org.apache.shiro.session.mgt
Class AbstractValidatingSessionManager

java.lang.Object
  extended by org.apache.shiro.session.mgt.AbstractSessionManager
      extended by org.apache.shiro.session.mgt.AbstractNativeSessionManager
          extended by org.apache.shiro.session.mgt.AbstractValidatingSessionManager
All Implemented Interfaces:
NativeSessionManager, SessionManager, ValidatingSessionManager, Destroyable
Direct Known Subclasses:
DefaultSessionManager

public abstract class AbstractValidatingSessionManager
extends AbstractNativeSessionManager
implements ValidatingSessionManager, Destroyable

Default business-tier implementation of the ValidatingSessionManager interface.

Since:
0.1

Field Summary
static long DEFAULT_SESSION_VALIDATION_INTERVAL
          The default interval at which sessions will be validated (1 hour); This can be overridden by calling setSessionValidationInterval(long)
protected  long sessionValidationInterval
           
protected  SessionValidationScheduler sessionValidationScheduler
          Scheduler used to validate sessions on a regular basis.
protected  boolean sessionValidationSchedulerEnabled
           
 
Fields inherited from class org.apache.shiro.session.mgt.AbstractSessionManager
DEFAULT_GLOBAL_SESSION_TIMEOUT, MILLIS_PER_HOUR, MILLIS_PER_MINUTE, MILLIS_PER_SECOND
 
Constructor Summary
AbstractValidatingSessionManager()
           
 
Method Summary
protected  void afterExpired(Session session)
           
protected  void afterSessionValidationEnabled()
           
protected  void beforeSessionValidationDisabled()
           
protected  Session createSession(SessionContext context)
          Creates a new Session Session instance based on the specified (possibly null) initialization data.
protected  SessionValidationScheduler createSessionValidationScheduler()
           
 void destroy()
          Called when this object is being destroyed, allowing any necessary cleanup of internal resources.
protected  void disableSessionValidation()
           
protected abstract  Session doCreateSession(SessionContext initData)
           
protected  Session doGetSession(SessionKey key)
           
protected  void doValidate(Session session)
           
protected  void enableSessionValidation()
           
protected abstract  Collection<Session> getActiveSessions()
           
 long getSessionValidationInterval()
           
 SessionValidationScheduler getSessionValidationScheduler()
           
protected  long getTimeout(Session session)
          Subclass template hook in case per-session timeout is not based on Session.getTimeout().
 boolean isSessionValidationSchedulerEnabled()
           
protected  void onExpiration(Session session)
           
protected  void onExpiration(Session s, ExpiredSessionException ese, SessionKey key)
           
protected  void onInvalidation(Session s, InvalidSessionException ise, SessionKey key)
           
protected abstract  Session retrieveSession(SessionKey key)
          Looks up a session from the underlying data store based on the specified session key.
 void setSessionValidationInterval(long sessionValidationInterval)
          If using the underlying default SessionValidationScheduler (that is, the setSessionValidationScheduler method is never called) , this method allows one to specify how frequently session should be validated (to check for orphans).
 void setSessionValidationScheduler(SessionValidationScheduler sessionValidationScheduler)
           
 void setSessionValidationSchedulerEnabled(boolean sessionValidationSchedulerEnabled)
           
protected  void validate(Session session, SessionKey key)
           
 void validateSessions()
          Performs session validation for all open/active sessions in the system (those that have not been stopped or expired), and validates each one.
 
Methods inherited from class org.apache.shiro.session.mgt.AbstractNativeSessionManager
afterStopped, applyGlobalSessionTimeout, beforeInvalidNotification, checkValid, createExposedSession, createExposedSession, getAttribute, getAttributeKeys, getHost, getLastAccessTime, getSession, getSessionListeners, getStartTimestamp, getTimeout, isValid, notifyExpiration, notifyStart, notifyStop, onChange, onStart, onStop, onStop, removeAttribute, setAttribute, setSessionListeners, setTimeout, start, stop, touch
 
Methods inherited from class org.apache.shiro.session.mgt.AbstractSessionManager
getGlobalSessionTimeout, setGlobalSessionTimeout
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface org.apache.shiro.session.mgt.SessionManager
getSession, start
 

Field Detail

DEFAULT_SESSION_VALIDATION_INTERVAL

public static final long DEFAULT_SESSION_VALIDATION_INTERVAL
The default interval at which sessions will be validated (1 hour); This can be overridden by calling setSessionValidationInterval(long)

See Also:
Constant Field Values

sessionValidationSchedulerEnabled

protected boolean sessionValidationSchedulerEnabled

sessionValidationScheduler

protected SessionValidationScheduler sessionValidationScheduler
Scheduler used to validate sessions on a regular basis.


sessionValidationInterval

protected long sessionValidationInterval
Constructor Detail

AbstractValidatingSessionManager

public AbstractValidatingSessionManager()
Method Detail

isSessionValidationSchedulerEnabled

public boolean isSessionValidationSchedulerEnabled()

setSessionValidationSchedulerEnabled

public void setSessionValidationSchedulerEnabled(boolean sessionValidationSchedulerEnabled)

setSessionValidationScheduler

public void setSessionValidationScheduler(SessionValidationScheduler sessionValidationScheduler)

getSessionValidationScheduler

public SessionValidationScheduler getSessionValidationScheduler()

setSessionValidationInterval

public void setSessionValidationInterval(long sessionValidationInterval)
If using the underlying default SessionValidationScheduler (that is, the setSessionValidationScheduler method is never called) , this method allows one to specify how frequently session should be validated (to check for orphans). The default value is DEFAULT_SESSION_VALIDATION_INTERVAL.

If you override the default scheduler, it is assumed that overriding instance 'knows' how often to validate sessions, and this attribute will be ignored.

Unless this method is called, the default value is DEFAULT_SESSION_VALIDATION_INTERVAL.

Parameters:
sessionValidationInterval - the time in milliseconds between checking for valid sessions to reap orphans.

getSessionValidationInterval

public long getSessionValidationInterval()

doGetSession

protected final Session doGetSession(SessionKey key)
                              throws InvalidSessionException
Specified by:
doGetSession in class AbstractNativeSessionManager
Throws:
InvalidSessionException

retrieveSession

protected abstract Session retrieveSession(SessionKey key)
                                    throws UnknownSessionException
Looks up a session from the underlying data store based on the specified session key.

Parameters:
key - the session key to use to look up the target session.
Returns:
the session identified by sessionId.
Throws:
UnknownSessionException - if there is no session identified by sessionId.

createSession

protected Session createSession(SessionContext context)
                         throws AuthorizationException
Description copied from class: AbstractNativeSessionManager
Creates a new Session Session instance based on the specified (possibly null) initialization data. Implementing classes must manage the persistent state of the returned session such that it could later be acquired via the AbstractNativeSessionManager.getSession(SessionKey) method.

Specified by:
createSession in class AbstractNativeSessionManager
Parameters:
context - the initialization data that can be used by the implementation or underlying SessionFactory when instantiating the internal Session instance.
Returns:
the new Session instance.
Throws:
HostUnauthorizedException - if the system access control policy restricts access based on client location/IP and the specified hostAddress hasn't been enabled.
AuthorizationException - if the system access control policy does not allow the currently executing caller to start sessions.

doCreateSession

protected abstract Session doCreateSession(SessionContext initData)
                                    throws AuthorizationException
Throws:
AuthorizationException

validate

protected void validate(Session session,
                        SessionKey key)
                 throws InvalidSessionException
Throws:
InvalidSessionException

onExpiration

protected void onExpiration(Session s,
                            ExpiredSessionException ese,
                            SessionKey key)

onExpiration

protected void onExpiration(Session session)

afterExpired

protected void afterExpired(Session session)

onInvalidation

protected void onInvalidation(Session s,
                              InvalidSessionException ise,
                              SessionKey key)

doValidate

protected void doValidate(Session session)
                   throws InvalidSessionException
Throws:
InvalidSessionException

getTimeout

protected long getTimeout(Session session)
Subclass template hook in case per-session timeout is not based on Session.getTimeout().

This implementation merely returns Session.getTimeout()

Parameters:
session - the session for which to determine session timeout.
Returns:
the time in milliseconds the specified session may remain idle before expiring.

createSessionValidationScheduler

protected SessionValidationScheduler createSessionValidationScheduler()

enableSessionValidation

protected void enableSessionValidation()

afterSessionValidationEnabled

protected void afterSessionValidationEnabled()

disableSessionValidation

protected void disableSessionValidation()

beforeSessionValidationDisabled

protected void beforeSessionValidationDisabled()

destroy

public void destroy()
Description copied from interface: Destroyable
Called when this object is being destroyed, allowing any necessary cleanup of internal resources.

Specified by:
destroy in interface Destroyable

validateSessions

public void validateSessions()
Description copied from interface: ValidatingSessionManager
Performs session validation for all open/active sessions in the system (those that have not been stopped or expired), and validates each one. If a session is found to be invalid (e.g. it has expired), it is updated and saved to the EIS.

This method is necessary in order to handle orphaned sessions and is expected to be run at a regular interval, such as once an hour, once a day or once a week, etc. The "best" frequency to run this method is entirely dependent upon the application and would be based on factors such as performance, average number of active users, hours of least activity, and other things.

Most enterprise applications use a request/response programming model. This is obvious in the case of web applications due to the HTTP protocol, but it is equally true of remote client applications making remote method invocations. The server essentially sits idle and only "works" when responding to client requests and/or method invocations. This type of model is particularly efficent since it means the security system only has to validate a session during those cases. Such "lazy" behavior enables the system to lie stateless and/or idle and only incur overhead for session validation when necessary.

However, if a client forgets to log-out, or in the event of a server failure, it is possible for sessions to be orphaned since no further requests would utilize that session. Because of these lower-probability cases, it might be required to regularly clean-up the sessions maintained by the system, especially if sessions are backed by a persistent data store.

Even in applications that aren't primarily based on a request/response model, such as those that use enterprise asynchronous messaging (where data is pushed to a client without first receiving a client request), it is almost always acceptable to utilize this lazy approach and run this method at defined interval.

Systems that want to proactively validate individual sessions may simply call the getSession(SessionKey) method on any ValidatingSessionManager instance as that method is expected to validate the session before retrieving it. Note that even with proactive calls to getSession, this validateSessions() method should be invoked regularly anyway to guarantee no orphans exist.

Note: Shiro supports automatic execution of this method at a regular interval by using SessionValidationSchedulers. The Shiro default SecurityManager implementations needing session validation will create and use one by default if one is not provided by the application configuration.

Specified by:
validateSessions in interface ValidatingSessionManager
See Also:
ValidatingSessionManager.validateSessions()

getActiveSessions

protected abstract Collection<Session> getActiveSessions()


Copyright © 2004-2014 The Apache Software Foundation. All Rights Reserved.