
org.jsecurity.web.session
Class DefaultWebSessionManager

java.lang.Object
  extended by org.jsecurity.session.mgt.AbstractSessionManager
      extended by org.jsecurity.session.mgt.AbstractValidatingSessionManager
          extended by org.jsecurity.session.mgt.DefaultSessionManager
              extended by org.jsecurity.web.session.DefaultWebSessionManager
All Implemented Interfaces:
CacheManagerAware, SessionManager, ValidatingSessionManager, SessionListenerRegistrar, Destroyable, WebSessionManager

public class DefaultWebSessionManager
extends DefaultSessionManager
implements WebSessionManager

Web-application capable SessionManager implementation.

Since:
0.9
Author:
Les Hazlewood

Field Summary
protected  CookieAttribute<Serializable> sessionIdCookieAttribute
           
protected  RequestParamAttribute<Serializable> sessionIdRequestParamAttribute
           
 
Fields inherited from class org.jsecurity.session.mgt.DefaultSessionManager
sessionDAO
 
Fields inherited from class org.jsecurity.session.mgt.AbstractValidatingSessionManager
DEFAULT_GLOBAL_SESSION_TIMEOUT, DEFAULT_SESSION_VALIDATION_INTERVAL, globalSessionTimeout, MILLIS_PER_HOUR, MILLIS_PER_MINUTE, MILLIS_PER_SECOND, sessionValidationInterval, sessionValidationScheduler, sessionValidationSchedulerEnabled
 
Fields inherited from class org.jsecurity.session.mgt.AbstractSessionManager
listeners
 
Constructor Summary
DefaultWebSessionManager()
           
 
Method Summary
protected  Session doGetSession(ServletRequest request, ServletResponse response)
           
protected  void ensureCookieSessionIdStore()
           
protected  void ensureRequestParamSessionIdStore()
           
 Session getSession(ServletRequest request, ServletResponse response)
          Returns the Session associated with the specified request if it is valid or null if a Session doesn't exist or it was invalid.
 CookieAttribute<Serializable> getSessionIdCookieAttribute()
           
 RequestParamAttribute<Serializable> getSessionIdRequestParamAttribute()
           
protected  Session handleInvalidSession(ServletRequest request, ServletResponse response, InvalidSessionException ise)
           
 boolean isValidateRequestOrigin()
          If set to true, this implementation will ensure that any HttpRequest attempting to join a session (i.e. via getSession) must have the same IP address as the HttpRequest that started the session.
protected  void onStop(Session session)
           
 Session retrieveSession(Serializable sessionId)
           
protected  Serializable retrieveSessionId(ServletRequest request, ServletResponse response)
           
 void setSessionIdCookieAttribute(CookieAttribute<Serializable> sessionIdCookieAttribute)
           
 void setSessionIdCookieMaxAge(int maxAge)
           
 void setSessionIdCookieName(String name)
           
 void setSessionIdCookiePath(String path)
           
 void setSessionIdCookieSecure(boolean secure)
           
 void setSessionIdRequestParamAttribute(RequestParamAttribute<Serializable> sessionIdRequestParamAttribute)
           
 void setValidateRequestOrigin(boolean validateRequestOrigin)
          Sets whether or not a request's origin will be validated when accessing a session.
 Serializable start(InetAddress hostAddress)
          Starts a new session within the system for the host with the specified originating IP address.
protected  Serializable start(ServletRequest request, ServletResponse response, InetAddress inetAddress)
           
protected  void storeSessionId(Serializable currentId, ServletRequest request, ServletResponse response)
           
protected  void validateSessionOrigin(ServletRequest request, Session session)
           
 
Methods inherited from class org.jsecurity.session.mgt.DefaultSessionManager
create, doCreateSession, getActiveSessions, getSessionDAO, newSessionInstance, onChange, onExpiration, setCacheManager, setSessionDAO
 
Methods inherited from class org.jsecurity.session.mgt.AbstractValidatingSessionManager
afterSessionValidationEnabled, beforeSessionValidationDisabled, createSession, createSessionValidationScheduler, destroy, disableSessionValidation, doGetSession, enableSessionValidation, enableSessionValidationIfNecessary, getGlobalSessionTimeout, getSessionValidationInterval, getSessionValidationScheduler, getTimeout, isSessionValidationSchedulerEnabled, setGlobalSessionTimeout, setSessionValidationInterval, setSessionValidationScheduler, setSessionValidationSchedulerEnabled, validate, validateSession, validateSessions
 
Methods inherited from class org.jsecurity.session.mgt.AbstractSessionManager
add, beforeInvalidNotification, getAttribute, getAttributeKeys, getHostAddress, getLastAccessTime, getSession, getStartTimestamp, getTimeout, isValid, notifyExpiration, notifyStart, notifyStop, remove, removeAttribute, setAttribute, setSessionListeners, setTimeout, stop, stop, touch
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface org.jsecurity.session.mgt.SessionManager
getAttribute, getAttributeKeys, getHostAddress, getLastAccessTime, getStartTimestamp, getTimeout, isValid, removeAttribute, setAttribute, setTimeout, stop, touch
 

Field Detail

sessionIdCookieAttribute

protected CookieAttribute<Serializable> sessionIdCookieAttribute

sessionIdRequestParamAttribute

protected RequestParamAttribute<Serializable> sessionIdRequestParamAttribute
Constructor Detail

DefaultWebSessionManager

public DefaultWebSessionManager()
Method Detail

getSessionIdCookieAttribute

public CookieAttribute<Serializable> getSessionIdCookieAttribute()

setSessionIdCookieAttribute

public void setSessionIdCookieAttribute(CookieAttribute<Serializable> sessionIdCookieAttribute)

getSessionIdRequestParamAttribute

public RequestParamAttribute<Serializable> getSessionIdRequestParamAttribute()

setSessionIdRequestParamAttribute

public void setSessionIdRequestParamAttribute(RequestParamAttribute<Serializable> sessionIdRequestParamAttribute)

isValidateRequestOrigin

public boolean isValidateRequestOrigin()
If set to true, this implementation will ensure that any HttpRequest attempting to join a session (i.e. via getSession) must have the same IP address as the HttpRequest that started the session.

If set to false, any HttpRequest with a reference to a valid session id may acquire that Session.

Although convenient, this should only be enabled in environments where the system can guarantee that each IP address represents one and only one machine accessing the system.

Public websites are not good candidates for enabling this feature since many browser clients often sit behind NAT routers (in which case many machines appear to come from the same IP, thereby making this validation check useless). Also, some internet service providers (e.g. AOL) may change a client's IP in mid-session, making subsequent requests appear to come from a different location. Again, this feature should only be enabled where IP addresses can be guaranteed to have a 1-to-1 relationship with a user's session.

For the reasons specified above, this property is false by default.

Returns:
true if this factory will verify each HttpRequest joining a session

setValidateRequestOrigin

public void setValidateRequestOrigin(boolean validateRequestOrigin)
Sets whether or not a request's origin will be validated when accessing a session. See the isValidateRequestOrigin() JavaDoc for an in-depth explanation of this property.

Parameters:
validateRequestOrigin - whether or not to validate the request's origin when accessing a session.
See Also:
isValidateRequestOrigin()

setSessionIdCookieName

public void setSessionIdCookieName(String name)

setSessionIdCookiePath

public void setSessionIdCookiePath(String path)

setSessionIdCookieMaxAge

public void setSessionIdCookieMaxAge(int maxAge)

setSessionIdCookieSecure

public void setSessionIdCookieSecure(boolean secure)

ensureCookieSessionIdStore

protected void ensureCookieSessionIdStore()

ensureRequestParamSessionIdStore

protected void ensureRequestParamSessionIdStore()

validateSessionOrigin

protected void validateSessionOrigin(ServletRequest request,
                                     Session session)
                              throws HostUnauthorizedException
Throws:
HostUnauthorizedException

storeSessionId

protected void storeSessionId(Serializable currentId,
                              ServletRequest request,
                              ServletResponse response)

retrieveSessionId

protected Serializable retrieveSessionId(ServletRequest request,
                                         ServletResponse response)

start

public Serializable start(InetAddress hostAddress)
                   throws HostUnauthorizedException,
                          IllegalArgumentException
Description copied from interface: SessionManager
Starts a new session within the system for the host with the specified originating IP address.

Note: see the SessionFactory.init(InetAddress) method for the implications of using InetAddresses in access control policies.

Specified by:
start in interface SessionManager
Overrides:
start in class AbstractSessionManager
Parameters:
hostAddress - the originating host InetAddress of the external party (user, 3rd party product, etc) that is attempting to interact with the system.
Returns:
the system identifier of the newly created session.
Throws:
HostUnauthorizedException - if the host specified is not allowed to start sessions.
IllegalArgumentException - if the host specified is not valid.
See Also:
SessionFactory.start(InetAddress)

start

protected Serializable start(ServletRequest request,
                             ServletResponse response,
                             InetAddress inetAddress)

retrieveSession

public Session retrieveSession(Serializable sessionId)
                        throws InvalidSessionException,
                               AuthorizationException
Overrides:
retrieveSession in class DefaultSessionManager
Throws:
InvalidSessionException
AuthorizationException

getSession

public final Session getSession(ServletRequest request,
                                ServletResponse response)
                         throws InvalidSessionException,
                                AuthorizationException
Returns the Session associated with the specified request if it is valid or null if a Session doesn't exist or it was invalid.

Specified by:
getSession in interface WebSessionManager
Parameters:
request - incoming servlet request
response - outgoing servlet response
Returns:
the Session associated with the incoming request or null if one does not exist.
Throws:
InvalidSessionException - if the associated Session has expired prior to invoking this method.
AuthorizationException - if the caller is not authorized to access the session associated with the request.

doGetSession

protected Session doGetSession(ServletRequest request,
                               ServletResponse response)

handleInvalidSession

protected Session handleInvalidSession(ServletRequest request,
                                       ServletResponse response,
                                       InvalidSessionException ise)

onStop

protected void onStop(Session session)
Overrides:
onStop in class DefaultSessionManager


Copyright © 2004-2008 JSecurity.