JSecurity

org.jsecurity.session.mgt
Class AbstractValidatingSessionManager

java.lang.Object
  extended by org.jsecurity.session.mgt.AbstractSessionManager
      extended by org.jsecurity.session.mgt.AbstractValidatingSessionManager
All Implemented Interfaces:
SessionManager, ValidatingSessionManager, SessionListenerRegistrar, Destroyable
Direct Known Subclasses:
DefaultSessionManager

public abstract class AbstractValidatingSessionManager
extends AbstractSessionManager
implements ValidatingSessionManager, Destroyable

Default business-tier implementation of the ValidatingSessionManager interface.

Since:
0.1
Author:
Les Hazlewood, Jeremy Haile

Field Summary
static long DEFAULT_GLOBAL_SESSION_TIMEOUT
          Default main session timeout value (30 * 60 * 1000 milliseconds = 30 minutes).
static long DEFAULT_SESSION_VALIDATION_INTERVAL
          The default interval at which sessions will be validated (1 hour). This can be overridden by calling setSessionValidationInterval(long).
protected  long globalSessionTimeout
           
protected static long MILLIS_PER_HOUR
           
protected static long MILLIS_PER_MINUTE
           
protected static long MILLIS_PER_SECOND
           
protected  long sessionValidationInterval
           
protected  SessionValidationScheduler sessionValidationScheduler
          Scheduler used to validate sessions on a regular basis.
protected  boolean sessionValidationSchedulerEnabled
           
 
Fields inherited from class org.jsecurity.session.mgt.AbstractSessionManager
listeners
 
Constructor Summary
AbstractValidatingSessionManager()
           
 
Method Summary
protected  void afterSessionValidationEnabled()
           
protected  void beforeSessionValidationDisabled()
           
protected  Session createSession(InetAddress originatingHost)
           
protected  SessionValidationScheduler createSessionValidationScheduler()
           
 void destroy()
          Called when this object is being destroyed, allowing any necessary cleanup of internal resources.
protected  void disableSessionValidation()
           
protected abstract  Session doCreateSession(InetAddress originatingHost)
           
protected  Session doGetSession(Serializable sessionId)
           
protected  void enableSessionValidation()
           
 void enableSessionValidationIfNecessary()
           
protected abstract  Collection<Session> getActiveSessions()
           
 long getGlobalSessionTimeout()
          Returns the time in milliseconds that any session may remain idle before expiring.
 long getSessionValidationInterval()
           
 SessionValidationScheduler getSessionValidationScheduler()
           
protected  long getTimeout(Session session)
          Subclass template hook in case per-session timeout is not based on Session.getTimeout().
 boolean isSessionValidationSchedulerEnabled()
           
protected abstract  Session retrieveSession(Serializable sessionId)
           
 void setGlobalSessionTimeout(int globalSessionTimeout)
          Sets the time in milliseconds that any session may remain idle before expiring.
 void setSessionValidationInterval(long sessionValidationInterval)
          If using the underlying default SessionValidationScheduler (that is, the setSessionValidationScheduler method is never called), this method allows one to specify how frequently sessions should be validated (to check for orphans).
 void setSessionValidationScheduler(SessionValidationScheduler sessionValidationScheduler)
           
 void setSessionValidationSchedulerEnabled(boolean sessionValidationSchedulerEnabled)
           
protected  void validate(Session session)
           
 void validateSession(Serializable sessionId)
          Proactively validates a single session.
 void validateSessions()
          Performs session validation for all open/active sessions in the system (those that have not been stopped or expired), and validates each one.
 
Methods inherited from class org.jsecurity.session.mgt.AbstractSessionManager
add, beforeInvalidNotification, getAttribute, getAttributeKeys, getHostAddress, getLastAccessTime, getSession, getStartTimestamp, getTimeout, isValid, notifyExpiration, notifyStart, notifyStop, onChange, onExpiration, onStop, remove, removeAttribute, setAttribute, setSessionListeners, setTimeout, start, stop, stop, touch
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface org.jsecurity.session.mgt.SessionManager
getAttribute, getAttributeKeys, getHostAddress, getLastAccessTime, getStartTimestamp, getTimeout, isValid, removeAttribute, setAttribute, setTimeout, start, stop, touch
 

Field Detail

MILLIS_PER_SECOND

protected static final long MILLIS_PER_SECOND
See Also:
Constant Field Values

MILLIS_PER_MINUTE

protected static final long MILLIS_PER_MINUTE
See Also:
Constant Field Values

MILLIS_PER_HOUR

protected static final long MILLIS_PER_HOUR
See Also:
Constant Field Values

DEFAULT_GLOBAL_SESSION_TIMEOUT

public static final long DEFAULT_GLOBAL_SESSION_TIMEOUT
Default main session timeout value (30 * 60 * 1000 milliseconds = 30 minutes).

See Also:
Constant Field Values

DEFAULT_SESSION_VALIDATION_INTERVAL

public static final long DEFAULT_SESSION_VALIDATION_INTERVAL
The default interval at which sessions will be validated (1 hour). This can be overridden by calling setSessionValidationInterval(long).

See Also:
Constant Field Values

sessionValidationSchedulerEnabled

protected boolean sessionValidationSchedulerEnabled

sessionValidationScheduler

protected SessionValidationScheduler sessionValidationScheduler
Scheduler used to validate sessions on a regular basis.


sessionValidationInterval

protected long sessionValidationInterval

globalSessionTimeout

protected long globalSessionTimeout
Constructor Detail

AbstractValidatingSessionManager

public AbstractValidatingSessionManager()
Method Detail

isSessionValidationSchedulerEnabled

public boolean isSessionValidationSchedulerEnabled()

setSessionValidationSchedulerEnabled

public void setSessionValidationSchedulerEnabled(boolean sessionValidationSchedulerEnabled)

setSessionValidationScheduler

public void setSessionValidationScheduler(SessionValidationScheduler sessionValidationScheduler)

getSessionValidationScheduler

public SessionValidationScheduler getSessionValidationScheduler()

enableSessionValidationIfNecessary

public void enableSessionValidationIfNecessary()

getGlobalSessionTimeout

public long getGlobalSessionTimeout()
Returns the time in milliseconds that any session may remain idle before expiring. This value is just a main default for all sessions and may be overridden by subclasses on a per-session basis by overriding the getTimeout(Session) method if so desired.

Unless overridden via the setGlobalSessionTimeout(int) method, the default value is DEFAULT_GLOBAL_SESSION_TIMEOUT.

Returns:
the time in milliseconds that any session may remain idle before expiring.

setGlobalSessionTimeout

public void setGlobalSessionTimeout(int globalSessionTimeout)
Sets the time in milliseconds that any session may remain idle before expiring. This value is just a main default for all sessions. Subclasses may override the getTimeout(org.jsecurity.session.Session) method to determine time-out values on a per-session basis.

Parameters:
globalSessionTimeout - the time in milliseconds any session may remain idle before expiring.

setSessionValidationInterval

public void setSessionValidationInterval(long sessionValidationInterval)
If using the underlying default SessionValidationScheduler (that is, the setSessionValidationScheduler method is never called), this method allows one to specify how frequently sessions should be validated (to check for orphans). The default value is DEFAULT_SESSION_VALIDATION_INTERVAL.

If you override the default scheduler, it is assumed that the overriding instance 'knows' how often to validate sessions, and this attribute will be ignored.

Unless this method is called, the default value is DEFAULT_SESSION_VALIDATION_INTERVAL.

Parameters:
sessionValidationInterval - the time in milliseconds between checking for valid sessions to reap orphans.

getSessionValidationInterval

public long getSessionValidationInterval()

doGetSession

protected final Session doGetSession(Serializable sessionId)
                              throws InvalidSessionException
Specified by:
doGetSession in class AbstractSessionManager
Throws:
InvalidSessionException

retrieveSession

protected abstract Session retrieveSession(Serializable sessionId)
                                    throws InvalidSessionException
Throws:
InvalidSessionException

createSession

protected final Session createSession(InetAddress originatingHost)
                               throws HostUnauthorizedException,
                                      IllegalArgumentException
Specified by:
createSession in class AbstractSessionManager
Throws:
HostUnauthorizedException
IllegalArgumentException

doCreateSession

protected abstract Session doCreateSession(InetAddress originatingHost)
                                    throws HostUnauthorizedException,
                                           IllegalArgumentException
Throws:
HostUnauthorizedException
IllegalArgumentException

validate

protected void validate(Session session)
                 throws InvalidSessionException
Throws:
InvalidSessionException

getTimeout

protected long getTimeout(Session session)
Subclass template hook in case per-session timeout is not based on Session.getTimeout().

This implementation merely returns Session.getTimeout()

Parameters:
session - the session for which to determine session timeout.
Returns:
the time in milliseconds the specified session may remain idle before expiring.

createSessionValidationScheduler

protected SessionValidationScheduler createSessionValidationScheduler()

enableSessionValidation

protected void enableSessionValidation()

afterSessionValidationEnabled

protected void afterSessionValidationEnabled()

disableSessionValidation

protected void disableSessionValidation()

beforeSessionValidationDisabled

protected void beforeSessionValidationDisabled()

destroy

public void destroy()
Description copied from interface: Destroyable
Called when this object is being destroyed, allowing any necessary cleanup of internal resources.

Specified by:
destroy in interface Destroyable

validateSessions

public void validateSessions()
Description copied from interface: ValidatingSessionManager
Performs session validation for all open/active sessions in the system (those that have not been stopped or expired), and validates each one. If a session is found to be invalid (e.g. it has expired), it is updated and saved to the EIS.

This method is necessary in order to handle orphaned sessions and is expected to be run at a regular interval, such as once an hour, once a day or once a week, etc. The "best" frequency to run this method is entirely dependent upon the application and would be based on factors such as performance, average number of active users, hours of least activity, and other things.

Most enterprise applications use a request/response programming model. This is obvious in the case of web applications due to the HTTP protocol, but it is equally true of remote client applications making remote method invocations. The server essentially sits idle and only "works" when responding to client requests and/or method invocations. This type of model is particularly efficient since it means the security system only has to validate a session during those cases. Such "lazy" behavior enables the system to lie stateless and/or idle and only incur overhead for session validation when necessary.

However, if a client forgets to log out, or in the event of a server failure, it is possible for sessions to be orphaned since no further requests would utilize that session. Because of these lower-probability cases, it is required to regularly clean up the sessions maintained by the system.

Even in applications that aren't primarily based on a request/response model, such as those that use enterprise asynchronous messaging (where data is pushed to a client without first receiving a client request), it is almost always acceptable to utilize this lazy approach and run this method at a defined interval.

Systems that want to proactively validate individual sessions may call the validateSession method. Note that even in such proactive systems, this ValidatingSessionManager.validateSessions() method should be invoked regularly anyway to guarantee no orphans exist.

Note: JSecurity supports automatic execution of this method at a regular interval by using SessionValidationSchedulers. The JSecurity default SecurityManager implementations needing session validation will create and use one by default if one is not provided by the application configuration.

Specified by:
validateSessions in interface ValidatingSessionManager
See Also:
ValidatingSessionManager.validateSessions()
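
The interaction between lazy per-request validation and the periodic sweep described above, as an added stand-alone Java model. It is not JSecurity code: SessionSweepDemo, Entry, access, sweep and the other names are hypothetical, and the 30-minute timeout mirrors DEFAULT_GLOBAL_SESSION_TIMEOUT.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Stand-alone model, not JSecurity code: all names here are hypothetical.
public class SessionSweepDemo {
    static final long TIMEOUT_MS = 30 * 60 * 1000L; // mirrors DEFAULT_GLOBAL_SESSION_TIMEOUT
    static final class Entry {
        volatile long lastAccess;
        volatile boolean expired;
        Entry(long now) { lastAccess = now; }
    }

    final Map<String, Entry> store = new ConcurrentHashMap<>();
    void create(String id, long now) { store.put(id, new Entry(now)); }

    // Shared check: mark the session expired once idle longer than the timeout.
    boolean validate(Entry e, long now) {
        if (!e.expired && now - e.lastAccess > TIMEOUT_MS) e.expired = true;
        return !e.expired;
    }

    // Lazy path: runs only when a request presents the session id.
    boolean access(String id, long now) {
        Entry e = store.get(id);
        if (e == null || !validate(e, now)) return false;
        e.lastAccess = now; // touch
        return true;
    }

    // Sweep path: what a scheduler would invoke at each validation interval.
    int sweep(long now) {
        int reaped = 0;
        for (Entry e : store.values()) {
            if (!e.expired && !validate(e, now)) reaped++;
        }
        return reaped;
    }

    long stillOpen() { return store.values().stream().filter(e -> !e.expired).count(); }
    public static void main(String[] args) {
        SessionSweepDemo m = new SessionSweepDemo();
        long min = 60_000L;
        m.create("active", 0);
        m.create("orphan", 0); // constructed case: client never logs out or returns
        for (int i = 1; i <= 4; i++) m.access("active", i * 20 * min);
        System.out.println("open before sweep: " + m.stillOpen());
        System.out.println("reaped by sweep: " + m.sweep(80 * min));
        System.out.println("open after sweep: " + m.stillOpen());
    }
}
```

The orphaned session is only marked expired when the sweep runs, so the validation interval bounds how long an abandoned session lingers as open in the store.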

getActiveSessions

protected abstract Collection<Session> getActiveSessions()

validateSession

public void validateSession(Serializable sessionId)
Description copied from interface: ValidatingSessionManager
Proactively validates a single session.

Specified by:
validateSession in interface ValidatingSessionManager
Parameters:
sessionId - the id of the session to validate

Copyright © 2004-2008 JSecurity.