001    /*
002     * Licensed to the Apache Software Foundation (ASF) under one
003     * or more contributor license agreements.  See the NOTICE file
004     * distributed with this work for additional information
005     * regarding copyright ownership.  The ASF licenses this file
006     * to you under the Apache License, Version 2.0 (the
007     * "License"); you may not use this file except in compliance
008     * with the License.  You may obtain a copy of the License at
009     *
010     *     http://www.apache.org/licenses/LICENSE-2.0
011     *
012     * Unless required by applicable law or agreed to in writing,
013     * software distributed under the License is distributed on an
014     * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015     * KIND, either express or implied.  See the License for the
016     * specific language governing permissions and limitations
017     * under the License.
018     */
019    package org.apache.shiro.session.mgt;
020    
021    /**
022     * A ValidatingSessionManager is a SessionManager that can proactively validate any or all sessions
023     * that may be expired.
024     *
025     * @since 0.1
026     */
027    public interface ValidatingSessionManager extends SessionManager {
028    
029        /**
030         * Performs session validation for all open/active sessions in the system (those that
031         * have not been stopped or expired), and validates each one.  If a session is
032         * found to be invalid (e.g. it has expired), it is updated and saved to the EIS.
033         * <p/>
034         * This method is necessary in order to handle orphaned sessions and is expected to be run at
035         * a regular interval, such as once an hour, once a day or once a week, etc.
036         * The &quot;best&quot; frequency to run this method is entirely dependent upon the application
037         * and would be based on factors such as performance, average number of active users, hours of
038         * least activity, and other things.
039         * <p/>
040         * Most enterprise applications use a request/response programming model.
041         * This is obvious in the case of web applications due to the HTTP protocol, but it is
042         * equally true of remote client applications making remote method invocations.  The server
043         * essentially sits idle and only &quot;works&quot; when responding to client requests and/or
044         * method invocations.  This type of model is particularly efficent since it means the
045         * security system only has to validate a session during those cases.  Such
046         * &quot;lazy&quot; behavior enables the system to lie stateless and/or idle and only incur
047         * overhead for session validation when necessary.
048         * <p/>
049         * However, if a client forgets to log-out, or in the event of a server failure, it is
050         * possible for sessions to be orphaned since no further requests would utilize that session.
051         * Because of these lower-probability cases, it might be required to regularly clean-up the sessions
052         * maintained by the system, especially if sessions are backed by a persistent data store.
053         * <p/>
054         * Even in applications that aren't primarily based on a request/response model,
055         * such as those that use enterprise asynchronous messaging (where data is pushed to
056         * a client without first receiving a client request), it is almost always acceptable to
057         * utilize this lazy approach and run this method at defined interval.
058         * <p/>
059         * Systems that want to proactively validate individual sessions may simply call the
060         * {@link #getSession(SessionKey) getSession(SessionKey)} method on any
061         * {@code ValidatingSessionManager} instance as that method is expected to
062         * validate the session before retrieving it.  Note that even with proactive calls to {@code getSession},
063         * this {@code validateSessions()} method should be invoked regularly anyway to <em>guarantee</em> no
064         * orphans exist.
065         * <p/>
066         * <b>Note:</b> Shiro supports automatic execution of this method at a regular interval
067         * by using {@link SessionValidationScheduler}s.  The Shiro default SecurityManager implementations
068         * needing session validation will create and use one by default if one is not provided by the
069         * application configuration.
070         */
071        void validateSessions();
072    }