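Shiro provides three default implementations:
- DefaultSessionManager: the default implementation used by DefaultSecurityManager, for Java SE environments;
- ServletContainerSessionManager: the default implementation used by DefaultWebSecurityManager, for web environments; it uses the Servlet container's sessions directly;
- DefaultWebSessionManager: an implementation for web environments that can replace ServletContainerSessionManager; it maintains sessions itself and bypasses the Servlet container's session management entirely.

My cockpit (dashboard) project uses the default ServletContainerSessionManager. In a Servlet container, the session is maintained through the JSESSIONID cookie by default, and by default the session is bound to the container.

- org.apache.shiro.web.session.HttpServletSession implements org.apache.shiro.session.Session and holds a javax.servlet.http.HttpSession field.
- org.apache.shiro.web.servlet.ShiroHttpSession implements javax.servlet.http.HttpSession and holds an org.apache.shiro.session.Session field.

So,
- either you use HttpServletSession, the Session implementation that Shiro creates by default, which wraps the HttpSession information;
- or the user creates a ShiroHttpSession, an HttpSession implementation, which wraps the Shiro Session information.

The mapping is:
- ServletContainerSessionManager corresponds to HttpServletSession
- DefaultWebSessionManager corresponds to ShiroHttpSession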

```java
// Excerpt from ServletContainerSessionManager#createSession(SessionContext)
HttpSession httpSession = request.getSession();

//SHIRO-240: DO NOT use the 'globalSessionTimeout' value here on the acquired session.
//see: https://issues.apache.org/jira/browse/SHIRO-240

String host = getHost(sessionContext);

return createSession(httpSession, host);
```

```java
public HttpServletSession(HttpSession httpSession, String host) {
    if (httpSession == null) {
        String msg = "HttpSession constructor argument cannot be null.";
        throw new IllegalArgumentException(msg);
    }
    // Refuse to wrap Shiro's own HttpSession adapter, which would create a cycle
    if (httpSession instanceof ShiroHttpSession) {
        String msg = "HttpSession constructor argument cannot be an instance of ShiroHttpSession.  This " +
                "is enforced to prevent circular dependencies and infinite loops.";
        throw new IllegalArgumentException(msg);
    }
    this.httpSession = httpSession;
    if (StringUtils.hasText(host)) {
        setHost(host);
    }
}
```

The two snippets above show the default case: an HttpServletSession is constructed from an HttpSession.

```java
public ShiroHttpSession(Session session, HttpServletRequest currentRequest, ServletContext servletContext) {
    if (session instanceof HttpServletSession) {
        String msg = "Session constructor argument cannot be an instance of HttpServletSession.  This is enforced to " +
                "prevent circular dependencies and infinite loops.";
        throw new IllegalArgumentException(msg);
    }
    this.session = session;
    this.currentRequest = currentRequest;
    this.servletContext = servletContext;
}
```

The code above builds a ShiroHttpSession (an HttpSession) from a Shiro Session.
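
```java
package javax.servlet.http;

public interface HttpSession {
    // interface body not shown on this page
}
```

```java
package org.apache.shiro.session;

public interface Session {
    // interface body not shown on this page
}
```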
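
The choice between the two web session managers described above can be made explicitly when building the security manager. The following is an added example, not code from the original page or from the Shiro project; the class name `SessionManagerChoice`, the cookie name `SHIRO_SID` and the 30-minute timeout are assumptions chosen for illustration.

```java
import org.apache.shiro.realm.Realm;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.session.mgt.ServletContainerSessionManager;

/** Hypothetical helper: builds a web SecurityManager with either session strategy. */
public final class SessionManagerChoice {

    private SessionManagerChoice() {
    }

    /**
     * Container-managed sessions: Shiro wraps the container's HttpSession in an
     * HttpServletSession. Timeout and cookie flags are the container's settings
     * (for example session-config in web.xml), not Shiro's; see SHIRO-240 above.
     */
    public static DefaultWebSecurityManager containerSessions(Realm realm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(realm);
        // Already the default for DefaultWebSecurityManager; set here to make the choice visible.
        securityManager.setSessionManager(new ServletContainerSessionManager());
        return securityManager;
    }

    /**
     * Shiro-managed ("native") sessions: Shiro owns the session and exposes it to
     * servlet code as a ShiroHttpSession, so cookie and timeout are configured here.
     */
    public static DefaultWebSecurityManager nativeSessions(Realm realm) {
        // Constructed cookie name, chosen so it does not collide with the container's JSESSIONID.
        SimpleCookie sessionCookie = new SimpleCookie("SHIRO_SID");
        sessionCookie.setHttpOnly(true); // keep the session id away from page scripts
        sessionCookie.setSecure(true);   // send the cookie over HTTPS only
        sessionCookie.setMaxAge(-1);     // browser-session cookie, not persisted

        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionIdCookie(sessionCookie);
        sessionManager.setSessionIdUrlRewritingEnabled(false); // no session id in URLs
        sessionManager.setGlobalSessionTimeout(30 * 60 * 1000L); // assumed value: 30 minutes, in ms

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(realm);
        securityManager.setSessionManager(sessionManager);
        return securityManager;
    }
}
```

Compiling this requires shiro-web and the Servlet API on the classpath; `setSessionIdUrlRewritingEnabled` is only available in Shiro releases that include that property.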