shiro的session都是存在缓存中的,所有会有一个sessionDAO的类来做CRUD操作,这个类就是org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO。
它继承了CachingSessionDAO这个类,而这个类又是AbstractSessionDAO的子类和CacheManagerAware的实现类,源码如下:
public class EnterpriseCacheSessionDAO extends CachingSessionDAO {
public EnterpriseCacheSessionDAO() {
setCacheManager(new AbstractCacheManager() {
@Override
protected Cache<Serializable, Session> createCache(String name) throws CacheException {
return new MapCache<Serializable, Session>(name, new ConcurrentHashMap<Serializable, Session>());
}
});
}
protected Serializable doCreate(Session session) {
Serializable sessionId = generateSessionId(session);
assignSessionId(session, sessionId);
return sessionId;
}
protected Session doReadSession(Serializable sessionId) {
return null; //should never execute because this implementation relies on parent class to access cache, which
//is where all sessions reside - it is the cache implementation that determines if the
//cache is memory only or disk-persistent, etc.
}
protected void doUpdate(Session session) {
//does nothing - parent class persists to cache.
}
protected void doDelete(Session session) {
//does nothing - parent class removes from cache.
}
}从源码可以看出doReadSession、doUpdate和doDelete方法没有实体代码。我们自己的类继承EnterpriseCacheSessionDAO并重写相应的方法即可:
package org.liuyuantao.kms.shiro;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.ValidatingSession;
import org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.transaction.annotation.Transactional;
import java.io.Serializable;
import java.util.List;
@Transactional
public class CustomSessionDAO extends EnterpriseCacheSessionDAO {
@Autowired
private JdbcTemplate jdbcTemplate;
@Override
protected Serializable doCreate(Session session) {
Serializable sessionId = generateSessionId(session);
assignSessionId(session, sessionId);
String sql = "insert into app_session(id, session) values(?,?)";
jdbcTemplate.update(sql, sessionId,
SerializableUtils.serialize(session));
return session.getId();
}
@Override
protected Session doReadSession(Serializable sessionId) {
String sql = "select session from app_session where id=?";
List<String> sessionStrList = jdbcTemplate.queryForList(sql,
String.class, sessionId);
if (sessionStrList.size() == 0)
return null;
return SerializableUtils.deserialize(sessionStrList.get(0));
}
@Override
protected void doUpdate(Session session) {
if (session instanceof ValidatingSession
&& !((ValidatingSession) session).isValid()) {
return;
}
String sql = "update app_session set session=? where id=?";
jdbcTemplate.update(sql, SerializableUtils.serialize(session),
session.getId());
}
@Override
protected void doDelete(Session session) {
String sql = "delete from app_session where id=?";
jdbcTemplate.update(sql, session.getId());
}
}
Spring的配置文件添加bean的配置:
<!-- Session ID 生成器-->
<bean id="sessionIdGenerator"
class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/>
<!-- Session DAO. 继承 EnterpriseCacheSessionDAO -->
<bean id="sessionDAO"
class="org.liuyuantao.kms.shiro.CustomSessionDAO">
<property name="activeSessionsCacheName" value="shiro-activeSessionCache"/>
<property name="sessionIdGenerator" ref="sessionIdGenerator"/>
</bean>
<!-- 会话管理器-->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<property name="globalSessionTimeout" value="1800000"/>
<property name="deleteInvalidSessions" value="true"/>
<property name="sessionDAO" ref="sessionDAO"/>
<property name="sessionValidationSchedulerEnabled" value="true"/>
</bean>这里要特别注意下sessionManager的class,web应用的话最好使用DefaultWebSessionManager,如果使用DefaultWebSessionManager的父类DefaultSessionManager,可能会出现一些想不到的后果,比如使用kaptcha来实现验证码的时候一直是验证码不正确,因为session的上下文不是在web环境...
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
