Posted to user@shiro.apache.org by Tauren Mills <ta...@tauren.com> on 2010/05/21 00:18:32 UTC

Stateless pages and sessions

I'm hoping someone can help me to understand how Shiro works with web
sessions.  If I'm using shiro native sessions in a web application, will a
regular web session still get created? Is it possible to have each request
use a temporary web session?

In my wicket app, I'm looking into using stateless pages.  Wicket supports
deferred session creation: as long as the page doesn't have any components
on it that require state to be maintained, no session will be created.
Details available here:
https://cwiki.apache.org/WICKET/stateless-pages.html

But if I'm using Shiro, will a session be created on these stateless pages
anyway?

Tauren

Re: Add Session Listeners to Shiro

Posted by Aleksey Didik <di...@magenta-technology.ru>.
Thanks, Les, for such a detailed answer!


26.05.2010 20:54, Les Hazlewood wrote:
> Because the Servlet API does not have the notion of a global
> SessionListener construct as Shiro does, you first have to ensure that
> you're using native sessions:
>
> defaultWebSecurityManager.setSessionMode(DefaultWebSecurityManager.NATIVE_SESSION_MODE);
>
> After you've made this call, then you can do the following:
>
> ((AbstractNativeSessionManager)defaultWebSecurityManager.getSessionManager()).setSessionListeners(mySessionListenerList);
>
> If it is possible to use the INI config, I highly recommend it as it
> will often simplify your config efforts (no need to cast classes,
> etc).  Here is the above w/ INI config:
>
> [main]
> sessionListener1 = com.my.session.listener.Implementation
> # as many SessionListeners as you want ...
> sessionListenerN = com.my.other.session.listener.Implementation
>
> securityManager.sessionMode = native
> securityManager.sessionManager.sessionListeners = $sessionListener1, ..., $sessionListenerN
>
> Also note that INI config does not need to be embedded in web.xml if
> you don't want it to be.  The IniShiroFilter supports an alternative
> 'configPath' init-param that allows you to specify any location you
> want using classpath:, file: or url: prefixes to point to any of those
> respective resource locations.
>
> Cheers,
>
> Les
>
> On Wed, May 26, 2010 at 1:10 AM, Aleksey Didik
> <di...@magenta-technology.ru>  wrote:
>    
>> Hello all,
>> I'm trying to find the way to attach some session listeners to my security
>> manager.
>> I use Shiro in my web app and use DefaultWebSecurityManager.
>> But I configure it manually, not with ini in web.xml.
>>
>> Please, help :)
>>
>> Best regards,
>> Aleksey.
>>
>>      
>    


Re: Add Session Listeners to Shiro

Posted by Les Hazlewood <lh...@apache.org>.
Because the Servlet API does not have the notion of a global
SessionListener construct as Shiro does, you first have to ensure that
you're using native sessions:

defaultWebSecurityManager.setSessionMode(DefaultWebSecurityManager.NATIVE_SESSION_MODE);

After you've made this call, then you can do the following:

((AbstractNativeSessionManager)defaultWebSecurityManager.getSessionManager()).setSessionListeners(mySessionListenerList);

If it is possible to use the INI config, I highly recommend it as it
will often simplify your config efforts (no need to cast classes,
etc).  Here is the above w/ INI config:

[main]
sessionListener1 = com.my.session.listener.Implementation
# as many SessionListeners as you want ...
sessionListenerN = com.my.other.session.listener.Implementation

securityManager.sessionMode = native
securityManager.sessionManager.sessionListeners = $sessionListener1, ..., $sessionListenerN

Also note that INI config does not need to be embedded in web.xml if
you don't want it to be.  The IniShiroFilter supports an alternative
'configPath' init-param that allows you to specify any location you
want using classpath:, file: or url: prefixes to point to any of those
respective resource locations.

Cheers,

Les

On Wed, May 26, 2010 at 1:10 AM, Aleksey Didik
<di...@magenta-technology.ru> wrote:
> Hello all,
> I'm trying to find the way to attach some session listeners to my security
> manager.
> I use Shiro in my web app and use DefaultWebSecurityManager.
> But I configure it manually, not with ini in web.xml.
>
> Please, help :)
>
> Best regards,
> Aleksey.
>
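
Added example (not part of the original thread and not Shiro project code): a SessionListener that audits session start, stop and expiration, wired with the two calls from the reply above. The class name AuditSessionListener, the logger name and the fingerprint helper are assumptions made for illustration; Shiro must be on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.logging.Logger;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.session.mgt.AbstractNativeSessionManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

/** Hypothetical audit listener: records session lifecycle events without logging raw session ids. */
public class AuditSessionListener implements SessionListener {
    private static final Logger LOG = Logger.getLogger("session-audit");

    @Override public void onStart(Session s)      { log("start", s); }
    @Override public void onStop(Session s)       { log("stop", s); }
    @Override public void onExpiration(Session s) { log("expired", s); }

    private static void log(String event, Session s) {
        LOG.info(event + " session=" + fingerprint(String.valueOf(s.getId()))
                + " host=" + s.getHost() + " started=" + s.getStartTimestamp());
    }

    /** The session id is a bearer credential, so log a short SHA-256 prefix instead of the id itself. */
    static String fingerprint(String id) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(id.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 6; i++) sb.append(String.format("%02x", d[i]));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every JVM
        }
    }

    /** Programmatic wiring, using the two calls quoted in the reply above. */
    public static DefaultWebSecurityManager newSecurityManager() {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setSessionMode(DefaultWebSecurityManager.NATIVE_SESSION_MODE);
        ((AbstractNativeSessionManager) sm.getSessionManager())
                .setSessionListeners(Collections.<SessionListener>singletonList(new AuditSessionListener()));
        return sm;
    }
}
```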

Add Session Listeners to Shiro

Posted by Aleksey Didik <di...@magenta-technology.ru>.
Hello all,
I'm trying to find the way to attach some session listeners to my
security manager.
I use Shiro in my web app and use DefaultWebSecurityManager.
But I configure it manually, not with ini in web.xml.

Please, help :)

Best regards,
Aleksey.

Re: Stateless pages and sessions

Posted by Les Hazlewood <lh...@apache.org>.
Hi Tauren,

Shiro implements the Servlet specification for its native sessions -
so if Wicket (or anything else) calls request.getSession() (aka
getSession(true)) a new session will be created.  Otherwise, a new
session won't be created unless:

- You (or a framework) invoke request.getSession() or request.getSession(true)
- A subject successfully logs in via subject.login, at which point a
session is created to store authentication state.
- A 'remember me' identity is discovered, at which point the identity
is stored in the session to prevent unnecessary continuous cookie
reads later on.

Shiro's native web sessions bypass the servlet container entirely, so
a servlet container session won't get started unless something in front
of the Shiro filter starts one.  That's why it is highly recommended
to have the Shiro filter sit in front of all other filters to ensure
nothing can create or use disjoint sessions for a single request.

HTH,

Les

On Thu, May 20, 2010 at 3:18 PM, Tauren Mills <ta...@tauren.com> wrote:
> I'm hoping someone can help me to understand how Shiro works with web
> sessions.  If I'm using shiro native sessions in a web application, will a
> regular web session still get created? Is it possible to have each request
> use a temporary web session?
> In my wicket app, I'm looking into using stateless pages.  Wicket supports
> deferred session creation: as long as the page doesn't have any components
> on it that require state to be maintained, no session will be created.
> Details available here:
> https://cwiki.apache.org/WICKET/stateless-pages.html
> But if I'm using Shiro, will a session be created on these stateless pages
> anyway?
> Tauren
>
>
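
Added example (not part of the original thread and not Shiro or Wicket code): a diagnostic servlet filter that reports requests during which a session came into existence, as a way to check that stateless pages really stay stateless. The class name SessionCreationProbeFilter and the logger name are assumptions; the filter is assumed to be mapped after the Shiro filter, so it only sees sessions started by code downstream of it.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical probe: map it AFTER the Shiro filter so the request it receives is
 * Shiro's wrapper and getSession(false) reflects Shiro's native session.
 */
public class SessionCreationProbeFilter implements Filter {
    private static final Logger LOG = Logger.getLogger("session-probe");

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getSession(false) never creates a session, so probing does not change the outcome.
        boolean hadSession = http.getSession(false) != null;
        try {
            chain.doFilter(req, res);
        } finally {
            boolean hasSession = http.getSession(false) != null;
            if (!hadSession && hasSession) {
                // Something downstream (a page, a component, a login) started a session.
                LOG.warning("session created during request to " + http.getRequestURI());
            }
        }
    }
}
```

A session that already exists when the filter runs, for example one created for a discovered 'remember me' identity, is not reported, because the probe only compares the state before and after the downstream chain.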