Session Management in Shiro


A session in Shiro comes from one of two sources:

  1. The session obtained from the servlet container (such as Tomcat).
  2. Shiro's own session management mechanism.

When we use Shiro in a non-web environment (yes, Shiro can authenticate in a non-web environment), it is certainly the second.

On the web, it depends on the specific type of SessionManager.

The security manager we commonly use is DefaultWebSecurityManager; its inheritance structure is as follows.

DefaultWebSecurityManager structure

It has the sessionManager property of its parent class SessionsSecurityManager. The default is DefaultSessionManager.

Setting it to DefaultWebSessionManager lets Shiro control the session itself.

DefaultWebSessionManager structure

The detailed analysis is as follows:

We all know that Shiro intercepts and modifies requests through a filter.

The filter inheritance is shown below:

filter inheritance

The doFilter method of OncePerRequestFilter is called, which in turn calls doFilterInternal.

The subclass AbstractShiroFilter implements doFilterInternal. The call chain continues: doFilterInternal -> prepareServletRequest -> wrapServletRequest. wrapServletRequest uses the securityManager's isHttpSessionMode method to determine whether to use the servlet container's session (true: use the servlet container session; false: use the custom session).

public abstract class AbstractShiroFilter extends OncePerRequestFilter {
    protected ServletRequest wrapServletRequest(HttpServletRequest orig) {
        return new ShiroHttpServletRequest(orig, getServletContext(), isHttpSessions());
    }
    //......
}
public class ShiroHttpServletRequest extends HttpServletRequestWrapper {
    public HttpSession getSession(boolean create) {

        HttpSession httpSession;

        if (isHttpSessions()) {
            httpSession = super.getSession(false);
            if (httpSession == null && create) {
                //Shiro 1.2: assert that creation is enabled (SHIRO-266):
                if (WebUtils._isSessionCreationEnabled(this)) {
                    httpSession = super.getSession(create);
                } else {
                    throw newNoSessionCreationException();
                }
            }
        } else {
            boolean existing = getSubject().getSession(false) != null;
            
            if (this.session == null || !existing) {
                Session shiroSession = getSubject().getSession(create);
                if (shiroSession != null) {
                    this.session = new ShiroHttpSession(shiroSession, this, this.servletContext);
                    if (!existing) {
                        setAttribute(REFERENCED_SESSION_IS_NEW, Boolean.TRUE);
                    }
                } else if (this.session != null) {
                    this.session = null;
                }
            }
            httpSession = this.session;
        }

        return httpSession;
    }
    //......
}

As can be seen, if isHttpSessionMode returns true, the getSession method of ShiroHttpServletRequest's parent (HttpServletRequest) is called, and the result is the servlet container's session.

However, if it returns false, a custom Shiro session is created with new ShiroHttpSession.

So how is the result of isHttpSessionMode determined?

The class that implements this method is DefaultWebSessionManager; its isHttpSessionMode method checks the class's sessionManager field. If sessionManager is a subclass of WebSessionManager and its isServletContainerSessions method returns true, then the whole method returns true.

public class DefaultWebSecurityManager extends DefaultSecurityManager implements WebSecurityManager {
    public boolean isHttpSessionMode() {
        SessionManager sessionManager = getSessionManager();
        return sessionManager instanceof WebSessionManager && ((WebSessionManager)sessionManager).isServletContainerSessions();
    }
    public SessionManager getSessionManager() {
        return this.sessionManager;
    }
    //.....
}

(Quite convoluted.)
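The decision described above can be checked directly. This is an added example, not code from the original article or from Shiro itself: it sets three different session managers on a DefaultWebSecurityManager and reports isHttpSessionMode for each, and it shows where the session cookie flags are set when Shiro manages the session, since in that mode Shiro writes the session cookie itself. The class name SessionModeDemo, its helper methods, and the timeout value are assumptions; shiro-core and shiro-web must be on the classpath.

```java
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.Cookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.session.mgt.ServletContainerSessionManager;

// Added example: SessionModeDemo and its helpers are hypothetical names.
public class SessionModeDemo {

    // Shiro-managed sessions: the session cookie is issued by Shiro,
    // so its flags and the timeout are configured on the session manager.
    static DefaultWebSessionManager hardenedNativeSessionManager() {
        DefaultWebSessionManager sm = new DefaultWebSessionManager();
        sm.setGlobalSessionTimeout(30 * 60 * 1000L);  // constructed value: 30 minutes, in ms
        sm.setSessionIdUrlRewritingEnabled(false);     // keep the session id out of URLs
        Cookie cookie = sm.getSessionIdCookie();
        cookie.setHttpOnly(true);                      // not readable from page scripts
        cookie.setSecure(true);                        // only sent over HTTPS
        return sm;
    }

    // Sets the given manager and asks the security manager which mode results,
    // i.e. the value that wrapServletRequest passes to ShiroHttpServletRequest.
    static boolean httpSessionMode(SessionManager sm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sm);
        return securityManager.isHttpSessionMode();
    }

    public static void main(String[] args) {
        // A WebSessionManager whose isServletContainerSessions() is true:
        // getSession() delegates to the servlet container.
        System.out.println("ServletContainerSessionManager: "
                + httpSessionMode(new ServletContainerSessionManager()));
        // A WebSessionManager whose isServletContainerSessions() is false:
        // getSession() wraps a Shiro session in ShiroHttpSession.
        System.out.println("DefaultWebSessionManager:       "
                + httpSessionMode(hardenedNativeSessionManager()));
        // Not a WebSessionManager at all: the instanceof check fails,
        // so this also takes the ShiroHttpSession branch.
        System.out.println("DefaultSessionManager:          "
                + httpSessionMode(new DefaultSessionManager()));
    }
}
```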


Origin www.cnblogs.com/modyuan/p/12403605.html