Package org.apache.shiro.subject

Examples of org.apache.shiro.subject.Subject$Builder


        // pretend that we had session id before
        Serializable id = null;
        if (sessionId != null && !sessionId.isEmpty()) {
            id = sessionId;
        }
        final Subject subject = new Subject.Builder().sessionId(id).buildSubject();
        ThreadContext.bind(subject);

        try {
            subject.login(new UsernamePasswordToken(createRequest.username, createRequest.password));
            final User user = userService.load(createRequest.username);
            if (user != null) {
                long timeoutInMillis = user.getSessionTimeoutMs();
                subject.getSession().setTimeout(timeoutInMillis);
            } else {
                // set a sane default. really we should be able to load the user from above.
                subject.getSession().setTimeout(TimeUnit.HOURS.toMillis(8));
            }
            subject.getSession().touch();

            // save subject in session, otherwise we can't get the username back in subsequent requests.
            ((DefaultSecurityManager) SecurityUtils.getSecurityManager()).getSubjectDAO().save(subject);

        } catch (AuthenticationException e) {
            LOG.warn("Unable to log in user " + createRequest.username, e);
        } catch (UnknownSessionException e) {
            subject.logout();
        }
        if (subject.isAuthenticated()) {
            final org.apache.shiro.session.Session session = subject.getSession();
            id = session.getId();
            result.sessionId = id.toString();
            // TODO is this even used by anyone yet?
            result.validUntil = new DateTime(session.getLastAccessTime(), DateTimeZone.UTC).plus(session.getTimeout()).toDate();
            return result;
View Full Code Here


    @DELETE
    @ApiOperation(value = "Terminate an existing session", notes = "Destroys the session with the given ID: the equivalent of logging out.")
    @Path("/{sessionId}")
    @RequiresAuthentication
    public Response terminateSession(@ApiParam(name = "sessionId", required = true) @PathParam("sessionId") String sessionId) {
        final Subject subject = getSubject();
        securityManager.logout(subject);

        final org.apache.shiro.session.Session session = subject.getSession(false);
        if (session == null || !session.getId().equals(sessionId)) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }

        return noContent().build();
View Full Code Here

    }

    private boolean checkRequireOldPassword(String username) {
        boolean requiresOldPassword = true;
        final User currentUser = currentUser();
        final Subject subject = currentUser.getSubject();
        final String currentUserName = currentUser.getName();
        if (subject.isPermitted("users:passwordchange:*")) {
            // if own account, require old password, otherwise don't require it
            requiresOldPassword = currentUserName.equals(username);
        }
        return requiresOldPassword;
    }
View Full Code Here

    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        SessionIdToken sessionIdToken = (SessionIdToken) token;
        final Subject subject = new Subject.Builder().sessionId(sessionIdToken.getSessionId()).buildSubject();
        final Session session = subject.getSession(false);
        if (session == null) {
            LOG.debug("Invalid session {}. Either it has expired or did not exist.", sessionIdToken.getSessionId());
            return null;
        }

        final Object username = subject.getPrincipal();
        final User user = userService.load(String.valueOf(username));
        if (user == null) {
            LOG.debug("No user named {} found for session {}", username, sessionIdToken.getSessionId());
            return null;
        }
View Full Code Here

    public void loginSubject() throws AuthenticationException {
        // what a hack :(
        ThreadContext.put("REQUEST_HEADERS", headers);
        subject.login(token);
        // the subject instance will change to include the session
        final Subject newSubject = ThreadContext.getSubject();
        if (newSubject != null) {
            subject = newSubject;
        }
        ThreadContext.remove("REQUEST_HEADERS");
    }
View Full Code Here

        final SecurityContext securityContext = requestContext.getSecurityContext();
        if (!(securityContext instanceof ShiroSecurityContext)) {
            return;
        }
        final ShiroSecurityContext context = (ShiroSecurityContext) securityContext;
        final Subject subject = context.getSubject();
        try {
            LOG.debug("Checking authorization for user {}, needs permissions {}", subject, annotation.value());
            new ContextAwarePermissionAnnotationHandler(context).assertAuthorized(annotation);
        } catch (AuthorizationException e) {
            LOG.info("User not authorized.", e);
View Full Code Here

        if(!StringUtils.isEmpty(error)) {//如果服务端返回了错误
            WebUtils.issueRedirect(request, response, failureUrl + "?error=" + error + "error_description=" + errorDescription);
            return false;
        }

        Subject subject = getSubject(request, response);
        if(!subject.isAuthenticated()) {
            if(StringUtils.isEmpty(request.getParameter(authcCodeParam))) {
                //如果用户没有身份验证,且没有auth code,则重定向到服务端授权
                saveRequestAndRedirectToLogin(request, response);
                return false;
            }
View Full Code Here

    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException ae, ServletRequest request,
                                     ServletResponse response) {
        Subject subject = getSubject(request, response);
        if (subject.isAuthenticated() || subject.isRemembered()) {
            try {
                issueSuccessRedirect(request, response);
            } catch (Exception e) {
                e.printStackTrace();
            }
View Full Code Here

        //2、得到SecurityManager实例 并绑定给SecurityUtils
        org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);

        //3、得到Subject及创建用户名/密码身份验证Token(即用户身份/凭证)
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);

        subject.login(token);
    }
View Full Code Here

*/
public class ClientAuthenticationFilter extends AuthenticationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        Subject subject = getSubject(request, response);
        return subject.isAuthenticated();
    }
View Full Code Here

TOP

Related Classes of org.apache.shiro.subject.Subject$Builder

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.