Posted to user@shiro.apache.org by gembin <ge...@gmail.com> on 2015/09/23 19:55:13 UTC

What's the purpose of SubjectDAO?

Hi,

I'm new to Shiro and I don't quite understand how SubjectDAO is used.

The JavaDoc and the interface signature of SubjectDAO.java

/A {@code SubjectDAO} is responsible for persisting a Subject instance's
internal state such that the Subject instance can be recreated at a later
time if necessary./

*Subject save(Subject subject);
void delete(Subject subject);*

I don't see how it can be recreated at a later time if necessary, since
there is no way to get a Subject after it is
persisted. The default implementation is based on the session, but how can the
SecurityManager use this interface if the user provides a custom SubjectDAO?

Thanks,
Bin



--
View this message in context: http://shiro-user.582556.n2.nabble.com/What-s-the-purpose-of-SubjectDAO-tp7580784.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: What's the purpose of SubjectDAO?

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
There must be some storage for the session.
For example, every web request comes with a session cookie,
which must be looked up somewhere and mapped into user's permissions, roles, other data etc.
You don't want to look it up in the DB every time, do you?
This data lasts as long as the user's web session (for example) lasts.
This "space" is what SessionDAO manages.
It could be an in-memory HashMap, distributed cache for failover / clustering / load balancing, etc.
SessionDAO is a facade for that.  It has many implementations, i.e. in-memory, or some
other disk-optional object store, so if sessions outgrow memory, the program wouldn't crash
or the users won't be logged off for no reason.

Hope this clears things up for you.

On Sep 24, 2015, at 3:26 AM, gembin wrote:

> 
> Yes, I know how to customize a realm, but the question is about SubjectDAO...
> 
> So, SubjectDAO is trying to save a "transient" object; this doesn't make
> sense to me...
> 
> I'm trying to learn Shiro by reading the source code, and I don't quite
> understand this part.
> 
> From the source code, the default impl saves principals and authentication
> state in the session,
> so, from an implementor's point of view, it's not so clear which information is to
> be persisted for a subject.
> 
> However, the key point is: there is no way to restore a persisted subject.
> 
> 
> 
> 


Re: What's the purpose of SubjectDAO?

Posted by gembin <ge...@gmail.com>.
Yes, I know how to customize a realm, but the question is about SubjectDAO...

So, SubjectDAO is trying to save a "transient" object; this doesn't make
sense to me...

I'm trying to learn Shiro by reading the source code, and I don't quite
understand this part.

From the source code, the default impl saves principals and authentication
state in the session,
so, from an implementor's point of view, it's not so clear which information is to
be persisted for a subject.

However, the key point is: there is no way to restore a persisted subject.




Re: What's the purpose of SubjectDAO?

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Subject is "transient", i.e. a logged-in user.
You don't usually save a subject into the database.

The key to understanding Shiro is that the main customization point
is your own realm.

On Sep 23, 2015, at 11:05 PM, gembin wrote:

> Thanks a lot for the answer.
> 
> What I mean is, after I have saved the subject, e.g. in a database, how would the
> securityManager know to
> get it back (restore a saved subject)? It only knows how to save and
> delete, because there is no such SPI defined in the SubjectDAO to
> retrieve the subject object from the database or disk, etc.
> 
> I understand what this DAO is trying to do, but I don't understand how a
> custom implementation would work in the case of it being saved on disk or in a db, etc.
> 
> 
> 
> 


Re: What's the purpose of SubjectDAO?

Posted by gembin <ge...@gmail.com>.
Thanks a lot for the answer.

What I mean is, after I have saved the subject, e.g. in a database, how would the
securityManager know to
get it back (restore a saved subject)? It only knows how to save and
delete, because there is no such SPI defined in the SubjectDAO to
retrieve the subject object from the database or disk, etc.

I understand what this DAO is trying to do, but I don't understand how a
custom implementation would work in the case of it being saved on disk or in a db, etc.




Re: What's the purpose of SubjectDAO?

Posted by Les Hazlewood <lh...@apache.org>.
The session is the default storage location for Subject state.  Other
future or custom implementations could store it as a JWT inside a cookie
for example, or on disk, etc.  It's really there to control how subject
state is persisted and allows you to specify your own mechanism if the
Shiro defaults do not meet your needs.

HTH,

--
Les

On Wed, Sep 23, 2015 at 10:57 AM, Lenny Primak <lp...@hope.nyc.ny.us>
wrote:

> It is a facade to save your subject in the session.
> Since Shiro can optionally implement its own (not container) sessions,
> SubjectDAO is used to front that session functionality.
>
> On Sep 23, 2015, at 1:55 PM, gembin wrote:
>
> > Hi,
> >
> > I'm new to Shiro and I don't quite understand how SubjectDAO is used.
> >
> > The JavaDoc and the interface signature of SubjectDAO.java
> >
> > /A {@code SubjectDAO} is responsible for persisting a Subject instance's
> > internal state such that the Subject instance can be recreated at a later
> > time if necessary./
> >
> > *Subject save(Subject subject);
> > void delete(Subject subject);*
> >
> > I don't see how it can be recreated at a later time if necessary, since
> > there is no way to get a Subject after it is
> > persisted. The default implementation is based on the session, but how can the
> > SecurityManager use this interface if the user provides a custom SubjectDAO?
> >
> > Thanks,
> > Bin
> >
> >
> >
> >
>
>
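
An added example, not part of any message in this thread and not Shiro's own code: with the default session-backed SubjectDAO there is no "get" because the SecurityManager rebuilds a Subject from the session attributes that save() wrote. It assumes Shiro 1.x on the classpath in a non-web (native session) setup; the class name and the sample account are constructed for illustration.

```java
import java.io.Serializable;

import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DefaultSubjectContext;

// Added illustration (hypothetical class name): shows where DefaultSubjectDAO.save()
// puts Subject state and how a later request gets an equivalent Subject back.
public class SubjectRoundTrip {
    public static void main(String[] args) {
        // Constructed sample account; a real application supplies its own Realm.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "constructed-sample-password");

        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        // Already the default; set explicitly to mark the customization point.
        securityManager.setSubjectDAO(new DefaultSubjectDAO());

        // "Request 1": log in. After authentication the SecurityManager creates the
        // authenticated Subject and calls subjectDAO.save(subject).
        Subject first = new Subject.Builder(securityManager).buildSubject();
        first.login(new UsernamePasswordToken("alice", "constructed-sample-password"));

        // save() wrote the principals and authentication flag into the session.
        Session session = first.getSession(false);
        System.out.println("principals in session: "
                + session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY));
        System.out.println("authenticated in session: "
                + session.getAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY));

        // "Request 2": only the session id is known (in a web app, from the cookie).
        // There is no SubjectDAO.get(); the Subject is rebuilt from the session.
        Serializable sessionId = session.getId();
        Subject restored = new Subject.Builder(securityManager)
                .sessionId(sessionId)
                .buildSubject();
        System.out.println("restored principal: " + restored.getPrincipal());
        System.out.println("restored authenticated: " + restored.isAuthenticated());
    }
}
```

A custom SubjectDAO that writes somewhere other than the session therefore also needs a matching way to feed that state back into Subject creation, and whatever store it uses holds authentication state and must be protected accordingly.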

Re: What's the purpose of SubjectDAO?

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
It is a facade to save your subject in the session.
Since Shiro can optionally implement its own (not container) sessions,
SubjectDAO is used to front that session functionality.

On Sep 23, 2015, at 1:55 PM, gembin wrote:

> Hi,
> 
> I'm new to Shiro and I don't quite understand how SubjectDAO is used.
> 
> The JavaDoc and the interface signature of SubjectDAO.java
> 
> /A {@code SubjectDAO} is responsible for persisting a Subject instance's
> internal state such that the Subject instance can be recreated at a later
> time if necessary./
> 
> *Subject save(Subject subject);
> void delete(Subject subject);*
> 
> I don't see how it can be recreated at a later time if necessary, since
> there is no way to get a Subject after it is
> persisted. The default implementation is based on the session, but how can the
> SecurityManager use this interface if the user provides a custom SubjectDAO?
> 
> Thanks,
> Bin
> 
> 
> 
>