Package org.apache.shiro.mgt

Class DefaultSecurityManager

  • All Implemented Interfaces:
    Authenticator, Authorizer, org.apache.shiro.cache.CacheManagerAware, org.apache.shiro.event.EventBusAware, SecurityManager, SessionManager, org.apache.shiro.util.Destroyable
    public class DefaultSecurityManager
extends SessionsSecurityManager
    The Shiro framework's default concrete implementation of the SecurityManager interface, based around a collection of Realms. This implementation delegates its authentication, authorization, and session operations to wrapped Authenticator, Authorizer, and SessionManager instances respectively via superclass implementation.

    To greatly reduce and simplify configuration, this implementation (and its superclasses) will create suitable defaults for all of its required dependencies, except the required one or more Realms. Because Realm implementations usually interact with an application's data model, they are almost always application specific; you will want to specify at least one custom Realm implementation that 'knows' about your application's data/security model (via RealmSecurityManager.setRealm(org.apache.shiro.realm.Realm) or one of the overloaded constructors). All other attributes in this class hierarchy will have suitable defaults for most enterprise applications.

    RememberMe notice: This class supports the ability to configure a RememberMeManager for RememberMe identity services for login/logout, BUT, a default instance will not be created for this attribute at startup.

    Because RememberMe services are inherently client tier-specific and therefore aplication-dependent, if you want RememberMe services enabled, you will have to specify an instance yourself via the setRememberMeManager mutator. However if you're reading this JavaDoc with the expectation of operating in a Web environment, take a look at the org.apache.shiro.web.DefaultWebSecurityManager implementation, which does support RememberMe services by default at startup.
    Since:
    0.2

    • Constructor Detail

      • DefaultSecurityManager

        public DefaultSecurityManager()
        Default no-arg constructor.

      • DefaultSecurityManager

        public DefaultSecurityManager(Realm singleRealm)
        Supporting constructor for a single-realm application.
        Parameters:
        singleRealm - the single realm used by this SecurityManager.

      • DefaultSecurityManager

        public DefaultSecurityManager(Collection<Realm> realms)
        Supporting constructor for multiple realms.
        Parameters:
        realms - the realm instances backing this SecurityManager.

    • Method Detail

      • getSubjectFactory

        public SubjectFactory getSubjectFactory()
        Returns the SubjectFactory responsible for creating Subject instances exposed to the application.
        Returns:
        the SubjectFactory responsible for creating Subject instances exposed to the application.

      • setSubjectFactory

        public void setSubjectFactory(SubjectFactory subjectFactory)
        Sets the SubjectFactory responsible for creating Subject instances exposed to the application.
        Parameters:
        subjectFactory - the SubjectFactory responsible for creating Subject instances exposed to the application.

      • getSubjectDAO

        public SubjectDAO getSubjectDAO()
        Returns the SubjectDAO responsible for persisting Subject state, typically used after login or when an Subject identity is discovered (eg after RememberMe services). Unless configured otherwise, the default implementation is a DefaultSubjectDAO.
        Returns:
        the SubjectDAO responsible for persisting Subject state, typically used after login or when an Subject identity is discovered (eg after RememberMe services).
        Since:
        1.2
        See Also:
        DefaultSubjectDAO

      • setSubjectDAO

        public void setSubjectDAO(SubjectDAO subjectDAO)
        Sets the SubjectDAO responsible for persisting Subject state, typically used after login or when an Subject identity is discovered (eg after RememberMe services). Unless configured otherwise, the default implementation is a DefaultSubjectDAO.
        Parameters:
        subjectDAO - the SubjectDAO responsible for persisting Subject state, typically used after login or when an Subject identity is discovered (eg after RememberMe services).
        Since:
        1.2
        See Also:
        DefaultSubjectDAO

      • setRememberMeManager

        public void setRememberMeManager(RememberMeManager rememberMeManager)

      • createSubjectContext

        protected SubjectContext createSubjectContext()

      • createSubject

        protected Subject createSubject(AuthenticationToken token,
                                AuthenticationInfo info,
                                Subject existing)
        Creates a Subject instance for the user represented by the given method arguments.
        Parameters:
        token - the AuthenticationToken submitted for the successful authentication.
        info - the AuthenticationInfo of a newly authenticated user.
        existing - the existing Subject instance that initiated the authentication attempt
        Returns:
        the Subject instance that represents the context and session data for the newly authenticated subject.

      • rememberMeLogout

        protected void rememberMeLogout(Subject subject)

      • login

        public Subject login(Subject subject,
                     AuthenticationToken token)
              throws AuthenticationException
        First authenticates the AuthenticationToken argument, and if successful, constructs a Subject instance representing the authenticated account's identity.

        Once constructed, the Subject instance is then bound to the application for subsequent access before being returned to the caller.
        Parameters:
        token - the authenticationToken to process for the login attempt.
        subject - the subject against which the authentication attempt will occur
        Returns:
        a Subject representing the authenticated user.
        Throws:
        AuthenticationException - if there is a problem authenticating the specified token.

      • beforeLogout

        protected void beforeLogout(Subject subject)

      • doCreateSubject

        protected Subject doCreateSubject(SubjectContext context)
        Actually creates a Subject instance by delegating to the internal subjectFactory. By the time this method is invoked, all possible SubjectContext data (session, principals, et. al.) has been made accessible using all known heuristics and will be accessible to the subjectFactory via the subjectContext.resolve* methods.
        Parameters:
        context - the populated context (data map) to be used by the SubjectFactory when creating a Subject instance.
        Returns:
        a Subject instance reflecting the data in the specified SubjectContext data map.
        Since:
        1.2
        See Also:
        getSubjectFactory(), SubjectFactory.createSubject(org.apache.shiro.subject.SubjectContext)

      • ensureSecurityManager

        protected SubjectContext ensureSecurityManager(SubjectContext context)
        Determines if there is a SecurityManager instance in the context, and if not, adds 'this' to the context. This ensures the SubjectFactory instance will have access to a SecurityManager during Subject construction if necessary.
        Parameters:
        context - the subject context data that may contain a SecurityManager instance.
        Returns:
        The SubjectContext to use to pass to a SubjectFactory for subject creation.
        Since:
        1.0

      • resolveSession

        protected SubjectContext resolveSession(SubjectContext context)
        Attempts to resolve any associated session based on the context and returns a context that represents this resolved Session to ensure it may be referenced if necessary by the invoked SubjectFactory that performs actual Subject construction.

        If there is a Session already in the context because that is what the caller wants to be used for Subject construction, or if no session is resolved, this method effectively does nothing returns the context method argument unaltered.
        Parameters:
        context - the subject context data that may resolve a Session instance.
        Returns:
        The context to use to pass to a SubjectFactory for subject creation.
        Since:
        1.0

      • logout

        public void logout(Subject subject)
        Description copied from interface: SecurityManager
        Logs out the specified Subject from the system.

        Note that most application developers should not call this method unless they have a good reason for doing so. The preferred way to logout a Subject is to call Subject.logout(), not the SecurityManager directly.

        Framework developers on the other hand might find calling this method directly useful in certain cases.
        Parameters:
        subject - the subject to log out.

      • stopSession

        protected void stopSession(Subject subject)