Examples of org.apache.shiro.mgt.DefaultSubjectDAO

• org.apache.shiro.mgt.DefaultSubjectDAO
  Default {@code SubjectDAO} implementation that stores Subject state in the Subject's Session by default (but thiscan be disabled - see below). The Subject instance can be re-created at a later time by first acquiring the associated Session (typically from a {@link org.apache.shiro.session.mgt.SessionManager SessionManager}) via a session ID or session key and then building a {@code Subject} instance from {@code Session} attributes.

  Controlling how Sessions are used

  Whether or not a {@code Subject}'s {@code Session} is used or not to persist its own state is controlled on aper-Subject basis as determined by the configured {@link #setSessionStorageEvaluator(SessionStorageEvaluator) sessionStorageEvaluator}. The default {@code Evaluator} is a {@link DefaultSessionStorageEvaluator}, which supports enabling or disabling session usage for Subject persistence at a global level for all subjects (and defaults to allowing sessions to be used).

  Disabling Session Persistence Entirely

  Because the default {@code SessionStorageEvaluator} instance is a {@link DefaultSessionStorageEvaluator}, you can disable Session usage for Subject state entirely by configuring that instance directly, e.g.:

   ((DefaultSessionStorageEvaluator)sessionDAO.getSessionStorageEvaluator()).setSessionStorageEnabled(false); 

  or, for example, in {@code shiro.ini}:

   securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false 

  but note: ONLY do this your application is 100% stateless and you DO NOT need subjects to be remembered across remote invocations, or in a web environment across HTTP requests.

  Supporting Both Stateful and Stateless Subject paradigms

  Perhaps your application needs to support a hybrid approach of both stateful and stateless Subjects:

  • Stateful: Stateful subjects might represent web end-users that need their identity and authentication state to be remembered from page to page.
  • Stateless: Stateless subjects might represent API clients (e.g. REST clients) that authenticate on every request, and therefore don't need authentication state to be stored across requests in a session.

  To support the hybrid per-Subject approach, you will need to create your own implementation of the {@link SessionStorageEvaluator} interface and configure it via the{@link #setSessionStorageEvaluator(SessionStorageEvaluator)} method, or, with {@code shiro.ini}:

   myEvaluator = com.my.CustomSessionStorageEvaluator securityManager.subjectDAO.sessionStorageEvaluator = $myEvaluator 

  Unless overridden, the default evaluator is a {@link DefaultSessionStorageEvaluator}, which enables session usage for Subject state by default. @see #isSessionStorageEnabled(org.apache.shiro.subject.Subject) @see SessionStorageEvaluator @see DefaultSessionStorageEvaluator @since 1.2

                        Lists.newArrayList(serverRestInterfaceRealm)
                );
        // disable storing sessions (TODO we might want to write a session store bridge to play's session cookie)
        final DefaultSessionStorageEvaluator sessionStorageEvaluator = new DefaultSessionStorageEvaluator();
        sessionStorageEvaluator.setSessionStorageEnabled(false);
        final DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
        subjectDAO.setSessionStorageEvaluator(sessionStorageEvaluator);
        securityManager.setSubjectDAO(subjectDAO);

        final Authenticator authenticator = securityManager.getAuthenticator();
        if (authenticator instanceof ModularRealmAuthenticator) {
            ModularRealmAuthenticator a = (ModularRealmAuthenticator) authenticator;

        if (authenticator instanceof ModularRealmAuthenticator) {
            ((ModularRealmAuthenticator) authenticator).setAuthenticationStrategy(new FirstSuccessfulStrategy());
        }
        sm.setAuthorizer(new ModularRealmAuthorizer(Lists.<Realm>newArrayList(mongoDbAuthorizationRealm, inMemoryRealm)));

        final DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
        final DefaultSessionStorageEvaluator sessionStorageEvaluator = new DefaultSessionStorageEvaluator() {
            @Override
            public boolean isSessionStorageEnabled(Subject subject) {
                // save to session if we already have a session. do not create on just for saving the subject
                return (subject.getSession(false) != null);
            }
        };
        sessionStorageEvaluator.setSessionStorageEnabled(false);
        subjectDAO.setSessionStorageEvaluator(sessionStorageEvaluator);
        sm.setSubjectDAO(subjectDAO);

        final DefaultSessionManager defaultSessionManager = (DefaultSessionManager) sm.getSessionManager();
        defaultSessionManager.setSessionDAO(mongoDbSessionDAO);
        defaultSessionManager.setDeleteInvalidSessions(true);

        //disable sessions entirely:
        setSessionManager(new DisabledSessionManager());

        //also prevent the SecurityManager impl from using the Session as a storage medium (i.e. after authc):
        DefaultSubjectDAO subjectDao = (DefaultSubjectDAO)getSubjectDAO();
        DefaultSessionStorageEvaluator sessionStorageEvaluator =
                (DefaultSessionStorageEvaluator)subjectDao.getSessionStorageEvaluator();
        sessionStorageEvaluator.setSessionStorageEnabled(false);
    }