Package org.apache.shiro.subject

Examples of org.apache.shiro.subject.Subject


@WebServlet(name = "permissionServlet", urlPatterns = "/permission")
public class PermissionServlet extends HttpServlet {

    /**
     * Serves the permission demo page to subjects that hold the {@code user:create} permission.
     *
     * <p>The permission check runs before anything is written to the response.
     * {@code Subject.checkPermission} throws an {@code AuthorizationException} when the
     * permission is missing, so the forward below is reached only for authorized subjects.
     * The exception is not caught here; how it is turned into an HTTP response (error page,
     * filter, container default) is decided outside this method and is not visible in this
     * excerpt.
     *
     * @param req  the incoming request
     * @param resp the response the JSP renders into
     * @throws ServletException if the forward fails
     * @throws IOException      if the forward fails on I/O
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // The view lives under /WEB-INF, so clients cannot request it directly and
        // bypass the check; it is reachable only through this forward.
        final String permittedView = "/WEB-INF/jsp/hasPermission.jsp";

        // Fail closed: this throws for a subject without the permission.
        SecurityUtils.getSubject().checkPermission("user:create");

        req.getRequestDispatcher(permittedView).forward(req, resp);
    }


    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String error = null;
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(true);
        try {
            subject.login(token);
        } catch (UnknownAccountException e) {
            error = "用户名/密码错误";
        } catch (IncorrectCredentialsException e) {
            error = "用户名/密码错误";
        } catch (AuthenticationException e) {

                                .buildJSONMessage();
                return new ResponseEntity(response.getBody(), HttpStatus.valueOf(response.getResponseStatus()));
            }


            Subject subject = SecurityUtils.getSubject();
            //如果用户没有登录,跳转到登陆页面
            if(!subject.isAuthenticated()) {
                if(!login(subject, request)) {//登录失败时跳转到登陆页面
                    model.addAttribute("client", clientService.findByClientId(oauthRequest.getClientId()));
                    return "oauth2login";
                }
            }

            String username = (String)subject.getPrincipal();
            //生成授权码
            String authorizationCode = null;
            //responseType目前仅支持CODE,另外还有TOKEN
            String responseType = oauthRequest.getParam(OAuth.OAUTH_RESPONSE_TYPE);
            if (responseType.equals(ResponseType.CODE.toString())) {

            securityToken = (ShiroSecurityToken)objectInputStream.readObject();
        } finally {
            IOHelper.close(objectInputStream, byteArrayInputStream);
        }

        Subject currentUser = SecurityUtils.getSubject();

        // Authenticate user if not authenticated
        try {
            authenticateUser(currentUser, securityToken);

            // Test whether user's role is authorized to perform functions in the permissions list
            authorizeUser(currentUser, exchange);
        } finally {
            if (policy.isAlwaysReauthenticate()) {
                currentUser.logout();
            }
        }
    }

                principals = info.getPrincipals();
            }
        }

        if (isEmpty(principals)) {
            Subject subject = getSubject();
            if (subject != null) {
                principals = subject.getPrincipals();
            }
        }

        if (isEmpty(principals)) {
            //try the session:

    /**
     * Resolves the session to use, preferring the one returned by {@code getSession()} and
     * falling back to the session of the subject returned by {@code getSubject()}.
     *
     * @return the resolved session, or {@code null} when neither source provides one
     */
    public Session resolveSession() {
        Session direct = getSession();
        if (direct != null) {
            return direct;
        }

        // No session was supplied directly, so try the Subject if one exists.
        Subject fallbackSubject = getSubject();
        if (fallbackSubject == null) {
            return null;
        }
        // getSession(false) only looks up an existing session; resolving must not
        // create a new one as a side effect.
        return fallbackSubject.getSession(false);
    }

        securityManager.checkRoles(getPrincipals(), roles);
    }

    public void login(AuthenticationToken token) throws AuthenticationException {
        clearRunAsIdentitiesInternal();
        Subject subject = securityManager.login(this, token);

        PrincipalCollection principals;

        String host = null;

        if (subject instanceof DelegatingSubject) {
            DelegatingSubject delegating = (DelegatingSubject) subject;
            //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:
            principals = delegating.principals;
            host = delegating.host;
        } else {
            principals = subject.getPrincipals();
        }

        if (principals == null || principals.isEmpty()) {
            String msg = "Principals returned from securityManager.login( token ) returned a null or " +
                    "empty value.  This value must be non null and populated with one or more elements.";
            throw new IllegalStateException(msg);
        }
        this.principals = principals;
        this.authenticated = true;
        if (token instanceof HostAuthenticationToken) {
            host = ((HostAuthenticationToken) token).getHost();
        }
        if (host != null) {
            this.host = host;
        }
        Session session = subject.getSession(false);
        if (session != null) {
            this.session = decorate(session);
        } else {
            this.session = null;
        }

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

        Subject subject = SecurityUtils.getSubject();
        subject.logout();

        if (!subject.isAuthenticated()) {
            response.getOutputStream().print("SUCCESS");
        }
        else {
            response.getOutputStream().print("FAILED");
        }

        String user = request.getParameter("user");
        if (Strings.isBlank(user)) {
            throw new IllegalArgumentException("Missing 'user' parameter!");
        }

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken(user, "secret"));

        if (subject.isAuthenticated()) {
            response.getOutputStream().print("SUCCESS");
        }
        else {
            response.getOutputStream().print("FAILED");
        }

    @Override
    public FeatureUser getCurrentUser() {

        // will always return a result
        Subject subject = SecurityUtils.getSubject();

        // only allow authenticated user
        if (subject.isAuthenticated()) {
            return new SimpleFeatureUser(subject.getPrincipal().toString(), subject.hasRole(featureAdminRole));
        }

        // user is not authenticated
        return null;
