAfterFirstSuccess
set.true
if the Ini contains account data and a Realm
should be implicitly
created
to reflect the account data, false
if no realm should be implicitly
created.Account
interface that
contains principal and credential and authorization information (roles and permissions) as instance variables and
exposes them via getters and setters using standard JavaBean notation.Realm
interface that
uses a set of configured user accounts and roles to support authentication and authorization.MergableAuthenticationInfo
interface that holds the principals and
credentials.AuthorizationInfo
interface that stores roles and permissions as internal
attributes.MutablePrincipalCollection
interface that tracks principals internally
by storing them in a LinkedHashMap
.PrincipalMap
interface.Session
JavaBeans-compatible POJO implementation, intended to be used on the
business/server tier.SessionFactory
implementation that generates SimpleSession
instances.0
if the collection is null
.0
if the map is null
.throws
an InvalidSessionException
in all
cases because this proxy is immutable.Subject
represents state and security operations for a single application user.Subject
instances in a simplified way without
requiring knowledge of Shiro's construction techniques.ExecutorService
implementation that will automatically first associate any argument
Runnable
or Callable
instances with the currently available subject
and then
dispatch the Subject-enabled runnable or callable to an underlying delegate
ExecutorService
instance.SubjectAwareExecutorService
but additionally supports the
ScheduledExecutorService
interface.SubjectContext
is a 'bucket' of data presented to a SecurityManager
which interprets
this data to construct Subject
instances.SubjectDAO
is responsible for persisting a Subject instance's internal state such that the Subject instance
can be recreated at a later time if necessary.SubjectFactory
is responsible for constructing Subject
instances as needed.SubjectRunnable
ensures that a target/delegate Runnable
will execute such that any
call to SecurityUtils.
SubjectRunnable
that, when executed, will execute the target delegate
, but
guarantees that it will run associated with the specified Subject
.SubjectRunnable
that, when executed, will perform thread state
binding
and guaranteed restoration
before and after the
Runnable
's execution, respectively.Subject
access (supporting
SecurityUtils.
SubjectThreadState
that will bind and unbind the specified Subject
to the
threadtrue
if this interceptor supports, that is, should inspect, the specified
MethodInvocation
, false
otherwise.AuthenticationToken
instance, false otherwise.ThreadState
instance manages any state that might need to be bound and/or restored during a thread's
execution.InvalidSessionException
indicating that this proxy is immutable.principals
.toString() if they are not null, otherwise prints out the string
"empty"principals
.toString()
getClass().getName() + ",id=" + getId()
.throws
an InvalidSessionException
in all
cases because this proxy is immutable.sessionId
.lastAccessTime
of this session to the current time when
this method is invoked.SecurityManager
instance, but Shiro's
lookup heuristics cannot find one.DefaultSecurityManager.delete(org.apache.shiro.subject.Subject)
AuthenticationToken
implementation is encountered that is not
supported by one or more configured Realm
s.CachingSessionDAO.doUpdate(org.apache.shiro.session.Session)
.{@link Session#getId() session.getId()}
.RequiresUser
annotation
is declared, and if so, ensures the calling Subject
is either
authenticated
or remembered via remember
me services before allowing access.RequiresUser
annotations.RequiresUser
annotation
is declared, and if so, ensures the calling Subject
is either
authenticated
or remembered via remember
me services before invoking the method.RequiresUser
annotations in a method
declaration.host
and a
rememberMe default of false.host
and
a rememberMe default of false
This is a convenience constructor and maintains the password internally via a character
array, i.e.environment
settings and throws an exception if a problem
exists.ValidatingSession
is a Session
that is capable of determining it is valid or not and
is able to validate itself if necessary.WildcardPermission
is a very flexible permission construct supporting multiple levels of
permission matching.WildcardPermission
based on the input string.Copyright © 2004–2020 The Apache Software Foundation. All rights reserved.