001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 */ 019package org.apache.shiro; 020 021import org.apache.shiro.mgt.SecurityManager; 022import org.apache.shiro.subject.Subject; 023import org.apache.shiro.util.ThreadContext; 024 025 026/** 027 * Accesses the currently accessible {@code Subject} for the calling code depending on runtime environment. 028 * 029 * @since 0.2 030 */ 031public abstract class SecurityUtils { 032 033 /** 034 * ONLY used as a 'backup' in VM Singleton environments (that is, standalone environments), since the 035 * ThreadContext should always be the primary source for Subject instances when possible. 036 */ 037 private static volatile SecurityManager securityManager; 038 039 /** 040 * Returns the currently accessible {@code Subject} available to the calling code depending on 041 * runtime environment. 042 * <p/> 043 * This method is provided as a way of obtaining a {@code Subject} without having to resort to 044 * implementation-specific methods. It also allows the Shiro team to change the underlying implementation of 045 * this method in the future depending on requirements/updates without affecting your code that uses it. 046 * 047 * @return the currently accessible {@code Subject} accessible to the calling code. 048 * @throws IllegalStateException if no {@link Subject Subject} instance or 049 * {@link SecurityManager SecurityManager} instance is available with which to obtain 050 * a {@code Subject}, which which is considered an invalid application configuration 051 * - a Subject should <em>always</em> be available to the caller. 052 */ 053 public static Subject getSubject() { 054 Subject subject = ThreadContext.getSubject(); 055 if (subject == null) { 056 subject = (new Subject.Builder()).buildSubject(); 057 ThreadContext.bind(subject); 058 } 059 return subject; 060 } 061 062 /** 063 * Sets a VM (static) singleton SecurityManager, specifically for transparent use in the 064 * {@link #getSubject() getSubject()} implementation. 065 * <p/> 066 * <b>This method call exists mainly for framework development support. Application developers should rarely, 067 * if ever, need to call this method.</b> 068 * <p/> 069 * The Shiro development team prefers that SecurityManager instances are non-static application singletons 070 * and <em>not</em> VM static singletons. Application singletons that do not use static memory require some sort 071 * of application configuration framework to maintain the application-wide SecurityManager instance for you 072 * (for example, Spring or EJB3 environments) such that the object reference does not need to be static. 073 * <p/> 074 * In these environments, Shiro acquires Subject data based on the currently executing Thread via its own 075 * framework integration code, and this is the preferred way to use Shiro. 076 * <p/> 077 * However in some environments, such as a standalone desktop application or Applets that do not use Spring or 078 * EJB or similar config frameworks, a VM-singleton might make more sense (although the former is still preferred). 079 * In these environments, setting the SecurityManager via this method will automatically enable the 080 * {@link #getSubject() getSubject()} call to function with little configuration. 081 * <p/> 082 * For example, in these environments, this will work: 083 * <pre> 084 * DefaultSecurityManager securityManager = new {@link org.apache.shiro.mgt.DefaultSecurityManager DefaultSecurityManager}(); 085 * securityManager.setRealms( ... ); //one or more Realms 086 * <b>SecurityUtils.setSecurityManager( securityManager );</b></pre> 087 * <p/> 088 * And then anywhere in the application code, the following call will return the application's Subject: 089 * <pre> 090 * Subject currentUser = SecurityUtils.getSubject();</pre> 091 * 092 * @param securityManager the securityManager instance to set as a VM static singleton. 093 */ 094 public static void setSecurityManager(SecurityManager securityManager) { 095 SecurityUtils.securityManager = securityManager; 096 } 097 098 /** 099 * Returns the SecurityManager accessible to the calling code. 100 * <p/> 101 * This implementation favors acquiring a thread-bound {@code SecurityManager} if it can find one. If one is 102 * not available to the executing thread, it will attempt to use the static singleton if available (see the 103 * {@link #setSecurityManager setSecurityManager} method for more on the static singleton). 104 * <p/> 105 * If neither the thread-local or static singleton instances are available, this method throws an 106 * {@code UnavailableSecurityManagerException} to indicate an error - a SecurityManager should always be accessible 107 * to calling code in an application. If it is not, it is likely due to a Shiro configuration problem. 108 * 109 * @return the SecurityManager accessible to the calling code. 110 * @throws UnavailableSecurityManagerException 111 * if there is no {@code SecurityManager} instance available to the 112 * calling code, which typically indicates an invalid application configuration. 113 */ 114 public static SecurityManager getSecurityManager() throws UnavailableSecurityManagerException { 115 SecurityManager securityManager = ThreadContext.getSecurityManager(); 116 if (securityManager == null) { 117 securityManager = SecurityUtils.securityManager; 118 } 119 if (securityManager == null) { 120 String msg = "No SecurityManager accessible to the calling code, either bound to the " + 121 ThreadContext.class.getName() + " or as a vm static singleton. This is an invalid application " + 122 "configuration."; 123 throw new UnavailableSecurityManagerException(msg); 124 } 125 return securityManager; 126 } 127}