Class DefaultSecurityManager

  • All Implemented Interfaces:
    Authenticator, Authorizer, CacheManagerAware, EventBusAware, SecurityManager, SessionManager, Destroyable
    Direct Known Subclasses:

    public class DefaultSecurityManager
    extends SessionsSecurityManager
    The Shiro framework's default concrete implementation of the SecurityManager interface, based around a collection of Realms. This implementation delegates its authentication, authorization, and session operations to wrapped Authenticator, Authorizer, and SessionManager instances respectively via superclass implementation.

    To greatly reduce and simplify configuration, this implementation (and its superclasses) will create suitable defaults for all of its required dependencies, except the required one or more Realms. Because Realm implementations usually interact with an application's data model, they are almost always application specific; you will want to specify at least one custom Realm implementation that 'knows' about your application's data/security model (via RealmSecurityManager.setRealm(org.apache.shiro.realm.Realm) or one of the overloaded constructors). All other attributes in this class hierarchy will have suitable defaults for most enterprise applications.

    RememberMe notice: This class supports the ability to configure a RememberMeManager for RememberMe identity services for login/logout, BUT, a default instance will not be created for this attribute at startup.

    Because RememberMe services are inherently client tier-specific and therefore aplication-dependent, if you want RememberMe services enabled, you will have to specify an instance yourself via the setRememberMeManager mutator. However if you're reading this JavaDoc with the expectation of operating in a Web environment, take a look at the org.apache.shiro.web.DefaultWebSecurityManager implementation, which does support RememberMe services by default at startup.