[ https://issues.apache.org/jira/browse/SHIRO-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13058223#comment-13058223 ]

Les Hazlewood commented on SHIRO-266:
-------------------------------------

Latest commit has the following changes:

- The DefaultSessionStorageEvaluator has been changed to allow usage of the 
Session by default if one already exists.  If one does not exist, only then is 
the isSessionStorageEnabled() class-level property consulted.  It didn't make 
sense to not use the session if the application developer has already created 
one (by calling subject.getSession() somewhere in their own code).

- New web-specific objects have been introduced to enable most web applications 
to receive enabling/disabling benefits simply by request-specific 
configuration.  For example, a new 'NoSessionCreationFilter' has been 
introduced (in the pool of Default Filters as 'noSession').  This can be used 
in Shiro's filter chains, for example, in shiro.ini:

[urls]
/rest/** = noSession, authcBasic

The 'noSession' filter triggers logic that will prevent both Shiro and 
application developers from calling subject.getSession() and 
subject.getSession(true) for request patterns that should be stateless (no 
sessions).

A new DefaultWebSessionStorageEvaluator has been introduced that retains the 
DefaultSessionStorageEvaluator parent class logic, but will additionally look 
for a request attribute (set by the 'noSession' filter) to trigger this 
request-specific subject enable/disable logic.  The DefaultWebSecurityManager 
enables this DefaultWebSessionStorageEvaluator by default.

Finally, more unit tests have been added.  DefaultWebSessionStorageEvaluator 
has 100% method/line coverage.


> Login/Logout: Enable pluggable Subject state binding
> ----------------------------------------------------
>
>                 Key: SHIRO-266
>                 URL: https://issues.apache.org/jira/browse/SHIRO-266
>             Project: Shiro
>          Issue Type: Improvement
>          Components: Session Management, Subject
>    Affects Versions: 1.0.0, 1.1.0, 1.1.1
>            Reporter: Les Hazlewood
>            Assignee: Les Hazlewood
>             Fix For: 1.2.0
>
>
> After login, a subject's state (principals, authentication state, etc) are 
> bound to the Subject's session.  This allows Shiro to reconstruct the Subject 
> instance later on by acquiring a Session (e.g. by id) and reconstructing the 
> Subject based on the Session's state.
> In stateless environments (e.g. some REST-enabled applications), it is not 
> desirable to create a session.  There should be a pluggable component that 
> performs state binding and unbinding for subject login and logout, 
> respectively.  Stateless applications can choose to configure Shiro with a 
> stateless binder if they don't want sessions to be created.

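The comment above describes a three-step precedence for deciding whether a Subject's state may be stored in a Session: an existing Session is always used, otherwise a per-request marker set by the 'noSession' filter disables storage, otherwise the class-level isSessionStorageEnabled() flag decides. The following is an added illustration of that precedence as a custom SessionStorageEvaluator; it is not Shiro's own DefaultWebSessionStorageEvaluator. It assumes the Shiro 1.2 API (SessionStorageEvaluator, Subject.getSession(boolean), WebUtils.isWeb/getRequest), and the request attribute key NO_SESSION_ATTR is a constructed name for this example, not the key the shipped NoSessionCreationFilter uses.

```java
// Added example, not Shiro project code. Implements the precedence described in
// SHIRO-266: existing Session wins, then a per-request "no session" marker, then
// the class-level flag. Assumes Shiro 1.2 API; NO_SESSION_ATTR is a constructed key.
import javax.servlet.ServletRequest;
import org.apache.shiro.mgt.SessionStorageEvaluator;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.util.WebUtils;

public class StatelessAwareSessionStorageEvaluator implements SessionStorageEvaluator {

    /** Constructed attribute key; a filter in the chain would set it to Boolean.FALSE
     *  for request patterns that must stay stateless (e.g. /rest/**). */
    public static final String NO_SESSION_ATTR =
            StatelessAwareSessionStorageEvaluator.class.getName() + ".SESSION_STORAGE_ENABLED";

    /** Class-level default, consulted only when no Session exists and no request override is set. */
    private boolean sessionStorageEnabled = true;

    public boolean isSessionStorageEnabled() {
        return sessionStorageEnabled;
    }

    public void setSessionStorageEnabled(boolean enabled) {
        this.sessionStorageEnabled = enabled;
    }

    @Override
    public boolean isSessionStorageEnabled(Subject subject) {
        // 1. A Session already exists (the application called subject.getSession()
        //    somewhere): use it. getSession(false) never creates a new one.
        if (subject != null && subject.getSession(false) != null) {
            return true;
        }
        // 2. Per-request override, only meaningful for web subjects that carry a request.
        if (subject != null && WebUtils.isWeb(subject)) {
            ServletRequest request = WebUtils.getRequest(subject);
            Object flag = request.getAttribute(NO_SESSION_ATTR);
            if (flag instanceof Boolean) {
                return (Boolean) flag;
            }
        }
        // 3. Nothing request-specific: fall back to the class-level setting.
        return isSessionStorageEnabled();
    }
}
```

Wiring such an evaluator is done through the subject DAO in shiro.ini (`securityManager.subjectDAO.sessionStorageEvaluator = $myEvaluator`, with `myEvaluator` declared in the [main] section). For the common case, the shipped DefaultWebSecurityManager already installs DefaultWebSessionStorageEvaluator and the 'noSession' filter sets the marker, so a custom evaluator is only needed when the stateless decision depends on something other than the filter chain.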
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
