
Example 1 with SessionKey

Use of org.apache.shiro.session.mgt.SessionKey in project shiro by apache.

In the class DefaultWebSessionManager, method createExposedSession.

protected Session createExposedSession(Session session, SessionKey key) {
    if (!WebUtils.isWeb(key)) {
        return super.createExposedSession(session, key);
    }
    ServletRequest request = WebUtils.getRequest(key);
    ServletResponse response = WebUtils.getResponse(key);
    SessionKey sessionKey = new WebSessionKey(session.getId(), request, response);
    return new DelegatingSession(this, sessionKey);
}
Also used: ServletRequest(javax.servlet.ServletRequest) ShiroHttpServletRequest(org.apache.shiro.web.servlet.ShiroHttpServletRequest) HttpServletRequest(javax.servlet.http.HttpServletRequest) HttpServletResponse(javax.servlet.http.HttpServletResponse) ServletResponse(javax.servlet.ServletResponse) SessionKey(org.apache.shiro.session.mgt.SessionKey) DelegatingSession(org.apache.shiro.session.mgt.DelegatingSession)

Example 2 with SessionKey

Use of org.apache.shiro.session.mgt.SessionKey in project shiro by apache.

In the class SecureRemoteInvocationFactory, method createRemoteInvocation.

/**
 * Creates a {@link RemoteInvocation} with the current session ID as an
 * {@link RemoteInvocation#getAttribute(String) attribute}.
 *
 * @param mi the method invocation that the remote invocation should be based on.
 * @return a remote invocation object containing the current session ID as an attribute.
 */
public RemoteInvocation createRemoteInvocation(MethodInvocation mi) {
    Serializable sessionId = null;
    String host = null;
    boolean sessionManagerMethodInvocation = false;
    // If the calling MI is for a remoting SessionManager delegate, we need to acquire the session ID from the method
    // argument and NOT interact with SecurityUtils/subject.getSession to avoid a stack overflow
    Class miDeclaringClass = mi.getMethod().getDeclaringClass();
    if (SessionManager.class.equals(miDeclaringClass) || NativeSessionManager.class.equals(miDeclaringClass)) {
        sessionManagerMethodInvocation = true;
        // For SessionManager calls, every method except 'start' takes the SessionKey
        // as the first argument, so just get it from there:
        if (!mi.getMethod().getName().equals("start")) {
            SessionKey key = (SessionKey) mi.getArguments()[0];
            sessionId = key.getSessionId();
        }
    }
    // The delegate path above did not yield an ID. Use the injected session id if given
    if (sessionId == null)
        sessionId = this.sessionId;
    // If sessionId is null, only then try the Subject:
    if (sessionId == null) {
        try {
            // HACK Check if can get the securityManager - this'll cause an exception if it's not set
            SecurityUtils.getSecurityManager();
            if (!sessionManagerMethodInvocation) {
                Subject subject = SecurityUtils.getSubject();
                Session session = subject.getSession(false);
                if (session != null) {
                    sessionId = session.getId();
                    host = session.getHost();
                }
            }
        } catch (Exception e) {
            log.trace("No security manager set. Trying next to get session id from system property");
        }
    }
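    // No session ID from the method argument, the injected value or the Subject:
    // try the system property as a last resort: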
    if (sessionId == null) {
        if (log.isTraceEnabled()) {
            log.trace("No Session found for the currently executing subject via subject.getSession(false).  " + "Attempting to revert back to the 'shiro.session.id' system property...");
        }
        sessionId = System.getProperty(SESSION_ID_SYSTEM_PROPERTY_NAME);
        if (sessionId == null && log.isTraceEnabled()) {
            log.trace("No 'shiro.session.id' system property found.  Heuristics have been exhausted; " + "RemoteInvocation will not contain a sessionId.");
        }
    }
    RemoteInvocation ri = new RemoteInvocation(mi);
    if (sessionId != null) {
        ri.addAttribute(SESSION_ID_KEY, sessionId);
    }
    if (host != null) {
        ri.addAttribute(HOST_KEY, host);
    }
    return ri;
}
Also used: RemoteInvocation(org.springframework.remoting.support.RemoteInvocation) Serializable(java.io.Serializable) NativeSessionManager(org.apache.shiro.session.mgt.NativeSessionManager) SessionManager(org.apache.shiro.session.mgt.SessionManager) SessionKey(org.apache.shiro.session.mgt.SessionKey) Subject(org.apache.shiro.subject.Subject) Session(org.apache.shiro.session.Session)

Example 3 with SessionKey

Use of org.apache.shiro.session.mgt.SessionKey in project shiro by apache.

In the class SecureRemoteInvocationFactoryTest, method testSessionManagerProxyNonStartRemoteInvocation.

@Test
public void testSessionManagerProxyNonStartRemoteInvocation() throws Exception {
    SecureRemoteInvocationFactory factory = new SecureRemoteInvocationFactory();
    MethodInvocation mi = createMock(MethodInvocation.class);
    Method method = getMethod("getSession", SessionManager.class);
    expect(mi.getMethod()).andReturn(method).anyTimes();
    String dummySessionId = UUID.randomUUID().toString();
    SessionKey sessionKey = new DefaultSessionKey(dummySessionId);
    Object[] args = { sessionKey };
    expect(mi.getArguments()).andReturn(args).anyTimes();
    replay(mi);
    RemoteInvocation ri = factory.createRemoteInvocation(mi);
    verify(mi);
    assertEquals(dummySessionId, ri.getAttribute(SecureRemoteInvocationFactory.SESSION_ID_KEY));
}
Also used: RemoteInvocation(org.springframework.remoting.support.RemoteInvocation) DefaultSessionKey(org.apache.shiro.session.mgt.DefaultSessionKey) SessionKey(org.apache.shiro.session.mgt.SessionKey) MethodInvocation(org.aopalliance.intercept.MethodInvocation) Method(java.lang.reflect.Method) Test(org.junit.Test)

Example 4 with SessionKey

Use of org.apache.shiro.session.mgt.SessionKey in project shiro by apache.

In the class DefaultWebSessionManager, method createExposedSession.

protected Session createExposedSession(Session session, SessionContext context) {
    if (!WebUtils.isWeb(context)) {
        return super.createExposedSession(session, context);
    }
    ServletRequest request = WebUtils.getRequest(context);
    ServletResponse response = WebUtils.getResponse(context);
    SessionKey key = new WebSessionKey(session.getId(), request, response);
    return new DelegatingSession(this, key);
}
Also used: ServletRequest(javax.servlet.ServletRequest) ShiroHttpServletRequest(org.apache.shiro.web.servlet.ShiroHttpServletRequest) HttpServletRequest(javax.servlet.http.HttpServletRequest) HttpServletResponse(javax.servlet.http.HttpServletResponse) ServletResponse(javax.servlet.ServletResponse) SessionKey(org.apache.shiro.session.mgt.SessionKey) DelegatingSession(org.apache.shiro.session.mgt.DelegatingSession)

Aggregations

SessionKey (org.apache.shiro.session.mgt.SessionKey): 4
ServletRequest (javax.servlet.ServletRequest): 2
ServletResponse (javax.servlet.ServletResponse): 2
HttpServletRequest (javax.servlet.http.HttpServletRequest): 2
HttpServletResponse (javax.servlet.http.HttpServletResponse): 2
DelegatingSession (org.apache.shiro.session.mgt.DelegatingSession): 2
ShiroHttpServletRequest (org.apache.shiro.web.servlet.ShiroHttpServletRequest): 2
RemoteInvocation (org.springframework.remoting.support.RemoteInvocation): 2
Serializable (java.io.Serializable): 1
Method (java.lang.reflect.Method): 1
MethodInvocation (org.aopalliance.intercept.MethodInvocation): 1
Session (org.apache.shiro.session.Session): 1
DefaultSessionKey (org.apache.shiro.session.mgt.DefaultSessionKey): 1
NativeSessionManager (org.apache.shiro.session.mgt.NativeSessionManager): 1
SessionManager (org.apache.shiro.session.mgt.SessionManager): 1
Subject (org.apache.shiro.subject.Subject): 1
Test (org.junit.Test): 1