Class DefaultSubjectDAO

java.lang.Object
org.apache.shiro.mgt.DefaultSubjectDAO
All Implemented Interfaces:
SubjectDAO
public class DefaultSubjectDAO extends Object implements SubjectDAO
Default SubjectDAO implementation that stores Subject state in the Subject's Session by default (but this can be disabled - see below). The Subject instance can be re-created at a later time by first acquiring the associated Session (typically from a SessionManager) via a session ID or session key and then building a Subject instance from Session attributes.

Controlling how Sessions are used

Whether or not a Subject's Session is used or not to persist its own state is controlled on a per-Subject basis as determined by the configured sessionStorageEvaluator. The default Evaluator is a DefaultSessionStorageEvaluator, which supports enabling or disabling session usage for Subject persistence at a global level for all subjects (and defaults to allowing sessions to be used).

Disabling Session Persistence Entirely

Because the default SessionStorageEvaluator instance is a DefaultSessionStorageEvaluator, you can disable Session usage for Subject state entirely by configuring that instance directly, e.g.: 
     ((DefaultSessionStorageEvaluator)sessionDAO.getSessionStorageEvaluator()).setSessionStorageEnabled(false);
or, for example, in shiro.ini: 
     securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false
but note: ONLY do this your application is 100% stateless and you DO NOT need subjects to be remembered across remote invocations, or in a web environment across HTTP requests.

Supporting Both Stateful and Stateless Subject paradigms

Perhaps your application needs to support a hybrid approach of both stateful and stateless Subjects:
  • Stateful: Stateful subjects might represent web end-users that need their identity and authentication state to be remembered from page to page.
  • Stateless: Stateless subjects might represent API clients (e.g. REST clients) that authenticate on every request, and therefore don't need authentication state to be stored across requests in a session.
To support the hybrid per-Subject approach, you will need to create your own implementation of the SessionStorageEvaluator interface and configure it via the setSessionStorageEvaluator(SessionStorageEvaluator) method, or, with shiro.ini: 
     myEvaluator = com.my.CustomSessionStorageEvaluator
     securityManager.subjectDAO.sessionStorageEvaluator = $myEvaluator

Unless overridden, the default evaluator is a DefaultSessionStorageEvaluator, which enables session usage for Subject state by default.

Since:
1.2
See Also:

  • Constructor Details

  • Method Details

    • isSessionStorageEnabled

      protected boolean isSessionStorageEnabled(Subject subject)
      Determines if the subject's session will be used to persist subject state or not. This implementation merely delegates to the internal SessionStorageEvaluator (a DefaultSessionStorageEvaluator by default).
      Parameters:
      subject - the subject to inspect to determine if the subject's session will be used to persist subject state or not.
      Returns:
      true if the subject's session will be used to persist subject state, false otherwise.
      See Also:

    • getSessionStorageEvaluator

      public SessionStorageEvaluator getSessionStorageEvaluator()
      Returns the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session. The default instance is a DefaultSessionStorageEvaluator.
      Returns:
      the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session.
      See Also:

    • setSessionStorageEvaluator

      public void setSessionStorageEvaluator(SessionStorageEvaluator sessionStorageEvaluator)
      Sets the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session. The default instance is a DefaultSessionStorageEvaluator.
      Parameters:
      sessionStorageEvaluator - the SessionStorageEvaluator that will determine if a Subject's state may be persisted in the Subject's session.
      See Also:

    • save

      public Subject save(Subject subject)
      Saves the subject's state to the subject's session only if sessionStorageEnabled(subject). If session storage is not enabled for the specific Subject, this method does nothing.

      In either case, the argument Subject is returned directly (a new Subject instance is not created).

      Specified by:
      save in interface SubjectDAO
      Parameters:
      subject - the Subject instance for which its state will be created or updated.
      Returns:
      the same Subject passed in (a new Subject instance is not created).

    • saveToSession

      protected void saveToSession(Subject subject)
      Saves the subject's state (it's principals and authentication state) to its session. The session can be retrieved at a later time (typically from a SessionManager to be used to recreate the Subject instance.
      Parameters:
      subject - the subject for which state will be persisted to its session.

    • mergePrincipals

      protected void mergePrincipals(Subject subject)
      Merges the Subject's current Subject.getPrincipals() with whatever may be in any available session. Only updates the Subject's session if the session does not match the current principals state.
      Parameters:
      subject - the Subject for which principals will potentially be merged into the Subject's session.

    • mergeAuthenticationState

      protected void mergeAuthenticationState(Subject subject)
      Merges the Subject's current authentication state with whatever may be in any available session. Only updates the Subject's session if the session does not match the current authentication state.
      Parameters:
      subject - the Subject for which principals will potentially be merged into the Subject's session.

    • removeFromSession

      protected void removeFromSession(Subject subject)
      Removes any existing subject state from the Subject's session (if the session exists). If the session does not exist, this method does not do anything.
      Parameters:
      subject - the subject for which any existing subject state will be removed from its session.

    • delete

      public void delete(Subject subject)
      Removes any existing subject state from the subject's session (if the session exists).
      Specified by:
      delete in interface SubjectDAO
      Parameters:
      subject - the Subject instance for which any persistent state should be deleted.