
Sample code for shiro session management

2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Shiro provides complete enterprise-grade session management that does not depend on the underlying container (such as a web container like Tomcat), so it can be used in both JavaSE and JavaEE environments. It offers session management, session event listening, session storage / persistence, container-independent clustering, expiration / invalidation support, transparent Web support, SSO (single sign-on) support and more. In other words, Shiro's session management can directly replace the session management of a Web container.

Session

A session is the connection maintained while a user interacts with the application: across multiple interactions the application can identify the current user and keep some data for that user. For example, after a successful login on many websites the site remembers the user and knows who the current user is until they log out.

Shiro session support can be used not only in ordinary JavaSE applications but also in JavaEE applications such as web applications, and it is used in the same way in both.

Java code

    login("classpath:shiro.ini", "zhang", "123");
    Subject subject = SecurityUtils.getSubject();
    Session session = subject.getSession();

After a successful login, Subject.getSession() returns the session. It is equivalent to Subject.getSession(true), i.e. a Session is created if none exists yet, while Subject.getSession(false) returns null if no Session has been created (although by default, when session storage is enabled, a Session is created proactively when the Subject is created).

Java code

    session.getId();

Gets the unique identity of the current session.

Java code

    session.getHost();

Gets the host address of the current Subject, which is provided through HostAuthenticationToken.getHost ().

Java code

    session.getTimeout();
    session.setTimeout(milliseconds);

Gets / sets the expiration time of the current Session; if it is not set, the default is the global expiration time of the session manager.

Java code

    session.getStartTimestamp();
    session.getLastAccessTime();

Get the start time and the last access time of the session. In a JavaSE application, session.touch() must be called periodically to update the last access time; in a Web application, ShiroFilter calls session.touch() automatically on every request that passes through it.

Java code

    session.touch();
    session.stop();

Update the last access time of the session, and destroy the session. Subject.logout() calls the stop method automatically to destroy the session. In a web application, calling javax.servlet.http.HttpSession.invalidate() also calls Shiro's Session.stop method to destroy the Shiro session.

Java code

    session.setAttribute("key", "123");
    Assert.assertEquals("123", session.getAttribute("key"));
    session.removeAttribute("key");

Set / get / delete session properties; these properties can be manipulated throughout the session.
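The following program is an added example, not code from the article or from Shiro's own documentation. It walks through the Session API described above in a plain JavaSE process with no realm, no login and no web container (only shiro-core on the classpath is assumed), and in particular shows what happens when a session is left untouched past its timeout: the next access fails with ExpiredSessionException, a subclass of InvalidSessionException, and the expired session is removed from the SessionDAO.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.session.ExpiredSessionException;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

// Added example (not from the original article): exercises the Session API in a
// plain JavaSE process, with no realm, no login and no web container.
public class SessionApiDemo {

    public static void main(String[] args) throws InterruptedException {
        // DefaultSecurityManager wires DefaultSessionManager + MemorySessionDAO by default.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager());
        Subject subject = SecurityUtils.getSubject();

        // A fresh anonymous subject has no session yet: getSession(false) returns null.
        if (subject.getSession(false) != null) {
            throw new IllegalStateException("no session expected before first use");
        }

        // getSession() is getSession(true): the session is created on first use.
        Session session = subject.getSession();
        System.out.println("id=" + session.getId() + " host=" + session.getHost());

        // Attributes are available for the whole life of the session.
        session.setAttribute("cart", "book-42");
        System.out.println("cart=" + session.getAttribute("cart"));

        // A per-session timeout (milliseconds) overrides the manager's globalSessionTimeout.
        session.setTimeout(500);
        System.out.println("start=" + session.getStartTimestamp()
                + " lastAccess=" + session.getLastAccessTime());

        // In JavaSE nothing calls touch() on our behalf, so sleeping past the timeout
        // without touching the session lets it expire.
        Thread.sleep(700);
        try {
            session.getAttribute("cart"); // each access validates the session first
            System.out.println("unexpected: session still valid");
        } catch (ExpiredSessionException e) {
            // Expiry is detected lazily, on access; the expired session is then removed
            // from the SessionDAO because deleteInvalidSessions is true by default.
            System.out.println("expired: " + e.getMessage());
        }

        // Every later use of an expired or stopped session fails with a subclass of
        // InvalidSessionException (here UnknownSessionException, since the session was
        // deleted); a web layer catches this to send the user back to the login page.
        try {
            session.touch();
        } catch (InvalidSessionException e) {
            System.out.println("invalid: " + e.getClass().getSimpleName());
        }

        // Explicit stop(): the subject drops its reference, so getSession(false) is null again.
        Subject other = new Subject.Builder().buildSubject();
        Session second = other.getSession();
        second.stop();
        System.out.println("after stop, session present: " + (other.getSession(false) != null));
    }
}
```

The 500 ms timeout is only there to make expiry observable in a demo; in a real deployment the per-session timeout is set in minutes, and the important point is that an expired session is never silently revived, so code that keeps a Session reference across requests must be prepared for InvalidSessionException on any call.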

The session provided by Shiro can be used in the JavaSE/JavaEE environment, does not depend on any underlying container, can be used independently, and is a complete session module.

Session manager

The session manager manages the creation, maintenance, deletion, invalidation, validation and other work of all Subject sessions in the application. It is a core component of Shiro: the top-level component SecurityManager directly extends SessionManager, and the SessionsSecurityManager implementation delegates session management to the corresponding SessionManager. DefaultSecurityManager and DefaultWebSecurityManager, the default SecurityManager implementations, both extend SessionsSecurityManager.

SecurityManager provides the following APIs:

Java code

    Session start(SessionContext context); // start a session
    Session getSession(SessionKey key) throws SessionException; // get a session by its SessionKey

In addition, WebSessionManager for Web environment provides the following APIs:

Java code

    boolean isServletContainerSessions(); // whether the Servlet container's sessions are used

Shiro also provides ValidatingSessionManager for validating sessions and expiring the ones that have timed out:

Java code

    void validateSessions(); // validate all sessions and expire those that have timed out

Shiro provides three default implementations:

DefaultSessionManager: the default implementation used by DefaultSecurityManager, for the JavaSE environment.

ServletContainerSessionManager: the default implementation used by DefaultWebSecurityManager, for the Web environment; it uses the Servlet container's sessions directly.

DefaultWebSessionManager: an implementation for the Web environment that can replace ServletContainerSessionManager. It maintains sessions itself and abandons the Servlet container's session management entirely.

To replace SecurityManager's default SessionManager, configure it in ini (shiro.ini):

Java code

    [main]
    sessionManager=org.apache.shiro.session.mgt.DefaultSessionManager
    securityManager.sessionManager=$sessionManager

Ini configuration in Web environment (shiro-web.ini):

Java code

    [main]
    sessionManager=org.apache.shiro.web.session.mgt.ServletContainerSessionManager
    securityManager.sessionManager=$sessionManager

You can also set the global expiration time of the session (in milliseconds). The default is 30 minutes:

Java code

    sessionManager.globalSessionTimeout=1800000

By default, globalSessionTimeout applies to all Sessions. The timeout of an individual Session can be set separately through that Session's timeout property.

In addition, if ServletContainerSessionManager is used for session management, the Session timeout depends on the timeout of the underlying Servlet container, which is configured (in minutes) in web.xml:

Java code

    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>

In the Servlet container a JSESSIONID Cookie maintains the session by default, and the session is bound to the container. When you need your own session mechanism, DefaultWebSessionManager can maintain the session instead:

Java code

    sessionIdCookie=org.apache.shiro.web.servlet.SimpleCookie
    sessionManager=org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    sessionIdCookie.name=sid
    #sessionIdCookie.domain=sishuok.com
    #sessionIdCookie.path=
    sessionIdCookie.maxAge=1800
    sessionIdCookie.httpOnly=true
    sessionManager.sessionIdCookie=$sessionIdCookie
    sessionManager.sessionIdCookieEnabled=true
    securityManager.sessionManager=$sessionManager

sessionIdCookie is the template from which sessionManager creates the session Cookie:

sessionIdCookie.name: the Cookie name. Default is JSESSIONID.

sessionIdCookie.domain: the Cookie domain. The default is empty, i.e. the domain currently being accessed.

sessionIdCookie.path: the Cookie path. The default is empty, i.e. the root of the domain.

sessionIdCookie.maxAge: the Cookie lifetime in seconds. The default of -1 means the Cookie expires when the browser is closed.

sessionIdCookie.httpOnly: if true, the Cookie is not exposed to client-side script; an HttpOnly cookie helps reduce some kinds of cross-site scripting attacks. This requires a Servlet container that supports the Servlet 2.5 MR6 specification or later.

sessionManager.sessionIdCookieEnabled: whether the session id Cookie is enabled; it is enabled by default. If disabled, no session id Cookie is set, so the Servlet container's JSESSIONID is used by default and the session id is carried by URL rewriting (the ";JSESSIONID=id" part of the URL).

The Cookie template can also be configured through the sessionManager directly, as in sessionManager.sessionIdCookie.name=sid.
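The fragment below is an added example, not configuration from the article; it puts the loose cookie settings that are easy to ship by accident next to the hardened ones. The `secure` flag is a standard property of SimpleCookie; `sessionIdUrlRewritingEnabled` is a DefaultWebSessionManager property that exists in Shiro 1.3 and later (not in the 1.2.2 line the article uses), so it is an assumption about the version deployed.

```ini
[main]
sessionManager=org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionIdCookie=org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.name=sid

# Weak (shown commented out): the session id is readable by page scripts and is
# also sent over plain HTTP, so an XSS or a network observer can copy it.
#sessionIdCookie.httpOnly=false
#sessionIdCookie.secure=false

# Hardened: unreachable from JavaScript, sent only over TLS, and discarded when
# the browser closes instead of surviving on disk for 30 minutes.
sessionIdCookie.httpOnly=true
sessionIdCookie.secure=true
sessionIdCookie.maxAge=-1

sessionManager.sessionIdCookie=$sessionIdCookie
sessionManager.sessionIdCookieEnabled=true
# Shiro 1.3+: never fall back to ";JSESSIONID=..." URL rewriting, which leaks the
# id into access logs, Referer headers and bookmarks.
sessionManager.sessionIdUrlRewritingEnabled=false
securityManager.sessionManager=$sessionManager
```

A quick check after deployment is to log in and inspect the Set-Cookie header for `sid`: it should carry both `HttpOnly` and `Secure`, and no link on the page should contain `;JSESSIONID=`.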

Session listener

Session listeners are used to listen for session creation, expiration, and stop events:

Java code

    import org.apache.shiro.session.Session;
    import org.apache.shiro.session.SessionListener;

    public class MySessionListener1 implements SessionListener {
        @Override
        public void onStart(Session session) { // triggered when the session is created
            System.out.println("session creation:" + session.getId());
        }
        @Override
        public void onExpiration(Session session) { // triggered when the session expires
            System.out.println("session expiration:" + session.getId());
        }
        @Override
        public void onStop(Session session) { // triggered when the session stops (logout)
            System.out.println("session stop:" + session.getId());
        }
    }

If you only want to listen for one kind of event, extend SessionListenerAdapter instead:

Java code

    import org.apache.shiro.session.Session;
    import org.apache.shiro.session.SessionListenerAdapter;

    public class MySessionListener2 extends SessionListenerAdapter {
        @Override
        public void onStart(Session session) {
            System.out.println("session creation:" + session.getId());
        }
    }

You can configure session listeners in the shiro-web.ini configuration file as follows:

Java code

    sessionListener1=com.github.zhangkaitao.shiro.chapter10.web.listener.MySessionListener1
    sessionListener2=com.github.zhangkaitao.shiro.chapter10.web.listener.MySessionListener2
    sessionManager.sessionListeners=$sessionListener1,$sessionListener2

Session storage / persistence

Shiro provides SessionDAO for session CRUD, i.e. an implementation of the DAO (Data Access Object) pattern:

Java code

    public interface SessionDAO {
        // Called e.g. by DefaultSessionManager after it creates a session. Persisting the session
        // here (relational database / file system / NoSQL store) gives session persistence.
        // Returns the session ID; the returned ID must equal session.getId().
        Serializable create(Session session);
        // Read a session by its ID
        Session readSession(Serializable sessionId) throws UnknownSessionException;
        // Update a session, e.g. after the last access time changes, the session is stopped,
        // the timeout is set, or an attribute is set or removed
        void update(Session session) throws UnknownSessionException;
        // Delete a session; called when the session expires or stops (e.g. when the user logs out)
        void delete(Session session);
        // Get all currently active sessions; with many users this method hurts performance
        Collection<Session> getActiveSessions();
    }

The following SessionDAO implementations are built into Shiro:

AbstractSessionDAO provides the basic SessionDAO implementation, such as generating session IDs; CachingSessionDAO provides session caching that is transparent to developers, requiring only that the corresponding CacheManager be set; MemorySessionDAO maintains sessions directly in memory; EnterpriseCacheSessionDAO provides cached session maintenance, by default using a MapCache backed internally by a ConcurrentHashMap.

You can set up SessionDAO with the following configuration:

Java code

    sessionDAO=org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
    sessionManager.sessionDAO=$sessionDAO

Shiro provides session storage using Ehcache, and Ehcache can work with Terracotta to implement a container-independent distributed cluster.

First, add the following dependencies to pom.xml:

Java code

    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-ehcache</artifactId>
        <version>1.2.2</version>
    </dependency>

Then configure the shiro-web.ini file:

Java code

    sessionDAO=org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
    sessionDAO.activeSessionsCacheName=shiro-activeSessionCache
    sessionManager.sessionDAO=$sessionDAO
    cacheManager=org.apache.shiro.cache.ehcache.EhCacheManager
    cacheManager.cacheManagerConfigFile=classpath:ehcache.xml
    securityManager.cacheManager=$cacheManager

sessionDAO.activeSessionsCacheName: the name of the Session cache. Default is shiro-activeSessionCache.

cacheManager: the cache manager that manages the caches, implemented here with Ehcache.

cacheManager.cacheManagerConfigFile: the Ehcache configuration file.

securityManager.cacheManager: setting the cacheManager on SecurityManager automatically sets it on the objects that implement the CacheManagerAware interface, such as the cacheManager of SessionDAO.

Then configure ehcache.xml:


The Cache name is shiro-activeSessionCache, matching the activeSessionsCacheName property set on sessionDAO.

You can also set up the session ID generator with the following ini configuration:

Java code

    sessionIdGenerator=org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator
    sessionDAO.sessionIdGenerator=$sessionIdGenerator

It generates session IDs. The default is JavaUuidSessionIdGenerator, which generates them with java.util.UUID.

To write your own SessionDAO implementation, you can extend CachingSessionDAO:

Java code

    import java.io.Serializable;
    import java.util.List;

    import org.apache.shiro.session.Session;
    import org.apache.shiro.session.mgt.ValidatingSession;
    import org.apache.shiro.session.mgt.eis.CachingSessionDAO;
    import org.springframework.jdbc.core.JdbcTemplate;

    public class MySessionDAO extends CachingSessionDAO {

        private JdbcTemplate jdbcTemplate = JdbcTemplateUtils.jdbcTemplate();

        protected Serializable doCreate(Session session) {
            Serializable sessionId = generateSessionId(session);
            assignSessionId(session, sessionId);
            String sql = "insert into sessions(id, session) values(?,?)";
            jdbcTemplate.update(sql, sessionId, SerializableUtils.serialize(session));
            return session.getId();
        }

        protected void doUpdate(Session session) {
            if (session instanceof ValidatingSession && !((ValidatingSession) session).isValid()) {
                return; // an expired / stopped session no longer needs updating
            }
            String sql = "update sessions set session=? where id=?";
            jdbcTemplate.update(sql, SerializableUtils.serialize(session), session.getId());
        }

        protected void doDelete(Session session) {
            String sql = "delete from sessions where id=?";
            jdbcTemplate.update(sql, session.getId());
        }

        protected Session doReadSession(Serializable sessionId) {
            String sql = "select session from sessions where id=?";
            List<String> sessionStrList = jdbcTemplate.queryForList(sql, String.class, sessionId);
            if (sessionStrList.size() == 0) return null;
            return SerializableUtils.deserialize(sessionStrList.get(0));
        }
    }

doCreate / doUpdate / doDelete / doReadSession create, modify, delete and read sessions respectively; here the sessions are serialized and stored in the database. Then configure it in shiro-web.ini:

Java code

    sessionDAO=com.github.zhangkaitao.shiro.chapter10.session.dao.MySessionDAO

The other settings stay the same as before. Because it extends CachingSessionDAO, a read first checks the cache and only queries the database when the session is not found there.

Session validation

Shiro provides a session validation scheduler that periodically checks whether sessions have expired and stops those that have. For performance reasons, expiry is normally checked only when a session is fetched, and the session is stopped at that point. In a web environment, however, if the user never logs out explicitly the application has no way of noticing that the session has expired, so sessions must be checked periodically. Shiro's SessionValidationScheduler does exactly this.

Session validation can be enabled with the following ini configuration:

Java code

    sessionValidationScheduler=org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
    sessionValidationScheduler.interval=3600000
    sessionValidationScheduler.sessionManager=$sessionManager
    sessionManager.globalSessionTimeout=1800000
    sessionManager.sessionValidationSchedulerEnabled=true
    sessionManager.sessionValidationScheduler=$sessionValidationScheduler

sessionValidationScheduler: the session validation scheduler. SessionManager uses ExecutorServiceSessionValidationScheduler by default, which uses the JDK's ScheduledExecutorService to run periodically and check whether sessions have expired.

sessionValidationScheduler.interval: the scheduling interval in milliseconds. The default is 1 hour.

sessionValidationScheduler.sessionManager: the session manager whose sessions the scheduler validates.

sessionManager.globalSessionTimeout: the global session timeout. The default is 30 minutes, i.e. a session expires if it is not accessed for 30 minutes.

sessionManager.sessionValidationSchedulerEnabled: whether the session validation scheduler is enabled. It is enabled by default.

sessionManager.sessionValidationScheduler: the session validation scheduler to use. The default is ExecutorServiceSessionValidationScheduler.
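The program below is an added example, not code from the article or from the Shiro project. It wires the scheduler described above programmatically in JavaSE (only shiro-core is assumed), with a very short globalSessionTimeout and interval so the effect is visible within a second: two sessions are started and then abandoned, nothing ever touches them, and the scheduler alone detects the expiry, fires the SessionListener's onExpiration and removes them from the SessionDAO. This is the "user closed the tab without logging out" case the text describes, where no request will ever trigger the lazy on-access check.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.session.SessionListenerAdapter;
import org.apache.shiro.session.mgt.DefaultSessionContext;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler;
import org.apache.shiro.session.mgt.eis.SessionDAO;

// Added example (not from the original article): scheduled validation of abandoned sessions.
public class ScheduledValidationDemo {

    public static void main(String[] args) throws Exception {
        DefaultSessionManager sessionManager = new DefaultSessionManager();
        // Demo values: 500 ms timeout and 300 ms interval instead of the article's 30 min / 1 h.
        sessionManager.setGlobalSessionTimeout(500);

        // Count expirations through a listener; it fires whichever path detects the expiry.
        final AtomicInteger expired = new AtomicInteger();
        List<SessionListener> listeners = new ArrayList<SessionListener>();
        listeners.add(new SessionListenerAdapter() {
            @Override
            public void onExpiration(Session session) {
                expired.incrementAndGet();
                System.out.println("expired by scheduler: " + session.getId());
            }
        });
        sessionManager.setSessionListeners(listeners);

        // The scheduler calls sessionManager.validateSessions() every interval ms. It is
        // started lazily the first time the manager creates or looks up a session.
        ExecutorServiceSessionValidationScheduler scheduler =
                new ExecutorServiceSessionValidationScheduler(sessionManager);
        scheduler.setInterval(300);
        sessionManager.setSessionValidationScheduler(scheduler);
        sessionManager.setSessionValidationSchedulerEnabled(true);

        // Two sessions that are then abandoned: nobody calls touch(), nobody calls stop().
        Session a = sessionManager.start(new DefaultSessionContext());
        Session b = sessionManager.start(new DefaultSessionContext());
        SessionDAO dao = sessionManager.getSessionDAO();
        System.out.println("active before: " + dao.getActiveSessions().size()
                + " (" + a.getId() + ", " + b.getId() + ")");

        // Wait for at least one scheduler run after the 500 ms timeout has elapsed.
        Thread.sleep(1200);

        // With deleteInvalidSessions=true (the default) the expired sessions are gone from the
        // DAO, and the listener has seen both of them.
        System.out.println("active after: " + dao.getActiveSessions().size()
                + ", expirations seen: " + expired.get());

        // Shut the scheduler's executor down so the JVM can exit.
        sessionManager.destroy();
    }
}
```

Two things to take from the run: the sessions disappear without any access from the client side, which is what keeps a persisted or cached session store from filling up with dead sessions, and onExpiration is the hook to audit or react to that (for example, releasing per-user resources). The sessionManager.destroy() call matters in real deployments too: without it the validation thread keeps the process alive on shutdown.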

Shiro also provides a Quartz-based session validation scheduler:

Java code

    sessionValidationScheduler=org.apache.shiro.session.mgt.quartz.QuartzSessionValidationScheduler
    sessionValidationScheduler.sessionValidationInterval=3600000
    sessionValidationScheduler.sessionManager=$sessionManager

To use it, add the shiro-quartz dependency:

Java code

    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-quartz</artifactId>
        <version>1.2.2</version>
    </dependency>

All of the session validation scheduler implementations above call the validateSessions method of AbstractValidatingSessionManager, which in turn calls the getActiveSessions method of SessionDAO to load every session for validation. With a very large number of sessions this hurts performance, so you can instead fetch and validate sessions page by page, as in com.github.zhangkaitao.shiro.chapter10.session.scheduler.MySessionValidationScheduler:

Java code

    // Fetch sessions page by page and validate each one
    String sql = "select session from sessions limit ?,?";
    int start = 0;  // starting record
    int size = 20;  // page size
    List<String> sessionList = jdbcTemplate.queryForList(sql, String.class, start, size);
    while (sessionList.size() > 0) {
        for (String sessionStr : sessionList) {
            try {
                Session session = SerializableUtils.deserialize(sessionStr);
                // validate(Session, SessionKey) is protected on AbstractValidatingSessionManager,
                // so it is invoked reflectively
                Method validateMethod = ReflectionUtils.findMethod(AbstractValidatingSessionManager.class,
                        "validate", Session.class, SessionKey.class);
                validateMethod.setAccessible(true);
                ReflectionUtils.invokeMethod(validateMethod, sessionManager, session,
                        new DefaultSessionKey(session.getId()));
            } catch (Exception e) {
                // ignore: validate() throws for an expired session after expiring and deleting it
            }
        }
        start = start + size;
        sessionList = jdbcTemplate.queryForList(sql, String.class, start, size);
    }

It is adapted directly from ExecutorServiceSessionValidationScheduler; the code above is the core of the validation, and you can adjust this scheduler to your own needs. The ini configuration is the same as before.

If you do not want expired sessions to be deleted when they expire, set the following in ini:

Java code

    sessionManager.deleteInvalidSessions=false

It is enabled by default: after a session expires, the delete method of SessionDAO is called to remove it. If sessions are persisted, that method is where the persisted copy is deleted.

If the session turns out to be expired when it is fetched, an InvalidSessionException is thrown, so you need to catch this exception and redirect to a page telling the user that the session has expired and they must log in again. For example, configure the corresponding error page in web.xml:

Java code

    <error-page>
        <exception-type>org.apache.shiro.session.InvalidSessionException</exception-type>
        <location>/invalidSession.jsp</location>
    </error-page>

SessionFactory

SessionFactory is the factory that creates sessions from the corresponding Subject context information; by default SimpleSessionFactory is provided, which creates SimpleSession sessions.

First, customize a Session:

Java code

    import org.apache.shiro.session.mgt.SimpleSession;

    public class OnlineSession extends SimpleSession {

        public static enum OnlineStatus {
            on_line("online"), hidden("invisible"), force_logout("forced logout");

            private final String info;

            private OnlineStatus(String info) {
                this.info = info;
            }

            public String getInfo() {
                return info;
            }
        }

        private String userAgent;                           // the user's browser type
        private OnlineStatus status = OnlineStatus.on_line; // online status
        private String systemHost;                          // system IP the user logged in to
        // other fields, getters and setters omitted
    }

OnlineSession stores the online status of currently logged-in users and supports controls such as forcing a user offline.

Then customize the SessionFactory:

Java code

    import javax.servlet.http.HttpServletRequest;

    import org.apache.shiro.session.Session;
    import org.apache.shiro.session.mgt.SessionContext;
    import org.apache.shiro.session.mgt.SessionFactory;
    import org.apache.shiro.web.session.mgt.WebSessionContext;

    public class OnlineSessionFactory implements SessionFactory {
        @Override
        public Session createSession(SessionContext initData) {
            OnlineSession session = new OnlineSession();
            if (initData != null && initData instanceof WebSessionContext) {
                WebSessionContext sessionContext = (WebSessionContext) initData;
                HttpServletRequest request = (HttpServletRequest) sessionContext.getServletRequest();
                if (request != null) {
                    session.setHost(IpUtils.getIpAddr(request));
                    session.setUserAgent(request.getHeader("User-Agent"));
                    session.setSystemHost(request.getLocalAddr() + ":" + request.getLocalPort());
                }
            }
            return session;
        }
    }

Create the appropriate OnlineSession based on the session context.
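The program below is an added example, not code from the article. It wires a custom SessionFactory into DefaultSessionManager programmatically in JavaSE (only shiro-core assumed) and shows a point the web version glosses over: the Session handed to the Subject is a DelegatingSession proxy, not the OnlineSession itself, so status fields of the custom type are only reachable through the SessionDAO. The OnlineSession and factory here are simplified stand-ins modelled on the article's classes, and the client host is a constructed value.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.SessionContext;
import org.apache.shiro.session.mgt.SessionFactory;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.subject.Subject;

// Added example (not from the original article): custom session type + factory in JavaSE.
public class OnlineSessionDemo {

    // Simplified stand-in for the article's OnlineSession: SimpleSession plus an online status.
    public static class OnlineSession extends SimpleSession {
        public enum OnlineStatus { ON_LINE, HIDDEN, FORCE_LOGOUT }
        private OnlineStatus status = OnlineStatus.ON_LINE;
        public OnlineStatus getStatus() { return status; }
        public void setStatus(OnlineStatus status) { this.status = status; }
    }

    // JavaSE version of the factory: there is no HttpServletRequest here, only the
    // SessionContext, so the host is copied from the context.
    public static class OnlineSessionFactory implements SessionFactory {
        @Override
        public Session createSession(SessionContext initData) {
            OnlineSession session = new OnlineSession();
            if (initData != null) {
                session.setHost(initData.getHost());
            }
            return session;
        }
    }

    public static void main(String[] args) {
        DefaultSessionManager sessionManager = new DefaultSessionManager();
        sessionManager.setSessionFactory(new OnlineSessionFactory());
        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setSessionManager(sessionManager);
        SecurityUtils.setSecurityManager(securityManager);

        // A subject that reports a (constructed) client host; it ends up in the SessionContext.
        Subject subject = new Subject.Builder().host("203.0.113.10").buildSubject();
        Session exposed = subject.getSession(); // a DelegatingSession proxy, not an OnlineSession

        // The stored object, and therefore the custom fields, are only reachable through the DAO.
        Session stored = sessionManager.getSessionDAO().readSession(exposed.getId());
        System.out.println("exposed type: " + exposed.getClass().getSimpleName()
                + ", stored type: " + stored.getClass().getSimpleName()
                + ", host=" + stored.getHost());

        // Administrative "force logout": flag the stored session, persist the change through
        // the DAO, then stop the session so the user's next access fails validation.
        OnlineSession online = (OnlineSession) stored;
        online.setStatus(OnlineSession.OnlineStatus.FORCE_LOGOUT);
        sessionManager.getSessionDAO().update(online);
        exposed.stop();
        System.out.println("status=" + online.getStatus()
                + ", subject still has session: " + (subject.getSession(false) != null));
    }
}
```

In a web deployment the same pattern applies: a filter that wants to enforce the force_logout status reads the real session through the SessionDAO (or through a custom SessionManager that exposes it), because the proxy returned by Subject.getSession() only offers the generic Session interface.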

Finally, configure in the shiro-web.ini configuration file:

Java code

    sessionFactory=org.apache.shiro.session.mgt.OnlineSessionFactory
    sessionManager.sessionFactory=$sessionFactory

Summary

The above is the introduction to Shiro session management by the editor. I hope it is helpful to you. If you have any questions, please leave a message and the editor will reply in time. Thank you very much for your support of the website!
