Class AbstractValidatingSessionManager
java.lang.Object
org.apache.shiro.session.mgt.AbstractSessionManager
org.apache.shiro.session.mgt.AbstractNativeSessionManager
org.apache.shiro.session.mgt.AbstractValidatingSessionManager
- All Implemented Interfaces:
org.apache.shiro.event.EventBusAware,org.apache.shiro.lang.util.Destroyable,NativeSessionManager,SessionManager,ValidatingSessionManager
- Direct Known Subclasses:
DefaultSessionManager
public abstract class AbstractValidatingSessionManager
extends AbstractNativeSessionManager
implements ValidatingSessionManager, org.apache.shiro.lang.util.Destroyable
Default business-tier implementation of the
ValidatingSessionManager interface.- Since:
- 0.1
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final longThe default interval at which sessions will be validated (1 hour); This can be overridden by callingsetSessionValidationInterval(long)protected longprotected SessionValidationSchedulerScheduler used to validate sessions on a regular basis.protected booleanFields inherited from class org.apache.shiro.session.mgt.AbstractSessionManager
DEFAULT_GLOBAL_SESSION_TIMEOUT, MILLIS_PER_HOUR, MILLIS_PER_MINUTE, MILLIS_PER_SECOND -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprotected voidafterExpired(Session session) protected voidprotected voidprotected SessioncreateSession(SessionContext context) Creates a newSession Sessioninstance based on the specified (possiblynull) initialization data.protected SessionValidationSchedulervoiddestroy()protected voidprotected abstract SessiondoCreateSession(SessionContext initData) protected final SessiondoGetSession(SessionKey key) protected voiddoValidate(Session session) protected voidprotected abstract Collection<Session> longprotected longgetTimeout(Session session) Subclass template hook in case per-session timeout is not based onSession.getTimeout().booleanprotected voidonExpiration(Session session) protected voidonExpiration(Session s, ExpiredSessionException ese, SessionKey key) protected voidonInvalidation(Session s, InvalidSessionException ise, SessionKey key) protected abstract SessionLooks up a session from the underlying data store based on the specified session key.voidsetSessionValidationInterval(long sessionValidationInterval) If using the underlying default SessionValidationScheduler (that is, thesetSessionValidationSchedulermethod is never called) , this method allows one to specify how frequently session should be validated (to check for orphans).voidsetSessionValidationScheduler(SessionValidationScheduler sessionValidationScheduler) voidsetSessionValidationSchedulerEnabled(boolean sessionValidationSchedulerEnabled) protected voidvalidate(Session session, SessionKey key) voidPerforms session validation for all open/active sessions in the system (those that have not been stopped or expired), and validates each one.Methods inherited from class org.apache.shiro.session.mgt.AbstractNativeSessionManager
afterStopped, applyGlobalSessionTimeout, beforeInvalidNotification, checkValid, createExposedSession, createExposedSession, getAttribute, getAttributeKeys, getEventBus, getHost, getLastAccessTime, getSession, getSessionListeners, getStartTimestamp, getTimeout, isValid, notifyExpiration, notifyStart, notifyStop, onChange, onStart, onStop, onStop, publishEvent, removeAttribute, setAttribute, setEventBus, setSessionListeners, setTimeout, start, stop, touchMethods inherited from class org.apache.shiro.session.mgt.AbstractSessionManager
getGlobalSessionTimeout, setGlobalSessionTimeoutMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface org.apache.shiro.session.mgt.SessionManager
getSession, start
-
Field Details
-
DEFAULT_SESSION_VALIDATION_INTERVAL
The default interval at which sessions will be validated (1 hour); This can be overridden by callingsetSessionValidationInterval(long)- See Also:
-
sessionValidationSchedulerEnabled
-
sessionValidationScheduler
Scheduler used to validate sessions on a regular basis. -
sessionValidationInterval
-
-
Constructor Details
-
AbstractValidatingSessionManager
public AbstractValidatingSessionManager()
-
-
Method Details
-
isSessionValidationSchedulerEnabled
-
setSessionValidationSchedulerEnabled
-
setSessionValidationScheduler
-
getSessionValidationScheduler
-
setSessionValidationInterval
If using the underlying default SessionValidationScheduler (that is, thesetSessionValidationSchedulermethod is never called) , this method allows one to specify how frequently session should be validated (to check for orphans). The default value isDEFAULT_SESSION_VALIDATION_INTERVAL. If you override the default scheduler, it is assumed that overriding instance 'knows' how often to validate sessions, and this attribute will be ignored. Unless this method is called, the default value isDEFAULT_SESSION_VALIDATION_INTERVAL.- Parameters:
sessionValidationInterval- the time in milliseconds between checking for valid sessions to reap orphans.
-
getSessionValidationInterval
-
doGetSession
- Specified by:
doGetSessionin classAbstractNativeSessionManager- Throws:
InvalidSessionException
-
retrieveSession
Looks up a session from the underlying data store based on the specified session key.- Parameters:
key- the session key to use to look up the target session.- Returns:
- the session identified by
sessionId. - Throws:
UnknownSessionException- if there is no session identified bysessionId.
-
createSession
Description copied from class:AbstractNativeSessionManagerCreates a newSession Sessioninstance based on the specified (possiblynull) initialization data. Implementing classes must manage the persistent state of the returned session such that it could later be acquired via theAbstractNativeSessionManager.getSession(SessionKey)method.- Specified by:
createSessionin classAbstractNativeSessionManager- Parameters:
context- the initialization data that can be used by the implementation or underlyingSessionFactorywhen instantiating the internalSessioninstance.- Returns:
- the new
Sessioninstance. - Throws:
AuthorizationException- if the system access control policy does not allow the currently executing caller to start sessions.
-
doCreateSession
- Throws:
AuthorizationException
-
validate
- Throws:
InvalidSessionException
-
onExpiration
-
onExpiration
-
afterExpired
-
onInvalidation
-
doValidate
- Throws:
InvalidSessionException
-
getTimeout
Subclass template hook in case per-session timeout is not based onSession.getTimeout().This implementation merely returns
Session.getTimeout()- Parameters:
session- the session for which to determine session timeout.- Returns:
- the time in milliseconds the specified session may remain idle before expiring.
-
createSessionValidationScheduler
-
enableSessionValidation
-
afterSessionValidationEnabled
-
disableSessionValidation
-
beforeSessionValidationDisabled
-
destroy
- Specified by:
destroyin interfaceorg.apache.shiro.lang.util.Destroyable
-
validateSessions
Description copied from interface:ValidatingSessionManagerPerforms session validation for all open/active sessions in the system (those that have not been stopped or expired), and validates each one. If a session is found to be invalid (e.g. it has expired), it is updated and saved to the EIS. This method is necessary in order to handle orphaned sessions and is expected to be run at a regular interval, such as once an hour, once a day or once a week, etc. The "best" frequency to run this method is entirely dependent upon the application and would be based on factors such as performance, average number of active users, hours of least activity, and other things. Most enterprise applications use a request/response programming model. This is obvious in the case of web applications due to the HTTP protocol, but it is equally true of remote client applications making remote method invocations. The server essentially sits idle and only "works" when responding to client requests and/or method invocations. This type of model is particularly efficient since it means the security system only has to validate a session during those cases. Such "lazy" behavior enables the system to lie stateless and/or idle and only incur overhead for session validation when necessary. However, if a client forgets to log-out, or in the event of a server failure, it is possible for sessions to be orphaned since no further requests would utilize that session. Because of these lower-probability cases, it might be required to regularly clean-up the sessions maintained by the system, especially if sessions are backed by a persistent data store. Even in applications that aren't primarily based on a request/response model, such as those that use enterprise asynchronous messaging (where data is pushed to a client without first receiving a client request), it is almost always acceptable to utilize this lazy approach and run this method at defined interval. Systems that want to proactively validate individual sessions may simply call thegetSession(SessionKey)method on anyValidatingSessionManagerinstance as that method is expected to validate the session before retrieving it. Note that even with proactive calls togetSession, thisvalidateSessions()method should be invoked regularly anyway to guarantee no orphans exist. Note: Shiro supports automatic execution of this method at a regular interval by usingSessionValidationSchedulers. The Shiro default SecurityManager implementations needing session validation will create and use one by default if one is not provided by the application configuration.- Specified by:
validateSessionsin interfaceValidatingSessionManager- See Also:
-
getActiveSessions
-