001    /*
002     * Licensed to the Apache Software Foundation (ASF) under one
003     * or more contributor license agreements.  See the NOTICE file
004     * distributed with this work for additional information
005     * regarding copyright ownership.  The ASF licenses this file
006     * to you under the Apache License, Version 2.0 (the
007     * "License"); you may not use this file except in compliance
008     * with the License.  You may obtain a copy of the License at
009     *
010     *     http://www.apache.org/licenses/LICENSE-2.0
011     *
012     * Unless required by applicable law or agreed to in writing,
013     * software distributed under the License is distributed on an
014     * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015     * KIND, either express or implied.  See the License for the
016     * specific language governing permissions and limitations
017     * under the License.
018     */
019    package org.apache.shiro.web.mgt;
020    
021    import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
022    import org.apache.shiro.session.mgt.NativeSessionManager;
023    import org.apache.shiro.session.mgt.SessionManager;
024    import org.apache.shiro.subject.Subject;
025    import org.apache.shiro.web.subject.WebSubject;
026    import org.apache.shiro.web.util.WebUtils;
027    
028    /**
029     * A web-specific {@code SessionStorageEvaluator} that performs the same logic as the parent class
030     * {@link DefaultSessionStorageEvaluator} but additionally checks for a request-specific flag that may enable or
031     * disable session access.
032     * <p/>
033     * This implementation usually works in conjunction with the
034     * {@link org.apache.shiro.web.filter.session.NoSessionCreationFilter}:  If the {@code NoSessionCreationFilter}
035     * is configured in a filter chain, that filter will set a specific
036     * {@code ServletRequest} {@link javax.servlet.ServletRequest#setAttribute attribute} indicating that session creation
037     * should be disabled.
038     * <p/>
039     * This {@code DefaultWebSessionStorageEvaluator} will then inspect this attribute, and if it has been set, will return
040     * {@code false} from {@link #isSessionStorageEnabled(org.apache.shiro.subject.Subject)} method, thereby preventing
041     * Shiro from creating a session for the purpose of storing subject state.
042     * <p/>
043     * If the request attribute has
044     * not been set (i.e. the {@code NoSessionCreationFilter} is not configured or has been disabled), this class does
045     * nothing and delegates to the parent class for existing behavior.
046     *
047     * @since 1.2
048     */
049    public class DefaultWebSessionStorageEvaluator extends DefaultSessionStorageEvaluator {
050    
051        //since 1.2.1
052        private SessionManager sessionManager;
053    
054        /**
055         * Sets the session manager to use when checking to see if session storage is possible.
056         * @param sessionManager the session manager instance for checking.
057         * @since 1.2.1
058         */
059        //package protected on purpose to maintain point-version compatibility: (1.2.3 -> 1.2.1 should work always).
060        void setSessionManager(SessionManager sessionManager) {
061            this.sessionManager = sessionManager;
062        }
063    
064        /**
065         * Returns {@code true} if session storage is generally available (as determined by the super class's global
066         * configuration property {@link #isSessionStorageEnabled()} and no request-specific override has turned off
067         * session storage, {@code false} otherwise.
068         * <p/>
069         * This means session storage is disabled if the {@link #isSessionStorageEnabled()} property is {@code false} or if
070         * a request attribute is discovered that turns off session storage for the current request.
071         *
072         * @param subject the {@code Subject} for which session state persistence may be enabled
073         * @return {@code true} if session storage is generally available (as determined by the super class's global
074         *         configuration property {@link #isSessionStorageEnabled()} and no request-specific override has turned off
075         *         session storage, {@code false} otherwise.
076         */
077        @SuppressWarnings({"SimplifiableIfStatement"})
078        @Override
079        public boolean isSessionStorageEnabled(Subject subject) {
080            if (subject.getSession(false) != null) {
081                //use what already exists
082                return true;
083            }
084    
085            if (!isSessionStorageEnabled()) {
086                //honor global setting:
087                return false;
088            }
089    
090            //SHIRO-350: non-web subject instances can't be saved to web-only session managers:
091            //since 1.2.1:
092            if (!(subject instanceof WebSubject) && (this.sessionManager != null && !(this.sessionManager instanceof NativeSessionManager))) {
093                return false;
094            }
095    
096            return WebUtils._isSessionCreationEnabled(subject);
097        }
098    
099    
100    }