org.apache.shiro.mgt
Class DefaultSubjectDAO

java.lang.Object
  extended by org.apache.shiro.mgt.DefaultSubjectDAO
All Implemented Interfaces:
SubjectDAO

public class DefaultSubjectDAO
extends Object
implements SubjectDAO

Default SubjectDAO implementation that stores Subject state in the Subject's Session by default (but this can be disabled - see below). The Subject instance can be re-created at a later time by first acquiring the associated Session (typically from a SessionManager) via a session ID or session key and then building a Subject instance from Session attributes.

Controlling how Sessions are used

Whether or not a Subject's Session is used or not to persist its own state is controlled on a per-Subject basis as determined by the configured sessionStorageEvaluator. The default Evaluator is a DefaultSessionStorageEvaluator, which supports enabling or disabling session usage for Subject persistence at a global level for all subjects (and defaults to allowing sessions to be used).

Disabling Session Persistence Entirely

Because the default SessionStorageEvaluator instance is a DefaultSessionStorageEvaluator, you can disable Session usage for Subject state entirely by configuring that instance directly, e.g.:
     ((DefaultSessionStorageEvaluator)sessionDAO.getSessionStorageEvaluator()).setSessionStorageEnabled(false);
 
or, for example, in shiro.ini:
     securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false
 
but note: ONLY do this your application is 100% stateless and you DO NOT need subjects to be remembered across remote invocations, or in a web environment across HTTP requests.

Supporting Both Stateful and Stateless Subject paradigms

Perhaps your application needs to support a hybrid approach of both stateful and stateless Subjects: To support the hybrid per-Subject approach, you will need to create your own implementation of the SessionStorageEvaluator interface and configure it via the setSessionStorageEvaluator(SessionStorageEvaluator) method, or, with shiro.ini:
     myEvaluator = com.my.CustomSessionStorageEvaluator
     securityManager.subjectDAO.sessionStorageEvaluator = $myEvaluator
 

Unless overridden, the default evaluator is a DefaultSessionStorageEvaluator, which enables session usage for Subject state by default.

Since:
1.2
See Also:
isSessionStorageEnabled(org.apache.shiro.subject.Subject), SessionStorageEvaluator, DefaultSessionStorageEvaluator

Constructor Summary
DefaultSubjectDAO()
           
 
Method Summary
 void delete(Subject subject)
          Removes any existing subject state from the subject's session (if the session exists).
 SessionStorageEvaluator getSessionStorageEvaluator()
          Returns the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session.
protected  boolean isSessionStorageEnabled(Subject subject)
          Determines if the subject's session will be used to persist subject state or not.
protected  void mergeAuthenticationState(Subject subject)
          Merges the Subject's current authentication state with whatever may be in any available session.
protected  void mergePrincipals(Subject subject)
          Merges the Subject's current Subject.getPrincipals() with whatever may be in any available session.
protected  void removeFromSession(Subject subject)
          Removes any existing subject state from the Subject's session (if the session exists).
 Subject save(Subject subject)
          Saves the subject's state to the subject's session only if sessionStorageEnabled(subject).
protected  void saveToSession(Subject subject)
          Saves the subject's state (it's principals and authentication state) to its session.
 void setSessionStorageEvaluator(SessionStorageEvaluator sessionStorageEvaluator)
          Sets the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

DefaultSubjectDAO

public DefaultSubjectDAO()
Method Detail

isSessionStorageEnabled

protected boolean isSessionStorageEnabled(Subject subject)
Determines if the subject's session will be used to persist subject state or not. This implementation merely delegates to the internal SessionStorageEvaluator (a DefaultSessionStorageEvaluator by default).

Parameters:
subject - the subject to inspect to determine if the subject's session will be used to persist subject state or not.
Returns:
true if the subject's session will be used to persist subject state, false otherwise.
See Also:
setSessionStorageEvaluator(SessionStorageEvaluator), DefaultSessionStorageEvaluator

getSessionStorageEvaluator

public SessionStorageEvaluator getSessionStorageEvaluator()
Returns the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session. The default instance is a DefaultSessionStorageEvaluator.

Returns:
the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session.
See Also:
DefaultSessionStorageEvaluator

setSessionStorageEvaluator

public void setSessionStorageEvaluator(SessionStorageEvaluator sessionStorageEvaluator)
Sets the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session. The default instance is a DefaultSessionStorageEvaluator.

Parameters:
sessionStorageEvaluator - the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session.
See Also:
DefaultSessionStorageEvaluator

save

public Subject save(Subject subject)
Saves the subject's state to the subject's session only if sessionStorageEnabled(subject). If session storage is not enabled for the specific Subject, this method does nothing.

In either case, the argument Subject is returned directly (a new Subject instance is not created).

Specified by:
save in interface SubjectDAO
Parameters:
subject - the Subject instance for which its state will be created or updated.
Returns:
the same Subject passed in (a new Subject instance is not created).

saveToSession

protected void saveToSession(Subject subject)
Saves the subject's state (it's principals and authentication state) to its session. The session can be retrieved at a later time (typically from a SessionManager to be used to recreate the Subject instance.

Parameters:
subject - the subject for which state will be persisted to its session.

mergePrincipals

protected void mergePrincipals(Subject subject)
Merges the Subject's current Subject.getPrincipals() with whatever may be in any available session. Only updates the Subject's session if the session does not match the current principals state.

Parameters:
subject - the Subject for which principals will potentially be merged into the Subject's session.

mergeAuthenticationState

protected void mergeAuthenticationState(Subject subject)
Merges the Subject's current authentication state with whatever may be in any available session. Only updates the Subject's session if the session does not match the current authentication state.

Parameters:
subject - the Subject for which principals will potentially be merged into the Subject's session.

removeFromSession

protected void removeFromSession(Subject subject)
Removes any existing subject state from the Subject's session (if the session exists). If the session does not exist, this method does not do anything.

Parameters:
subject - the subject for which any existing subject state will be removed from its session.

delete

public void delete(Subject subject)
Removes any existing subject state from the subject's session (if the session exists).

Specified by:
delete in interface SubjectDAO
Parameters:
subject - the Subject instance for which any persistent state should be deleted.


Copyright © 2004-2014 The Apache Software Foundation. All Rights Reserved.