Package org.apache.shiro.session.mgt

Class DelegatingSession

  • All Implemented Interfaces:
    Serializable, Session
    public class DelegatingSession
extends Object
implements Session, Serializable
    A DelegatingSession is a client-tier representation of a server side Session. This implementation is basically a proxy to a server-side NativeSessionManager, which will return the proper results for each method call.

    A DelegatingSession will cache data when appropriate to avoid a remote method invocation, only communicating with the server when necessary.

    Of course, if used in-process with a NativeSessionManager business POJO, as might be the case in a web-based application where the web classes and server-side business pojos exist in the same JVM, a remote method call will not be incurred.

    Since:
    0.1
    See Also:
    Serialized Form

    • Method Detail

      • getId

        public Serializable getId()
        Description copied from interface: Session
        Returns the unique identifier assigned by the system upon session creation.

        All return values from this method are expected to have proper toString(), equals(), and hashCode() implementations. Good candidates for such an identifier are UUIDs, Integers, and Strings.

        Specified by:
        getId in interface Session
        Returns:
        The unique identifier assigned to the session upon creation.
        See Also:
        Session.getId()

      • getStartTimestamp

        public Date getStartTimestamp()
        Description copied from interface: Session
        Returns the time the session was started; that is, the time the system created the instance.
        Specified by:
        getStartTimestamp in interface Session
        Returns:
        The time the system created the session.
        See Also:
        Session.getStartTimestamp()

      • getLastAccessTime

        public Date getLastAccessTime()
        Description copied from interface: Session
        Returns the last time the application received a request or method invocation from the user associated with this session. Application calls to this method do not affect this access time.
        Specified by:
        getLastAccessTime in interface Session
        Returns:
        The time the user last interacted with the system.
        See Also:
        Session.getLastAccessTime()

      • getTimeout

        public long getTimeout()
                throws InvalidSessionException
        Description copied from interface: Session
        Returns the time in milliseconds that the session session may remain idle before expiring.
        • A negative return value means the session will never expire.
        • A non-negative return value (0 or greater) means the session expiration will occur if idle for that length of time.
        *Note: if you are used to the HttpSession's getMaxInactiveInterval() method, the scale on this method is different: Shiro Sessions use millisecond values for timeout whereas HttpSession.getMaxInactiveInterval uses seconds. Always use millisecond values with Shiro sessions.
        Specified by:
        getTimeout in interface Session
        Returns:
        the time in milliseconds the session may remain idle before expiring.
        Throws:
        InvalidSessionException - if the session has been stopped or expired prior to calling this method.

      • setTimeout

        public void setTimeout​(long maxIdleTimeInMillis)
                throws InvalidSessionException
        Description copied from interface: Session
        Sets the time in milliseconds that the session may remain idle before expiring.
        • A negative value means the session will never expire.
        • A non-negative value (0 or greater) means the session expiration will occur if idle for that length of time.

        *Note: if you are used to the HttpSession's getMaxInactiveInterval() method, the scale on this method is different: Shiro Sessions use millisecond values for timeout whereas HttpSession.getMaxInactiveInterval uses seconds. Always use millisecond values with Shiro sessions.

        Specified by:
        setTimeout in interface Session
        Parameters:
        maxIdleTimeInMillis - the time in milliseconds that the session may remain idle before expiring.
        Throws:
        InvalidSessionException - if the session has been stopped or expired prior to calling this method.

      • getHost

        public String getHost()
        Description copied from interface: Session
        Returns the host name or IP string of the host that originated this session, or null if the host is unknown.
        Specified by:
        getHost in interface Session
        Returns:
        the host name or IP string of the host that originated this session, or null if the host address is unknown.

      • touch

        public void touch()
           throws InvalidSessionException
        Description copied from interface: Session
        Explicitly updates the lastAccessTime of this session to the current time when this method is invoked. This method can be used to ensure a session does not time out.

        Most programmers won't use this method directly and will instead rely on the last access time to be updated automatically as a result of an incoming web request or remote procedure call/method invocation.

        However, this method is particularly useful when supporting rich-client applications such as Java Web Start app, Java or Flash applets, etc. Although rare, it is possible in a rich-client environment that a user continuously interacts with the client-side application without a server-side method call ever being invoked. If this happens over a long enough period of time, the user's server-side session could time-out. Again, such cases are rare since most rich-clients frequently require server-side method invocations.

        In this example though, the user's session might still be considered valid because the user is actively "using" the application, just not communicating with the server. But because no server-side method calls are invoked, there is no way for the server to know if the user is sitting idle or not, so it must assume so to maintain session integrity. This touch() method could be invoked by the rich-client application code during those times to ensure that the next time a server-side method is invoked, the invocation will not throw an ExpiredSessionException. In short terms, it could be used periodically to ensure a session does not time out.

        How often this rich-client "maintenance" might occur is entirely dependent upon the application and would be based on variables such as session timeout configuration, usage characteristics of the client application, network utilization and application server performance.

        Specified by:
        touch in interface Session
        Throws:
        InvalidSessionException - if this session has stopped or expired prior to calling this method.
        See Also:
        Session.touch()

      • stop

        public void stop()
          throws InvalidSessionException
        Description copied from interface: Session
        Explicitly stops (invalidates) this session and releases all associated resources.

        If this session has already been authenticated (i.e. the Subject that owns this session has logged-in), calling this method explicitly might have undesired side effects:

        It is common for a Subject implementation to retain authentication state in the Session. If the session is explicitly stopped by application code by calling this method directly, it could clear out any authentication state that might exist, thereby effectively "unauthenticating" the Subject.

        As such, you might consider logging-out the 'owning' Subject instead of manually calling this method, as a log out is expected to stop the corresponding session automatically, and also allows framework code to execute additional cleanup logic.

        Specified by:
        stop in interface Session
        Throws:
        InvalidSessionException - if this session has stopped or expired prior to calling this method.
        See Also:
        Session.stop()

      • getAttribute

        public Object getAttribute​(Object attributeKey)
                    throws InvalidSessionException
        Description copied from interface: Session
        Returns the object bound to this session identified by the specified key. If there is no object bound under the key, null is returned.
        Specified by:
        getAttribute in interface Session
        Parameters:
        attributeKey - the unique name of the object bound to this session
        Returns:
        the object bound under the specified key name or null if there is no object bound under that name.
        Throws:
        InvalidSessionException - if this session has stopped or expired prior to calling this method.
        See Also:
        Session.getAttribute(Object key)

      • setAttribute

        public void setAttribute​(Object attributeKey,
                         Object value)
                  throws InvalidSessionException
        Description copied from interface: Session
        Binds the specified value to this session, uniquely identified by the specified key name. If there is already an object bound under the key name, that existing object will be replaced by the new value.

        If the value parameter is null, it has the same effect as if removeAttribute was called.

        Specified by:
        setAttribute in interface Session
        Parameters:
        attributeKey - the name under which the value object will be bound in this session
        value - the object to bind in this session.
        Throws:
        InvalidSessionException - if this session has stopped or expired prior to calling this method.
        See Also:
        Session.setAttribute(Object key, Object value)