Class DefaultSecurityManager
- All Implemented Interfaces:
Authenticator, Authorizer, org.apache.shiro.cache.CacheManagerAware, org.apache.shiro.event.EventBusAware, org.apache.shiro.lang.util.Destroyable, SecurityManager, SessionManager
The Shiro framework's default concrete implementation of the
SecurityManager interface,
based around a collection of Realms. This implementation delegates its
authentication, authorization, and session operations to wrapped Authenticator, Authorizer, and
SessionManager instances respectively via superclass
implementation.
To greatly reduce and simplify configuration, this implementation (and its superclasses) will
create suitable defaults for all of its required dependencies, except the required one or more
Realms. Because Realm implementations usually interact with an application's data model,
they are almost always application specific; you will want to specify at least one custom
Realm implementation that 'knows' about your application's data/security model
(via RealmSecurityManager.setRealm(org.apache.shiro.realm.Realm) or one of the overloaded constructors). All other attributes in this class hierarchy
will have suitable defaults for most enterprise applications.
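The following is an added illustration of the wiring described above; it is not code from the Shiro project. It supplies the one dependency that has no default, a custom Realm, and lets DefaultSecurityManager create everything else. InMemoryRealm, its account maps and the "alice" account are hypothetical and constructed for the example; AuthorizingRealm, PasswordMatcher, DefaultPasswordService, UsernamePasswordToken and SecurityUtils are Shiro's own classes.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical application realm: accounts live in a map, passwords are kept only as PasswordService hashes. */
class InMemoryRealm extends AuthorizingRealm {
    private final Map<String, String> passwordHashes = new ConcurrentHashMap<>();
    private final Map<String, String> roles = new ConcurrentHashMap<>();

    InMemoryRealm(PasswordService passwordService) {
        setName("inMemoryRealm");
        // PasswordMatcher hashes the submitted plaintext and compares it with the stored hash,
        // so the realm never has to see or keep plaintext credentials.
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwordService);
        setCredentialsMatcher(matcher);
    }

    void addAccount(String username, String passwordHash, String role) {
        passwordHashes.put(username, passwordHash);
        roles.put(username, role);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        String hash = passwordHashes.get(username);
        if (hash == null) {
            // Returning null makes the default ModularRealmAuthenticator raise UnknownAccountException.
            return null;
        }
        return new SimpleAuthenticationInfo(username, hash, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        String role = roles.get((String) principals.getPrimaryPrincipal());
        if (role != null) {
            info.addRole(role);
        }
        return info;
    }
}

public class DefaultSecurityManagerExample {
    public static void main(String[] args) {
        PasswordService passwordService = new DefaultPasswordService();
        InMemoryRealm realm = new InMemoryRealm(passwordService);
        // Constructed test account; a real application loads these from its user store.
        realm.addAccount("alice", passwordService.encryptPassword("correct horse battery staple"), "admin");

        // Only the Realm is supplied; Authenticator, Authorizer, SessionManager, SubjectDAO and
        // SubjectFactory all come from the defaults this class creates.
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        // A static VM-wide SecurityManager is fine for a standalone application; web applications
        // should let the Shiro filter bind it per request instead.
        SecurityUtils.setSecurityManager(securityManager);

        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("alice", "correct horse battery staple"));
            System.out.println("authenticated=" + subject.isAuthenticated() + " admin=" + subject.hasRole("admin"));
        } catch (AuthenticationException e) {
            // Report the failure class only; never echo the submitted credentials.
            System.out.println("login failed: " + e.getClass().getSimpleName());
        } finally {
            subject.logout();
        }
    }
}
```

Realms that return null for an unknown account, as this one does, let Shiro raise UnknownAccountException; whether your login UI distinguishes that from IncorrectCredentialsException is a separate decision, since doing so reveals which usernames exist.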
RememberMe notice: This class supports the ability to configure a
RememberMeManager
for RememberMe identity services for login/logout, BUT, a default instance will not be created
for this attribute at startup.
Because RememberMe services are inherently client tier-specific and
therefore application-dependent, if you want RememberMe services enabled, you will have to specify an
instance yourself via the setRememberMeManager
mutator. However, if you're reading this JavaDoc with the
expectation of operating in a Web environment, take a look at the
org.apache.shiro.web.mgt.DefaultWebSecurityManager implementation, which
does support RememberMe services by default at startup.
- Since:
- 0.2
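As an added example (not code from the Shiro project), the following configures the RememberMeManager explicitly for a web application instead of relying on the instance DefaultWebSecurityManager creates on its own. It assumes shiro-web on the classpath, a Realm built elsewhere, and a deployment-specific AES key provided through the hypothetical environment variable SHIRO_REMEMBERME_KEY; CookieRememberMeManager, DefaultWebSecurityManager and the Shiro Cookie interface are real.

```java
import java.util.Base64;

import org.apache.shiro.realm.Realm;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.Cookie;

public class RememberMeConfig {

    /** Builds a web SecurityManager whose RememberMe service is configured explicitly. */
    public static DefaultWebSecurityManager build(Realm realm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(realm);

        CookieRememberMeManager rememberMe = new CookieRememberMeManager();

        // The remembered identity is serialized, encrypted and handed to the browser as a cookie.
        // Every node that must accept that cookie needs the same key, and the key must not be a
        // constant checked into source, so it is loaded from deployment configuration here.
        // SHIRO_REMEMBERME_KEY is a hypothetical variable holding a base64-encoded AES key.
        String encodedKey = System.getenv("SHIRO_REMEMBERME_KEY");
        if (encodedKey == null) {
            throw new IllegalStateException("SHIRO_REMEMBERME_KEY is not set; refusing to start without a RememberMe key");
        }
        byte[] key = Base64.getDecoder().decode(encodedKey);
        if (key.length != 16 && key.length != 32) {
            throw new IllegalStateException("RememberMe key must be 128 or 256 bits");
        }
        rememberMe.setCipherKey(key);

        // Harden the cookie that carries the remembered identity.
        Cookie cookie = rememberMe.getCookie();
        cookie.setHttpOnly(true);            // not readable by page scripts
        cookie.setSecure(true);              // only sent over TLS
        cookie.setMaxAge(7 * 24 * 60 * 60);  // seconds; bounds how long a stolen cookie stays useful

        securityManager.setRememberMeManager(rememberMe);
        return securityManager;
    }
}
```

Clients still opt in per login: a UsernamePasswordToken created with the three-argument constructor (username, password, true) or with setRememberMe(true) is what makes rememberMeSuccessfulLogin write the cookie; a login without the flag leaves no remembered identity behind.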
-
Field Summary
Fields
- protected RememberMeManager rememberMeManager
- protected SubjectDAO subjectDAO
- protected SubjectFactory subjectFactory
-
Constructor Summary
Constructors
- DefaultSecurityManager() Default no-arg constructor.
- DefaultSecurityManager(Collection<Realm> realms) Supporting constructor for multiple realms.
- DefaultSecurityManager(Realm singleRealm) Supporting constructor for a single-realm application.
-
Method Summary
Methods
- protected void beforeLogout(Subject subject)
- protected void bind(Subject subject) Deprecated. in favor of save(subject).
- protected SubjectContext copy(SubjectContext subjectContext)
- protected SessionContext createSessionContext(SubjectContext subjectContext)
- protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) Creates a Subject instance for the user represented by the given method arguments.
- Subject createSubject(SubjectContext subjectContext) This implementation functions as follows:
- protected SubjectContext createSubjectContext()
- protected void delete(Subject subject) Removes (or 'unbinds') the Subject's state from the application, typically called during logout(org.apache.shiro.subject.Subject).
- protected Subject doCreateSubject(SubjectContext context) Actually creates a Subject instance by delegating to the internal subjectFactory.
- protected SubjectContext ensureSecurityManager(SubjectContext context) Determines if there is a SecurityManager instance in the context, and if not, adds 'this' to the context.
- protected PrincipalCollection getRememberedIdentity(SubjectContext subjectContext)
- RememberMeManager getRememberMeManager()
- protected SessionKey getSessionKey(SubjectContext context)
- SubjectDAO getSubjectDAO() Returns the SubjectDAO responsible for persisting Subject state, typically used after login or when a Subject identity is discovered (e.g. after RememberMe services).
- SubjectFactory getSubjectFactory() Returns the SubjectFactory responsible for creating Subject instances exposed to the application.
- Subject login(Subject subject, AuthenticationToken token) First authenticates the AuthenticationToken argument, and if successful, constructs a Subject instance representing the authenticated account's identity.
- void logout(Subject subject) Logs out the specified Subject from the system.
- protected void onFailedLogin(AuthenticationToken token, AuthenticationException ae, Subject subject)
- protected void onSuccessfulLogin(AuthenticationToken token, AuthenticationInfo info, Subject subject)
- protected void rememberMeFailedLogin(AuthenticationToken token, AuthenticationException ex, Subject subject)
- protected void rememberMeLogout(Subject subject)
- protected void rememberMeSuccessfulLogin(AuthenticationToken token, AuthenticationInfo info, Subject subject)
- protected Session resolveContextSession(SubjectContext context)
- protected SubjectContext resolvePrincipals(SubjectContext context) Attempts to resolve an identity (a PrincipalCollection) for the context using heuristics.
- protected SubjectContext resolveSession(SubjectContext context) Attempts to resolve any associated session based on the context and returns a context that represents this resolved Session to ensure it may be referenced if necessary by the invoked SubjectFactory that performs actual Subject construction.
- protected void save(Subject subject) Saves the subject's state to a persistent location for future reference if necessary.
- void setRememberMeManager(RememberMeManager rememberMeManager)
- void setSubjectDAO(SubjectDAO subjectDAO) Sets the SubjectDAO responsible for persisting Subject state, typically used after login or when a Subject identity is discovered (e.g. after RememberMe services).
- void setSubjectFactory(SubjectFactory subjectFactory) Sets the SubjectFactory responsible for creating Subject instances exposed to the application.
- protected void stopSession(Subject subject)
- protected void unbind(Subject subject) Deprecated. in Shiro 1.2 in favor of delete(org.apache.shiro.subject.Subject)
Methods inherited from class org.apache.shiro.mgt.SessionsSecurityManager
afterCacheManagerSet, afterEventBusSet, afterSessionManagerSet, applyCacheManagerToSessionManager, applyEventBusToSessionManager, destroy, getSession, getSessionManager, setSessionManager, start
Methods inherited from class org.apache.shiro.mgt.AuthorizingSecurityManager
afterRealmsSet, checkPermission, checkPermission, checkPermissions, checkPermissions, checkRole, checkRoles, checkRoles, getAuthorizer, hasAllRoles, hasRole, hasRoles, isPermitted, isPermitted, isPermitted, isPermitted, isPermittedAll, isPermittedAll, setAuthorizer
Methods inherited from class org.apache.shiro.mgt.AuthenticatingSecurityManager
authenticate, getAuthenticator, setAuthenticator
Methods inherited from class org.apache.shiro.mgt.RealmSecurityManager
applyCacheManagerToRealms, applyEventBusToRealms, getRealms, setRealm, setRealms
Methods inherited from class org.apache.shiro.mgt.CachingSecurityManager
applyEventBusToCacheManager, getCacheManager, getEventBus, setCacheManager, setEventBus
-
Field Details
-
rememberMeManager
-
subjectDAO
-
subjectFactory
-
-
Constructor Details
-
DefaultSecurityManager
public DefaultSecurityManager()
Default no-arg constructor.
-
DefaultSecurityManager
public DefaultSecurityManager(Realm singleRealm)
Supporting constructor for a single-realm application.
- Parameters:
singleRealm - the single realm used by this SecurityManager.
-
DefaultSecurityManager
public DefaultSecurityManager(Collection<Realm> realms)
Supporting constructor for multiple realms.
- Parameters:
realms - the realm instances backing this SecurityManager.
-
-
Method Details
-
getSubjectFactory
-
setSubjectFactory
-
getSubjectDAO
Returns the SubjectDAO responsible for persisting Subject state, typically used after login or when a Subject identity is discovered (e.g. after RememberMe services). Unless configured otherwise, the default implementation is a DefaultSubjectDAO.
- Returns:
- the SubjectDAO responsible for persisting Subject state, typically used after login or when a Subject identity is discovered (e.g. after RememberMe services).
- Since:
- 1.2
- See Also:
-
setSubjectDAO
Sets the SubjectDAO responsible for persisting Subject state, typically used after login or when a Subject identity is discovered (e.g. after RememberMe services). Unless configured otherwise, the default implementation is a DefaultSubjectDAO.
- Parameters:
subjectDAO - the SubjectDAO responsible for persisting Subject state, typically used after login or when a Subject identity is discovered (e.g. after RememberMe services).
- Since:
- 1.2
- See Also:
-
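The SubjectDAO is the switch that decides whether a login leaves server-side state behind. The following added example (not Shiro project code) replaces the default, which stores principals and the authenticated flag in a Session, with a DefaultSubjectDAO whose DefaultSessionStorageEvaluator has storage disabled, the configuration used for stateless APIs where every request re-proves its identity. DefaultSubjectDAO, DefaultSessionStorageEvaluator and SimpleAccountRealm are Shiro's own classes; the "svc-reporter" account is constructed for the demonstration.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class StatelessSubjectDaoExample {

    /** Configures the SubjectDAO so that Subject state is never written to a Session. */
    public static DefaultSecurityManager statelessSecurityManager(Realm realm) {
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);

        // Default behaviour: DefaultSubjectDAO with a DefaultSessionStorageEvaluator whose storage is
        // enabled, so save(subject) after login writes principals and the authenticated flag into a
        // Session, creating one on demand.
        DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
        DefaultSessionStorageEvaluator evaluator = new DefaultSessionStorageEvaluator();
        // Stateless setting: nothing is persisted, so there is no server-side session to fixate,
        // hijack or replay; each request must carry its own proof of identity.
        evaluator.setSessionStorageEnabled(false);
        subjectDAO.setSessionStorageEvaluator(evaluator);
        securityManager.setSubjectDAO(subjectDAO);
        return securityManager;
    }

    public static void main(String[] args) {
        // SimpleAccountRealm keeps plaintext passwords and is suitable only for tests; constructed demo account.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("svc-reporter", "s3cr3t", "reporter");

        SecurityUtils.setSecurityManager(statelessSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("svc-reporter", "s3cr3t"));

        // The in-memory Subject is authenticated for this invocation, but save(subject) skipped session
        // storage, so getSession(false) is null: nothing about this login outlives the current call.
        System.out.println("authenticated=" + subject.isAuthenticated());
        System.out.println("session created=" + (subject.getSession(false) != null));
        subject.logout();
    }
}
```

Disabling storage globally is the simplest form; a SessionStorageEvaluator can also decide per Subject (for example, store only when a session already exists) so that browser users keep sessions while API clients stay stateless.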
getRememberMeManager
-
setRememberMeManager
-
createSubjectContext
-
createSubject
protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing)
Creates a Subject instance for the user represented by the given method arguments.
- Parameters:
token - the AuthenticationToken submitted for the successful authentication.
info - the AuthenticationInfo of a newly authenticated user.
existing - the existing Subject instance that initiated the authentication attempt
- Returns:
- the Subject instance that represents the context and session data for the newly authenticated subject.
-
bind
Deprecated. in favor of save(subject).
Binds a Subject instance created after authentication to the application for later use. As of Shiro 1.2, this method has been deprecated in favor of save(org.apache.shiro.subject.Subject), which this implementation now calls.
- Parameters:
subject - the Subject instance created after authentication to be bound to the application for later use.
- See Also:
-
rememberMeSuccessfulLogin
protected void rememberMeSuccessfulLogin(AuthenticationToken token, AuthenticationInfo info, Subject subject)
-
rememberMeFailedLogin
protected void rememberMeFailedLogin(AuthenticationToken token, AuthenticationException ex, Subject subject)
-
rememberMeLogout
-
login
First authenticates the AuthenticationToken argument, and if successful, constructs a Subject instance representing the authenticated account's identity. Once constructed, the Subject instance is then bound to the application for subsequent access before being returned to the caller.
- Parameters:
subject - the subject against which the authentication attempt will occur
token - the authenticationToken to process for the login attempt.
- Returns:
- a Subject representing the authenticated user.
- Throws:
AuthenticationException- if there is a problem authenticating the specifiedtoken.
-
onSuccessfulLogin
protected void onSuccessfulLogin(AuthenticationToken token, AuthenticationInfo info, Subject subject)
-
onFailedLogin
protected void onFailedLogin(AuthenticationToken token, AuthenticationException ae, Subject subject)
-
beforeLogout
-
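onSuccessfulLogin, onFailedLogin and beforeLogout are the hooks login(Subject, AuthenticationToken) and logout(Subject) call around the RememberMe handling, which makes them the natural place for audit events. The following added example (not Shiro project code) subclasses DefaultSecurityManager to emit structured login and logout records; it assumes SLF4J, the logging facade Shiro itself depends on, and a logger named "security.audit" of my choosing. Calling super in each override preserves the rememberMe* behaviour the superclass performs there.

```java
import java.io.Serializable;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.HostAuthenticationToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical subclass that turns the login/logout hooks into audit events. */
public class AuditingSecurityManager extends DefaultSecurityManager {
    private static final Logger AUDIT = LoggerFactory.getLogger("security.audit");

    public AuditingSecurityManager(Realm realm) {
        super(realm);
    }

    @Override
    protected void onSuccessfulLogin(AuthenticationToken token, AuthenticationInfo info, Subject subject) {
        // Superclass behaviour first: it drives rememberMeSuccessfulLogin.
        super.onSuccessfulLogin(token, info, subject);
        AUDIT.info("event=login.success principal={} host={} session={}",
                info.getPrincipals().getPrimaryPrincipal(), hostOf(token), sessionIdOf(subject));
    }

    @Override
    protected void onFailedLogin(AuthenticationToken token, AuthenticationException ae, Subject subject) {
        super.onFailedLogin(token, ae, subject);
        // Record the claimed principal and the failure type (UnknownAccountException, IncorrectCredentialsException,
        // LockedAccountException, ...) so brute-force and password-spraying detections can key on them.
        // Never log token.getCredentials().
        AUDIT.warn("event=login.failure principal={} host={} reason={}",
                token.getPrincipal(), hostOf(token), ae.getClass().getSimpleName());
    }

    @Override
    protected void beforeLogout(Subject subject) {
        // Capture identity and session id before the superclass runs rememberMeLogout and logout() stops the session.
        AUDIT.info("event=logout principal={} session={}", subject.getPrincipal(), sessionIdOf(subject));
        super.beforeLogout(subject);
    }

    private static String hostOf(AuthenticationToken token) {
        // UsernamePasswordToken implements HostAuthenticationToken; other token types may not carry a host.
        return token instanceof HostAuthenticationToken ? ((HostAuthenticationToken) token).getHost() : null;
    }

    private static Serializable sessionIdOf(Subject subject) {
        Session session = subject.getSession(false); // false: do not create a session just to log its id
        return session == null ? null : session.getId();
    }
}
```

Because these hooks run inside the SecurityManager rather than in each caller of Subject.login(), every code path that authenticates, including RememberMe-free programmatic logins, produces the same record.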
copy
-
createSubject
This implementation functions as follows:
- Ensures the SubjectContext is as populated as it can be, using heuristics to acquire data that may not have already been available to it (such as a referenced session or remembered principals).
- Calls doCreateSubject(org.apache.shiro.subject.SubjectContext) to actually perform the Subject instance creation.
- Calls save(subject) to ensure the constructed Subject's state is accessible for future requests/invocations if necessary.
- Returns the constructed Subject instance.
- Parameters:
subjectContext - any data needed to direct how the Subject should be constructed.
- Returns:
- the Subject instance reflecting the specified contextual data.
- Since:
- 1.0
- See Also:
-
doCreateSubject
Actually creates a Subject instance by delegating to the internal subjectFactory. By the time this method is invoked, all possible SubjectContext data (session, principals, et al.) has been made accessible using all known heuristics and will be accessible to the subjectFactory via the subjectContext.resolve* methods.
- Parameters:
context - the populated context (data map) to be used by the SubjectFactory when creating a Subject instance.
- Returns:
- a Subject instance reflecting the data in the specified SubjectContext data map.
- Since:
- 1.2
- See Also:
-
save
Saves the subject's state to a persistent location for future reference if necessary. This implementation merely delegates to the internal subjectDAO and calls subjectDAO.save(subject).
- Parameters:
subject - the subject for which state will potentially be persisted
- Since:
- 1.2
- See Also:
-
delete
Removes (or 'unbinds') the Subject's state from the application, typically called during logout(org.apache.shiro.subject.Subject). This implementation merely delegates to the internal subjectDAO and calls subjectDAO.delete(subject).
- Parameters:
subject - the subject for which state will be removed
- Since:
- 1.2
- See Also:
-
ensureSecurityManager
Determines if there is a SecurityManager instance in the context, and if not, adds 'this' to the context. This ensures the SubjectFactory instance will have access to a SecurityManager during Subject construction if necessary.
- Parameters:
context - the subject context data that may contain a SecurityManager instance.
- Returns:
- The SubjectContext to use to pass to a SubjectFactory for subject creation.
- Since:
- 1.0
-
resolveSession
Attempts to resolve any associated session based on the context and returns a context that represents this resolved Session to ensure it may be referenced if necessary by the invoked SubjectFactory that performs actual Subject construction. If there is a Session already in the context because that is what the caller wants to be used for Subject construction, or if no session is resolved, this method effectively does nothing and returns the context method argument unaltered.
- Parameters:
context - the subject context data that may resolve a Session instance.
- Returns:
- The context to use to pass to a SubjectFactory for subject creation.
- Since:
- 1.0
-
resolveContextSession
- Throws:
InvalidSessionException
-
getSessionKey
-
resolvePrincipals
Attempts to resolve an identity (a PrincipalCollection) for the context using heuristics. This implementation functions as follows:
- Check the context to see if it can already resolve an identity. If so, this method does nothing and returns the method argument unaltered.
- Check for a RememberMe identity by calling getRememberedIdentity(org.apache.shiro.subject.SubjectContext). If that method returns a non-null value, place the remembered PrincipalCollection in the context.
- Parameters:
context - the subject context data that may provide (directly or indirectly through one of its values) a PrincipalCollection identity.
- Returns:
- The Subject context to use to pass to a SubjectFactory for subject creation.
- Since:
- 1.0
-
createSessionContext
-
logout
Description copied from interface: SecurityManager
Logs out the specified Subject from the system. Note that most application developers should not call this method unless they have a good reason for doing so. The preferred way to log out a Subject is to call Subject.logout(), not the SecurityManager directly. Framework developers on the other hand might find calling this method directly useful in certain cases.
- Parameters:
subject - the subject to log out.
-
stopSession
-
unbind
Deprecated. in Shiro 1.2 in favor of delete(org.apache.shiro.subject.Subject)
Unbinds or removes the Subject's state from the application, typically called during logout(org.apache.shiro.subject.Subject). This has been deprecated in Shiro 1.2 in favor of the delete method. The implementation has been updated to invoke that method.
- Parameters:
subject - the subject to unbind from the application as it will no longer be used.
-
getRememberedIdentity
-