Shiro - (h) Session Management

Session Management

  Shiro provides complete, enterprise-grade session management that is independent of the underlying container (such as the Tomcat web container). It can be used in both JavaSE and JavaEE environments and provides session management, session event listeners, session storage/persistence, container-independent clustering, invalidation/expiration support, transparent support for the Web, SSO (single sign-on) support, and other features. Using Shiro's session management directly can replace the web container's own session management.

Session

  A session is the connection maintained while a user accesses an application: across multiple interactions the application can identify who the current user is, and it can keep some data between those interactions. For example, after a successful login to a website, the site remembers the user and can identify who the current user is until they log out.

Shiro's session support can be used not only in ordinary JavaSE applications but also in JavaEE applications such as web applications, and it is used the same way in both.

  With Shiro, all of a user's session information is managed by Shiro, so anything related to the user's session can be handled through Shiro. Shiro's session can in fact read the values stored in the HttpSession, and all of this information is available through the Subject interface.

Common API:

      Subject.getSession() ----- get Shiro's session

        session.setAttribute(key, val) & session.getAttribute(key) & session.removeAttribute(key)

        session.getId() ------ get the session ID

        session.getTimeout() & session.setTimeout(ms) ------- get / set the expiration time of the current session

        session.getStartTimestamp() & session.getLastAccessTime() -------- get the session's start time and last access time

        session.stop() ------ Subject.logout() automatically calls session.stop()

 

To manage sessions, expired sessions must be cleaned up periodically to free space, so a scheduling component has to be added first.

<dependency>
     <groupId>org.apache.shiro</groupId>
     <artifactId>shiro-quartz</artifactId>
     <version>1.2.2</version>
</dependency>

shiro-single.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd">

    <!-- This bean id must match the Shiro filter configured in web.xml -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <!-- Where unauthenticated requests are redirected -->
        <property name="loginUrl" value="/actions/login"/>
        <!-- Where to go after a successful login -->
        <property name="successUrl" value="/home.jsp"/>
        <!-- Where to go when the user lacks permission -->
        <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
        <!-- Request interception rules -->
        <property name="filterChainDefinitions">
            <value>
                <!-- The login request is not intercepted -->
                /actions/security/login = anon
                <!-- Requests under admin require authentication, must pass the custom
                     permissionFilter interceptor, and finally need the coder role -->
                /actions/admin/** = authc,permissionFilter,roles[coder]
                /actions/obtainAllUsers = user
                /actions/logout = logout
                /actions/** = authc
            </value>
        </property>
        <!-- User-defined filters -->
        <property name="filters">
            <map>
                <entry key="permissionFilter" value-ref="userAccessControlFilter"/>
            </map>
        </property>
    </bean>

    <!-- Custom Realm -->
    <bean id="userRealm" class="com.jay.shiro.UserRealm"/>

    <!-- securityManager object -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <!-- Inject the UserRealm -->
        <property name="realm" ref="userRealm"/>
        <!-- Inject the rememberMe manager -->
        <property name="rememberMeManager" ref="rememberMeManager"/>
        <!-- Inject the sessionManager -->
        <property name="sessionManager" ref="sessionManager"/>
    </bean>

    <!-- Session manager; times are in milliseconds -->
    <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
        <!-- Remove the JSESSIONID from the URL -->
        <property name="sessionIdUrlRewritingEnabled" value="false"/>
        <!-- Session lifetime (ms) -->
        <property name="globalSessionTimeout" value="200000"/><!-- 200000 ms is about 3 min 20 s; 10 minutes would be 600000 -->
        <!-- Whether to delete invalid sessions -->
        <property name="deleteInvalidSessions" value="true"/>
        <!-- Enable the session-scanning thread that cleans up timed-out sessions -->
        <property name="sessionValidationSchedulerEnabled" value="true"/>
        <!-- Use the Quartz component for periodic cleanup -->
        <property name="sessionValidationScheduler" ref="sessionValidationScheduler"/>
        <!-- Sessions use the session cookie template -->
        <property name="sessionIdCookieEnabled" value="true"/>
        <property name="sessionIdCookie" ref="sessionIdCookie"/>
        <!-- Implementation class for session create, read, update and delete -->
        <property name="sessionDAO" ref="sessionDAO"/>
    </bean>

    <!-- Session validation scheduler; time in milliseconds -->
    <bean id="sessionValidationScheduler" class="org.apache.shiro.session.mgt.quartz.QuartzSessionValidationScheduler">
        <property name="sessionValidationInterval" value="30000"/>
        <property name="sessionManager" ref="sessionManager"/>
    </bean>

    <!-- Session ID generator -->
    <bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/>

    <!-- Session read/write implementation class -->
    <bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO">
        <property name="activeSessionsCacheName" value="shiro-activeSessionCache"/>
        <property name="sessionIdGenerator" ref="sessionIdGenerator"/>
    </bean>

    <!-- Session cookie template -->
    <bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
        <constructor-arg value="sid"/>
        <property name="httpOnly" value="true"/>
        <!-- maxAge = -1 means the cookie expires when the browser is closed -->
        <property name="maxAge" value="-1"/>
    </bean>
    <!-- rememberMeCookie: the remember-me cookie, kept for 30 days -->
    <bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
        <constructor-arg value="rememberMe"/>
        <property name="httpOnly" value="true"/>
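        <property name="maxAge" value="2592000"/><!-- 30 days -->
    </bean>

    <!-- rememberMe manager -->
    <bean id="rememberMeManager"
          class="org.apache.shiro.web.mgt.CookieRememberMeManager">
        <!-- The key below is hard-coded for this sample; a deployment should generate its own
             random key and load it from protected configuration, not reuse a published value -->
        <property name="cipherKey" value="#{T(org.apache.shiro.codec.Base64).decode('4AvVhmFLUs0KTA3Kprsdag==')}"/>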
        <property name="cookie" ref="rememberMeCookie"/>
    </bean>

    <!-- Shiro lifecycle processor: ensures the lifecycle methods of beans implementing Shiro's internal lifecycle interfaces are executed -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

</beans>

Import shiro-single.xml into the Spring configuration

    <!-- Import the Shiro configuration file -->
    <import resource="shiro-single.xml"/>

 

Store a value in the session at login, then read it back from the session after login

   Then click the "Enter admin page" hyperlink, which sends the corresponding request to the backend. The controller that handles this request obtains Shiro's Session and tries to read the value stored under the key "abc". The console prints "def", which shows that Shiro's session can correctly read key-value pairs from the HttpSession. It also shows that the Shiro session integration was successful.
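
The login-then-read flow described above, together with the calls from the Common API list, as an added JavaSE example (not code from the original post). The class name, the in-memory realm and the `demo-user` account are assumptions made for the demo; it needs `shiro-core` on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class ShiroSessionDemo {

    // Login step: authenticate, then store a value in the Shiro session.
    static void login(String user, String password) {
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken(user, password));
        subject.getSession().setAttribute("abc", "def");
    }

    // Later request: read the value back through the same Subject.
    static Object readAfterLogin() {
        return SecurityUtils.getSubject().getSession().getAttribute("abc");
    }

    public static void main(String[] args) {
        // Constructed in-memory realm and account, for the demo only (hypothetical names).
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("demo-user", "demo-password");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        login("demo-user", "demo-password");
        Session session = SecurityUtils.getSubject().getSession();
        session.setTimeout(200000L); // per-session override, in milliseconds

        System.out.println("id          = " + session.getId());
        System.out.println("timeout(ms) = " + session.getTimeout());
        System.out.println("started     = " + session.getStartTimestamp());
        System.out.println("last access = " + session.getLastAccessTime());
        System.out.println("abc         = " + readAfterLogin());

        // logout() calls session.stop(); the old reference is unusable afterwards.
        SecurityUtils.getSubject().logout();
        try {
            session.getAttribute("abc");
            System.out.println("session still readable (unexpected)");
        } catch (InvalidSessionException e) {
            System.out.println("session invalid after logout: " + e.getClass().getSimpleName());
        }
    }
}
```

The final `catch` branch is the one to check: a session reference held across `logout()` must no longer return the stored data.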

 


Origin www.cnblogs.com/crazy-lc/p/12434746.html