View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.shiro;
20  
21  import org.apache.shiro.mgt.SecurityManager;
22  import org.apache.shiro.subject.Subject;
23  import org.apache.shiro.util.ThreadContext;
24  
25  
26  /**
27   * Accesses the currently accessible {@code Subject} for the calling code depending on runtime environment.
28   *
29   * @since 0.2
30   */
31  public abstract class SecurityUtils {
32  
33      /**
34       * ONLY used as a 'backup' in VM Singleton environments (that is, standalone environments), since the
35       * ThreadContext should always be the primary source for Subject instances when possible.
36       */
37      private static volatile SecurityManager securityManager;
38  
39      /**
40       * Returns the currently accessible {@code Subject} available to the calling code depending on
41       * runtime environment.
42       * <p/>
43       * This method is provided as a way of obtaining a {@code Subject} without having to resort to
44       * implementation-specific methods.  It also allows the Shiro team to change the underlying implementation of
45       * this method in the future depending on requirements/updates without affecting your code that uses it.
46       *
47       * @return the currently accessible {@code Subject} accessible to the calling code.
48       * @throws IllegalStateException if no {@link Subject Subject} instance or
49       *                               {@link SecurityManager SecurityManager} instance is available with which to obtain
50       *                               a {@code Subject}, which which is considered an invalid application configuration
51       *                               - a Subject should <em>always</em> be available to the caller.
52       */
53      public static Subject getSubject() {
54          Subject subject = ThreadContext.getSubject();
55          if (subject == null) {
56              subject = (new Subject.Builder()).buildSubject();
57              ThreadContext.bind(subject);
58          }
59          return subject;
60      }
61  
62      /**
63       * Sets a VM (static) singleton SecurityManager, specifically for transparent use in the
64       * {@link #getSubject() getSubject()} implementation.
65       * <p/>
66       * <b>This method call exists mainly for framework development support.  Application developers should rarely,
67       * if ever, need to call this method.</b>
68       * <p/>
69       * The Shiro development team prefers that SecurityManager instances are non-static application singletons
70       * and <em>not</em> VM static singletons.  Application singletons that do not use static memory require some sort
71       * of application configuration framework to maintain the application-wide SecurityManager instance for you
72       * (for example, Spring or EJB3 environments) such that the object reference does not need to be static.
73       * <p/>
74       * In these environments, Shiro acquires Subject data based on the currently executing Thread via its own
75       * framework integration code, and this is the preferred way to use Shiro.
76       * <p/>
77       * However in some environments, such as a standalone desktop application or Applets that do not use Spring or
78       * EJB or similar config frameworks, a VM-singleton might make more sense (although the former is still preferred).
79       * In these environments, setting the SecurityManager via this method will automatically enable the
80       * {@link #getSubject() getSubject()} call to function with little configuration.
81       * <p/>
82       * For example, in these environments, this will work:
83       * <pre>
84       * DefaultSecurityManager securityManager = new {@link org.apache.shiro.mgt.DefaultSecurityManager DefaultSecurityManager}();
85       * securityManager.setRealms( ... ); //one or more Realms
86       * <b>SecurityUtils.setSecurityManager( securityManager );</b></pre>
87       * <p/>
88       * And then anywhere in the application code, the following call will return the application's Subject:
89       * <pre>
90       * Subject currentUser = SecurityUtils.getSubject();</pre>
91       *
92       * @param securityManager the securityManager instance to set as a VM static singleton.
93       */
94      public static void setSecurityManager(SecurityManager securityManager) {
95          SecurityUtils.securityManager = securityManager;
96      }
97  
98      /**
99       * Returns the SecurityManager accessible to the calling code.
100      * <p/>
101      * This implementation favors acquiring a thread-bound {@code SecurityManager} if it can find one.  If one is
102      * not available to the executing thread, it will attempt to use the static singleton if available (see the
103      * {@link #setSecurityManager setSecurityManager} method for more on the static singleton).
104      * <p/>
105      * If neither the thread-local or static singleton instances are available, this method throws an
106      * {@code UnavailableSecurityManagerException} to indicate an error - a SecurityManager should always be accessible
107      * to calling code in an application. If it is not, it is likely due to a Shiro configuration problem.
108      *
109      * @return the SecurityManager accessible to the calling code.
110      * @throws UnavailableSecurityManagerException if there is no {@code SecurityManager} instance available to the
111      *                                             calling code, which typically indicates an invalid application configuration.
112      */
113     public static SecurityManager getSecurityManager() throws UnavailableSecurityManagerException {
114         SecurityManager securityManager = ThreadContext.getSecurityManager();
115         if (securityManager == null) {
116             securityManager = SecurityUtils.securityManager;
117         }
118         if (securityManager == null) {
119             String msg = "No SecurityManager accessible to the calling code, either bound to the "
120                     + ThreadContext.class.getName() + " or as a vm static singleton.  This is an invalid application "
121                     + "configuration.";
122             throw new UnavailableSecurityManagerException(msg);
123         }
124         return securityManager;
125     }
126 }