001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing,
013 * software distributed under the License is distributed on an
014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 * KIND, either express or implied.  See the License for the
016 * specific language governing permissions and limitations
017 * under the License.
018 */
019package org.apache.shiro.web.session.mgt;
020
021import org.apache.shiro.authz.AuthorizationException;
022import org.apache.shiro.session.Session;
023import org.apache.shiro.session.SessionException;
024import org.apache.shiro.session.mgt.SessionContext;
025import org.apache.shiro.session.mgt.SessionKey;
026import org.apache.shiro.web.session.HttpServletSession;
027import org.apache.shiro.web.util.WebUtils;
028
029import javax.servlet.ServletRequest;
030import javax.servlet.http.HttpServletRequest;
031import javax.servlet.http.HttpSession;
032
033
034/**
035 * SessionManager implementation providing {@link Session} implementations that are merely wrappers for the
036 * Servlet container's {@link HttpSession}.
037 * <p/>
038 * Despite its name, this implementation <em>does not</em> itself manage Sessions since the Servlet container
039 * provides the actual management support.  This class mainly exists to 'impersonate' a regular Shiro
040 * {@code SessionManager} so it can be pluggable into a normal Shiro configuration in a pure web application.
041 * <p/>
042 * Note that because this implementation relies on the {@link HttpSession HttpSession}, it is only functional in a
043 * servlet container - it is not capable of supporting Sessions for any clients other than those using the HTTP
044 * protocol.
045 * <p/>
046 * Therefore, if you need {@code Session} support for heterogeneous clients (e.g. web browsers,
047 * RMI clients, etc), use the {@link DefaultWebSessionManager DefaultWebSessionManager}
048 * instead.  The {@code DefaultWebSessionManager} supports both traditional web-based access as well as non web-based
049 * clients.
050 *
051 * @since 0.9
052 * @see DefaultWebSessionManager
053 */
054public class ServletContainerSessionManager implements WebSessionManager {
055
056    //TODO - complete JavaDoc
057
058    //TODO - read session timeout value from web.xml
059
060    public ServletContainerSessionManager() {
061    }
062
063    public Session start(SessionContext context) throws AuthorizationException {
064        return createSession(context);
065    }
066
067    public Session getSession(SessionKey key) throws SessionException {
068        if (!WebUtils.isHttp(key)) {
069            String msg = "SessionKey must be an HTTP compatible implementation.";
070            throw new IllegalArgumentException(msg);
071        }
072
073        HttpServletRequest request = WebUtils.getHttpRequest(key);
074
075        Session session = null;
076
077        HttpSession httpSession = request.getSession(false);
078        if (httpSession != null) {
079            session = createSession(httpSession, request.getRemoteHost());
080        }
081
082        return session;
083    }
084
085    private String getHost(SessionContext context) {
086        String host = context.getHost();
087        if (host == null) {
088            ServletRequest request = WebUtils.getRequest(context);
089            if (request != null) {
090                host = request.getRemoteHost();
091            }
092        }
093        return host;
094
095    }
096
097    /**
098     * @since 1.0
099     */
100    protected Session createSession(SessionContext sessionContext) throws AuthorizationException {
101        if (!WebUtils.isHttp(sessionContext)) {
102            String msg = "SessionContext must be an HTTP compatible implementation.";
103            throw new IllegalArgumentException(msg);
104        }
105
106        HttpServletRequest request = WebUtils.getHttpRequest(sessionContext);
107
108        HttpSession httpSession = request.getSession();
109
110        //SHIRO-240: DO NOT use the 'globalSessionTimeout' value here on the acquired session.
111        //see: https://issues.apache.org/jira/browse/SHIRO-240
112
113        String host = getHost(sessionContext);
114
115        return createSession(httpSession, host);
116    }
117
118    protected Session createSession(HttpSession httpSession, String host) {
119        return new HttpServletSession(httpSession, host);
120    }
121
122    /**
123     * This implementation always delegates to the servlet container for sessions, so this method returns
124     * {@code true} always.
125     *
126     * @return {@code true} always
127     * @since 1.2
128     */
129        public boolean isServletContainerSessions() {
130                return true;
131        }
132}