shiro session HttpSession servlet session

Shiro 提供了三个默认实现：

1. DefaultSessionManager：DefaultSecurityManager 使用的默认实现，用于 JavaSE 环境；
2. ServletContainerSessionManager：DefaultWebSecurityManager 使用的默认实现，用于 Web环境，其直接使用 Servlet 容器的会话；
3. DefaultWebSessionManager ： 用 于 Web 环 境 的 实 现 ， 可 以 替 代ServletContainerSessionManager，自己维护着会话，直接废弃了 Servlet 容器的会话管理

我的驾驶舱项目中用的默认的ServletContainerSessionManager,在 Servlet 容器中，默认使用 JSESSIONID Cookie 维护会话，且会话默认是跟容器绑定的

org.apache.shiro.web.session.HttpServletSession继承org.apache.shiro.session.Session,含有javax.servlet.http.HttpSession域org.apache.shiro.web.servlet.ShiroHttpSession继承javax.servlet.http.HttpSession;含有org.apache.shiro.session.Session域

所以,

1. 要么是使用shiro默认创建的Session的子类对象HttpServletSession,其中包含了HttpSession信息
2. 要么是使用者重新创建HttpSession的子类对象ShiroHttpSession,其中包含了shiro的Session信息

ServletContainerSessionManager对应HttpServletSession

DefaultWebSessionManager对应ShiroHttpSession

        HttpSession httpSession = request.getSession();

        //SHIRO-240: DO NOT use the 'globalSessionTimeout' value here on the acquired session.
        //see: https://issues.apache.org/jira/browse/SHIRO-240

        String host = getHost(sessionContext);

        return createSession(httpSession, host);

public HttpServletSession(HttpSession httpSession, String host) {
        if (httpSession == null) {
            String msg = "HttpSession constructor argument cannot be null.";
            throw new IllegalArgumentException(msg);
        }
        if (httpSession instanceof ShiroHttpSession) {
            String msg = "HttpSession constructor argument cannot be an instance of ShiroHttpSession.  This " +
                    "is enforced to prevent circular dependencies and infinite loops.";
            throw new IllegalArgumentException(msg);
        }
        this.httpSession = httpSession;
        if (StringUtils.hasText(host)) {
            setHost(host);
        }
    }

  上两段代码,是默认情况下,利用HttpSession 构造HttpServletSession;

    public ShiroHttpSession(Session session, HttpServletRequest currentRequest, ServletContext servletContext) {
        if (session instanceof HttpServletSession) {
            String msg = "Session constructor argument cannot be an instance of HttpServletSession.  This is enforced to " +
                    "prevent circular dependencies and infinite loops.";
            throw new IllegalArgumentException(msg);
        }
        this.session = session;
        this.currentRequest = currentRequest;
        this.servletContext = servletContext;
    }

 上述代码,利用shiro Session自建ShiroHttpSession(HttpSession)

package javax.servlet.http;

public interface HttpSession {

package org.apache.shiro.session;


public interface Session {