View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.shiro.web.mgt;
20  
21  import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
22  import org.apache.shiro.session.mgt.NativeSessionManager;
23  import org.apache.shiro.session.mgt.SessionManager;
24  import org.apache.shiro.subject.Subject;
25  import org.apache.shiro.web.subject.WebSubject;
26  import org.apache.shiro.web.util.WebUtils;
27  
28  /**
29   * A web-specific {@code SessionStorageEvaluator} that performs the same logic as the parent class
30   * {@link DefaultSessionStorageEvaluator} but additionally checks for a request-specific flag that may enable or
31   * disable session access.
32   * <p/>
33   * This implementation usually works in conjunction with the
34   * {@link org.apache.shiro.web.filter.session.NoSessionCreationFilter}:  If the {@code NoSessionCreationFilter}
35   * is configured in a filter chain, that filter will set a specific
36   * {@code ServletRequest} {@link javax.servlet.ServletRequest#setAttribute attribute} indicating that session creation
37   * should be disabled.
38   * <p/>
39   * This {@code DefaultWebSessionStorageEvaluator} will then inspect this attribute, and if it has been set, will return
40   * {@code false} from {@link #isSessionStorageEnabled(org.apache.shiro.subject.Subject)} method, thereby preventing
41   * Shiro from creating a session for the purpose of storing subject state.
42   * <p/>
43   * If the request attribute has
44   * not been set (i.e. the {@code NoSessionCreationFilter} is not configured or has been disabled), this class does
45   * nothing and delegates to the parent class for existing behavior.
46   *
47   * @since 1.2
48   */
49  public class DefaultWebSessionStorageEvaluator extends DefaultSessionStorageEvaluator {
50  
51      //since 1.2.1
52      private SessionManager sessionManager;
53  
54      /**
55       * Sets the session manager to use when checking to see if session storage is possible.
56       *
57       * @param sessionManager the session manager instance for checking.
58       * @since 1.2.1
59       */
60      //package protected on purpose to maintain point-version compatibility: (1.2.3 -> 1.2.1 should work always).
61      void setSessionManager(SessionManager sessionManager) {
62          this.sessionManager = sessionManager;
63      }
64  
65      /**
66       * Returns {@code true} if session storage is generally available (as determined by the super class's global
67       * configuration property {@link #isSessionStorageEnabled()} and no request-specific override has turned off
68       * session storage, {@code false} otherwise.
69       * <p/>
70       * This means session storage is disabled if the {@link #isSessionStorageEnabled()} property is {@code false} or if
71       * a request attribute is discovered that turns off session storage for the current request.
72       *
73       * @param subject the {@code Subject} for which session state persistence may be enabled
74       * @return {@code true} if session storage is generally available (as determined by the super class's global
75       * configuration property {@link #isSessionStorageEnabled()} and no request-specific override has turned off
76       * session storage, {@code false} otherwise.
77       */
78      @SuppressWarnings({"SimplifiableIfStatement"})
79      @Override
80      public boolean isSessionStorageEnabled(Subject subject) {
81          if (subject.getSession(false) != null) {
82              //use what already exists
83              return true;
84          }
85  
86          if (!isSessionStorageEnabled()) {
87              //honor global setting:
88              return false;
89          }
90  
91          //SHIRO-350: non-web subject instances can't be saved to web-only session managers:
92          //since 1.2.1:
93          if (!(subject instanceof WebSubject)
94                  && (this.sessionManager != null && !(this.sessionManager instanceof NativeSessionManager))) {
95              return false;
96          }
97  
98          return WebUtils.isSessionCreationEnabled(subject);
99      }
100 
101 }