Posted to user@shiro.apache.org by Eustas <al...@gmail.com> on 2013/04/26 17:40:43 UTC

How generate session id and maintain session

I cannot find a complete example of how to use Shiro for session management.
Can anyone help?
I have to arrange the interaction between a REST client and a Spring application
through Shiro.
The REST client sends a request including a login and password.
Shiro gets this request and should create a session for this client.
After that Shiro has to send the session id back to the client.
The client sends the next request including the session id. Shiro has to find
the client's session by this id.
I found this tutorial:
http://shiro.apache.org/session-management.html
I read this:
Serializable sessionId = // get from the inbound request or remote method invocation payload
Subject requestSubject = new Subject.Builder().sessionId(sessionId).buildSubject();

But what is this - searching for the session by a given id? So how do I create the
session the first time and generate an id for it?
Is there a full example?
Thanks.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-generate-session-id-and-maintain-session-tp7578665.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: How generate session id and maintain session

Posted by Les Hazlewood <lh...@apache.org>.
Hiya,

It's not recommended to use sessions in REST APIs if you can avoid it.
They should ideally be stateless if possible, expecting the client to
supply identity information on every request (e.g. HTTP Basic over TLS or
OAuth, etc).

That being said, if you use the ShiroFilter in your Spring application, you
don't have to worry about this at all - Shiro will create a session for you
when the user logs in and set the JSESSIONID cookie.  As long as the client
sends back that JSESSIONID cookie value on every request, the current
Subject will reflect the remote user correctly.

http://shiro.apache.org/spring.html#Spring-WebApplications

Once the ShiroFilter is configured to 'sit in front of' your other servlet
filters, all you have to do is call subject.login or subject.getSession()
and the cookie will be created for you.

The client then needs to send back that cookie with all subsequent requests.

HTH,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282


On Fri, Apr 26, 2013 at 8:40 AM, Eustas <al...@gmail.com> wrote:

> I cannot find a complete example of how to use Shiro for session management.
> Can anyone help?
> I have to arrange the interaction between a REST client and a Spring application
> through Shiro.
> The REST client sends a request including a login and password.
> Shiro gets this request and should create a session for this client.
> After that Shiro has to send the session id back to the client.
> The client sends the next request including the session id. Shiro has to find
> the client's session by this id.
> I found this tutorial:
> http://shiro.apache.org/session-management.html
> I read this:
> Serializable sessionId = // get from the inbound request or remote method invocation payload
> Subject requestSubject = new Subject.Builder().sessionId(sessionId).buildSubject();
>
> But what is this - searching for the session by a given id? So how do I create the
> session the first time and generate an id for it?
> Is there a full example?
> Thanks.
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/How-generate-session-id-and-maintain-session-tp7578665.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: How generate session id and maintain session

Posted by Les Hazlewood <lh...@apache.org>.
If you're using Spring, there is no need to use INI configuration.
Shiro's INI configuration mechanism is provided as a 'poor man's
dependency injection' solution if you do not already have one more
powerful at your disposal (like Spring, Guice, Tapestry, etc).

Configure everything in Spring and web.xml as
http://shiro.apache.org/spring.html#Spring-WebApplications shows and
you should be fine.

There is no need to build a Subject - the ShiroFilter (that you
configure in Spring and is accessed via the DelegatingFilterProxy)
will automatically build, bind and unbind the subject during the
request for you.

Additionally, for REST URL endpoints, you'll likely want to configure
the 'filterChainDefinitions' property on the ShiroFilterFactoryBean in
your Spring config.  Have your REST endpoints apply the
'noSessionCreation' filter.  For example:

<bean id="shiroFilter"
class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    ...
    <property name="filterChainDefinitions">
    <value>
        /rest/** = ssl,authc,noSessionCreation
    </value>
    </property>
    ...
</bean>

(the filterChainDefinitions property on the ShiroFilterFactoryBean
serves the same purpose as the [urls] section in the INI config).

This will prevent REST endpoints from creating sessions, which is
usually a good thing (enforces your REST endpoints are stateless).
This does require the REST caller to authenticate every request, but
this is very common in REST APIs - most clients are expected to set
the Authorization header on every request.

Finally, note that in the example above, the noSessionCreation filter
just prevents _new_ sessions from being created.  Users with existing
sessions that have already authenticated (e.g. via a user interface)
are still permitted to access those REST endpoints because - as the
filter chain states - they're already authenticated and no new session
needs to be created.  This is usually a desired behavior for most
REST-enabled apps that I've seen.

HTH,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282


On Sat, Apr 27, 2013 at 4:28 AM, Eustas <al...@gmail.com> wrote:
> Thank you for the help.
> But I still don't have a clear understanding of how it should be implemented
> in a full circle.
> At http://shiro.apache.org/spring.html#Spring-WebApplications
> I see only a short description of what settings should be made.
> These are my settings:
> shiro.ini:
> [main]
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> securityManager.sessionManager = $sessionManager
> sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
> # This is the default value.  Change it if your CacheManager configured a
> # different name:
> sessionDAO.activeSessionsCacheName = shiro-activeSessionsCache
> # Now have the native SessionManager use that DAO:
> securityManager.sessionManager.sessionDAO = $sessionDAO
> cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
> # Configure the above CacheManager on Shiro's SecurityManager
> # to use it for all of Shiro's caching needs:
> securityManager.cacheManager = $cacheManager
> appRealm=com.deviq.banq.engine.shiro.AppRealm
> securityManager.realms = $appRealm
> [users]
> admin=admin,ROLE_ADMIN
> [roles]
> ROLE_ADMIN = **
> As you see, I want to use Shiro's native sessions and ehcache.
>
> The Shiro part of my web.xml:
>     <filter>
>         <filter-name>shiroFilter</filter-name>
>         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
>         <init-param>
>             <param-name>targetFilterLifecycle</param-name>
>             <param-value>true</param-value>
>         </init-param>
>     </filter>
>
>     <filter>
>         <filter-name>securityFilter</filter-name>
>         <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
>     </filter>
>
>     <filter-mapping>
>         <filter-name>securityFilter</filter-name>
>         <url-pattern>/*</url-pattern>
>         <dispatcher>REQUEST</dispatcher>
>         <dispatcher>FORWARD</dispatcher>
>         <dispatcher>INCLUDE</dispatcher>
>     </filter-mapping>
>
>     <filter-mapping>
>         <filter-name>shiroFilter</filter-name>
>         <url-pattern>/*</url-pattern>
>     </filter-mapping>
>
> As you see, the filters are embedded in the chain.
>
>
> I'll try to describe the task step by step.
> It is a stateless interaction, so I have a login form.
> Should I still use the Shiro filter?
>
> 1. The REST client wants to access some method of the server.
> It sends a request including a login and password (simple case).
>
> 2. The server gets the request, takes the login and password and tries to verify them.
>    I just take the login and password from the request on the server side (String login,
> String password) and am going to verify them by hand.
>    I want to query the database about this user.
>    Should I implement it myself, or is there some predefined Shiro
> class to fulfill such a check?
>
> 3. Shiro creates a session.
> You wrote:
> "Shiro will create a session for you when the user logs in and set the
> JSESSIONID cookie.  As long as the client sends back that JSESSIONID cookie
> value on every request, the current Subject will reflect the remote user
> correctly."
> What settings specifically should be made for creating a session? Or did you
> write about a web app, and is it applicable only to a web app having a login form?
> Probably for a stateless interaction I should create this session by using
> some code like
> Subject requestSubject = new Subject.Builder().sessionId(sessionId).buildSubject()?
>
>
> 4. The server gets the SESSIONID and sends it back to the client.
> How can I access this just-created session?
> How can I obtain this SESSIONID (for sending it back to the client)?
>
> 5. The client includes the session id in every next request. The server finds the
> session specific to this client by this id.
> How can I find the session by SESSIONID?
>
> I did not find a complete code example. I did not find answers to these
> questions.
> Could you provide a code example?
>
> I hope for your help.
>
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/How-generate-session-id-and-maintain-session-tp7578665p7578671.html
> Sent from the Shiro User mailing list archive at Nabble.com.
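The Spring-side setup Les describes in both replies (ShiroFilter reached through the DelegatingFilterProxy, a session created on login for the UI chain, noSessionCreation on /rest/**), written out as an added example that is not code from the thread or from the Shiro project. It assumes the realm class named in Eustas's INI (com.deviq.banq.engine.shiro.AppRealm), the URLs /login and /logout, and HTTP Basic (authcBasic) on the REST chain, since Les notes the caller is expected to send an Authorization header on every request:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- applicationContext.xml: Shiro wired in Spring (added example, not from the thread) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Realm class taken from the INI in this thread; it checks login/password against the app's user store -->
    <bean id="appRealm" class="com.deviq.banq.engine.shiro.AppRealm"/>

    <!-- Native sessions backed by Ehcache, the same setup the INI above expressed -->
    <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"/>
    <bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO"/>
    <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
        <property name="sessionDAO" ref="sessionDAO"/>
    </bean>

    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="appRealm"/>
        <property name="sessionManager" ref="sessionManager"/>
        <property name="cacheManager" ref="cacheManager"/>
    </bean>

    <!-- Calls init()/destroy() on Shiro beans that need it (realm, cache manager) -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

    <!-- Target of the DelegatingFilterProxy named "shiroFilter" in web.xml.
         The filter binds the Subject for each request; on the UI chain a successful
         login creates the session and sets the JSESSIONID cookie, the REST chain never does. -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/login"/>   <!-- assumed URL -->
        <property name="filterChainDefinitions">
            <value>
                /rest/** = ssl, noSessionCreation, authcBasic
                /login = authc
                /logout = logout
                /** = authc
            </value>
        </property>
    </bean>
</beans>
```

With this in place web.xml keeps only the DelegatingFilterProxy filter named shiroFilter mapped to /*; the IniShiroFilter mapping and shiro.ini are no longer needed because the realm, session manager and cache manager are Spring beans. A browser user who logged in at /login keeps using the JSESSIONID cookie on /rest/**, while a REST client with no session authenticates with Basic credentials on each call and never gets a session created.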

Re: How generate session id and maintain session

Posted by Eustas <al...@gmail.com>.
Thank you for the help.
But I still don't have a clear understanding of how it should be implemented
in a full circle.
At http://shiro.apache.org/spring.html#Spring-WebApplications
I see only a short description of what settings should be made.
These are my settings:
shiro.ini:
[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
# This is the default value.  Change it if your CacheManager configured a
# different name:
sessionDAO.activeSessionsCacheName = shiro-activeSessionsCache
# Now have the native SessionManager use that DAO:
securityManager.sessionManager.sessionDAO = $sessionDAO
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
# Configure the above CacheManager on Shiro's SecurityManager
# to use it for all of Shiro's caching needs:
securityManager.cacheManager = $cacheManager
appRealm=com.deviq.banq.engine.shiro.AppRealm
securityManager.realms = $appRealm
[users]
admin=admin,ROLE_ADMIN
[roles]
ROLE_ADMIN = **
As you see, I want to use Shiro's native sessions and ehcache.

The Shiro part of my web.xml:
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>securityFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>securityFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
    </filter-mapping>

    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

As you see, the filters are embedded in the chain.


I'll try to describe the task step by step.
It is a stateless interaction, so I have a login form.
Should I still use the Shiro filter?

1. The REST client wants to access some method of the server.
It sends a request including a login and password (simple case).

2. The server gets the request, takes the login and password and tries to verify them.
   I just take the login and password from the request on the server side (String login,
String password) and am going to verify them by hand.
   I want to query the database about this user.
   Should I implement it myself, or is there some predefined Shiro
class to fulfill such a check?

3. Shiro creates a session.
You wrote:
"Shiro will create a session for you when the user logs in and set the
JSESSIONID cookie.  As long as the client sends back that JSESSIONID cookie
value on every request, the current Subject will reflect the remote user
correctly."
What settings specifically should be made for creating a session? Or did you
write about a web app, and is it applicable only to a web app having a login form?
Probably for a stateless interaction I should create this session by using
some code like
Subject requestSubject = new Subject.Builder().sessionId(sessionId).buildSubject()?


4. The server gets the SESSIONID and sends it back to the client.
How can I access this just-created session?
How can I obtain this SESSIONID (for sending it back to the client)?

5. The client includes the session id in every next request. The server finds the
session specific to this client by this id.
How can I find the session by SESSIONID?

I did not find a complete code example. I did not find answers to these
questions.
Could you provide a code example?

I hope for your help.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-generate-session-id-and-maintain-session-tp7578665p7578671.html
Sent from the Shiro User mailing list archive at Nabble.com.