AuthenticationStrategy
implementations.Authenticator implementations that performs the common work around authentication
attempts.Realm that authenticates with an LDAP
server to build the Subject for a user.NativeSessionManager interface, supporting
SessionListeners and application of the
globalSessionTimeout.RememberMeManager interface that handles
serialization and
encryption of the remembered user identity.DefaultSerializer as the serializer and
an AesCipherService as the cipherService.SessionDAO implementation that performs some sanity checks on session creation and reading and
allows for pluggable Session ID generation strategies if desired.sessionIdGenerator to be a
JavaUuidSessionIdGenerator.SessionManager interface, enabling configuration of an
application-wide globalSessionTimeout.ValidatingSessionManager interface.AuthenticationInfo and
AuthorizationInfo and represents authentication and authorization for a single account in a
single Realm.shiro-activeSessionCache.Realm that authenticates with an active directory LDAP
server to determine the roles for a particular user.aggregate argument without modification.aggregate method argument is not null and
aggregate.singleRealmInfo into the
aggregateInfo and then returns the aggregate.info into the aggregate argument and returns it (just as the
parent implementation does), but additionally ensures the following:
if the Throwable argument is not null, re-throws it to immediately cancel the
authentication process, since this strategy requires all realms to authenticate successfully.CacheManager has been set and is available for use via the
getCacheManager() method.applyCacheManagerToRealms() to allow the
newly set CacheManager to be propagated to the internal collection of Realm
that would need to use it.super.afterCacheManagerSet() and then immediately calls
applyCacheManagerToSessionManager() to ensure the
CacheManager is applied to the SessionManager as necessary.CacheManager instance being set on the realm instance via the
CachingRealm.setCacheManager(org.apache.shiro.cache.CacheManager) mutator.EventBus has been set and is available for use
via the getEventBus() method.realms to the internal delegate Authenticator instance so
that it may use them during authentication attempts.super.afterRealmsSet() and then sets these same Realm objects on this
instance's wrapped Authorizer.true when matching credentials no matter what arguments
are passed in.implies method always returns true.AnnotationHandler who processes annotations of the
specified type.AnnotationMethodInterceptor with the
AnnotationHandler that will be used to process annotations of a
corresponding type.AnnotationMethodInterceptor with the
AnnotationHandler that will be used to process annotations of a
corresponding type, using the specified AnnotationResolver to acquire annotations
at runtime.methodInterceptors attribute to contain two interceptors by default - the
RoleAnnotationMethodInterceptor and the
PermissionAnnotationMethodInterceptor to
support role and permission annotations.CacheManager on any internal configured
Realms that implement the CacheManagerAware interface.SessionManager is injected with the newly set
CacheManager so it may use it for its internal caching needs.SessionManager is injected with the newly set
EventBus so it may use it for its internal event needs.ModularRealmAuthorizer.getPermissionResolver() on any internal configured
Realms that implement the PermissionResolverAware interface.ModularRealmAuthorizer.getRolePermissionResolver() on any internal configured
Realms that implement the RolePermissionResolverAware interface.methodInterceptors collection, and for each one,
ensures that if the interceptor
supports
the invocation, that the interceptor
asserts
that the invocation is authorized to proceed.Subject is authenticated, and if not, throws an
UnauthenticatedException indicating the method is not allowed to be executed.MethodInvocation.Subject is NOT a user, that is, they do not
have an identity before continuing.Subject has the Annotation's specified permissions, and if not, throws an
AuthorizingException indicating access is denied.Subject has the Annotation's specified roles, and if not, throws an
AuthorizingException indicating that access is denied.Subject is a user, that is, they are either
authenticated or remembered via remember
me services before allowing access, and if not, throws an
AuthorizingException indicating access is not allowed.AuthenticationToken's credentials match the stored account
AuthenticationInfo's credentials, and if not, throws an AuthenticationException.Authorizer implementation methods to ensure that the realms
has been set.Callable instance matching the given argument while additionally ensuring that it will
retain and execute under this Subject's identity.Runnable instance matching the given argument while additionally ensuring that it will
retain and execute under this Subject's identity.Runnable with the currently executing subject
and then return the associated Runnable.Authenticator interface that functions in the following manner:
Calls template doAuthenticate method for subclass execution of the actual
authentication behavior.AuthenticationToken.Authenticator for authentication.Subject being built will be considered
authenticated.RequiresAuthentication annotations and ensures the calling subject is
authenticated before allowing access.RequiresAuthentication annotations.RequiresAuthenticated annotation
is declared, and if so, ensures the calling
Subject.RequiresAuthentication annotations in a method
declaration.SecurityManager class hierarchy that delegates all
authentication operations to a wrapped Authenticator instance.authenticator instance to a
ModularRealmAuthenticator.AuthenticationInfo represents a Subject's (aka user's) stored account information relevant to the
authentication/log-in process only.AuthenticationListener listens for notifications while Subjects authenticate with the system.AuthenticationStrategy implementation assists the ModularRealmAuthenticator during the
log-in process in a pluggable realm (PAM) environment.AuthorizationInfo represents a single Subject's stored authorization data (roles, permissions, etc)
used during authorization (access control) checks only.AuthorizingAnnotationHandler who processes annotations of the
specified type.handler is set which will be used to perform the
authorization assertion checks when a supported annotation is encountered.AuthorizingRealm extends the AuthenticatingRealm's capabilities by adding Authorization
(access control) support.SecurityManager class hierarchy that delegates all
authorization (access control) operations to a wrapped Authorizer instance.ModularRealmAuthorizer.new SimpleAuthenticationInfo();, which supports
aggregating account data across realms.token - called before any Realm is actually invoked.null immediately, relying on this class's merge implementation to return
only the first info object it encounters, ignoring all subsequent ones.aggregate method argument, without modification.Realm supports the given
token argument.SessionListeners for notification
that the session has been invalidated (stopped or expired).save(subject).Subject and SecurityManager to the
ThreadContext so they can be retrieved later by any
SecurityUtils.Subject.Builder instance, using the SecurityManager instance available
to the calling code as determined by a call to SecurityUtils.getSecurityManager()
to build the Subject instance.Subject.Builder instance which will use the specified SecurityManager when
building the Subject instance.Subject instance reflecting the cumulative state acquired by the
other methods in this class.sessionId.sessionId.Realm interface that provides caching support for subclasses.cachingEnabled (for general caching) to true and sets a
default name based on the class name.Permission.implies(Permission) implies} the specified Permission.implies the specified Permission.implies all of the
specified permission strings.implies all of the
specified permission strings.implies all of the
specified permission strings.implies all of the
specified permission strings.AuthorizationException if they do not.AuthorizationException if they do not.AuthorizationException if they do not.checkRoles(PrincipalCollection subjectPrincipal, Collection<String> roleIdentifiers) but doesn't require a collection
as an argument.checkRole for each role specified.AuthorizationException if they do not.checkRoles(Collection roleIdentifiers) but
doesn't require a collection as a an argument.InvalidSessionException indicating that the session id is invalid.removes the ThreadContext state.ThreadContext state.Map used to construct the
Subject instance.cipherService is available, it will be used to first decrypt the byte array.AbstractSessionDAO.doCreate(org.apache.shiro.session.Session) method, and then
asserting that the returned sessionId is not null.super.create(session), then caches the session keyed by the returned sessionId, and then
returns this sessionId.AuthenticationInfo resulting from a Subject's successful LDAP authentication attempt.InitialLdapContext instance.InitialLdapContext instance.Realm from the Ini instance containing account data.Session Session instance based on the specified (possibly null)
initialization data.Session instance based on the specified contextual initialization data.SimpleSession instance retaining the context's
host if one can be found.Subject instance for the user represented by the given method arguments.SubjectContext is as populated as it can be, using heuristics to acquire
data that may not have already been available to it (such as a referenced session or remembered principals).Subject instance reflecting the specified contextual data.cipherService.30 minutes.JdbcRealm.saltStyle is COLUMN.SecurityManager instance may be acquired, equal to
securityManager.AbstractValidatingSessionManager.setSessionValidationInterval(long)AnnotationResolver implementation that merely inspects the
MethodInvocation's target method,
and returns targetMethod.Environment implementation that stores Shiro objects as key-value pairs in a
Map instance.ConcurrentHashMap backing map.JndiLdapContextFactory implementation. This implementation will be removed
prior to Shiro 2.0Realm implementation utilizing Sun's/Oracle's
JNDI API as an LDAP API.LdapContextFactory instance to a
JndiLdapContextFactory.PasswordService interface that relies on an internal
HashService, HashFormat, and HashFormatFactory to function:
Hashing Passwords
Comparing Passwords
All hashing operations are performed by the internal hashService.SecurityManager interface,
based around a collection of Realms.realms.SessionContext interface which provides getters and setters that
wrap interaction with the underlying backing context map.SessionKey interface, which allows setting and retrieval of a concrete
sessionId that the SessionManager implementation can use to look up a
Session instance.ValidatingSessionManager.SessionStorageEvaluator that provides reasonable control over if and how Sessions may be used for
storing Subject state.SubjectContext interface.SubjectDAO implementation that stores Subject state in the Subject's Session by default (but this
can be disabled - see below).SubjectFactory implementation that creates DelegatingSubject
instances.Session.Subject interface that delegates
method calls to an underlying SecurityManager instance for security checks.DefaultSecurityManager.logout(org.apache.shiro.subject.Subject)..Subject instance.CachingSessionDAO.doDelete(org.apache.shiro.session.Session).session.serializer's
deserialize method.cacheManager via LifecycleUtils.destroy.Subject
session, but that Subject's sessions are disabled.Realms.AuthenticatingRealm.clearCachedAuthenticationInfo(org.apache.shiro.subject.PrincipalCollection).super.doClearCache to ensure any cached authentication data is removed and then calls
AuthorizingRealm.clearCachedAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) to remove any cached
authorization data.Subject instance by delegating to the internal
subjectFactory.true always no matter what the method arguments are.true if the provided token credentials match the stored account credentials,
false otherwise.token's credentials, potentially using a
salt if the info argument is a
SaltedAuthenticationInfo.token's credentials
(via getCredentials(token))
and then the account's credentials
(via getCredentials(account)) and then passes both of
them to the equals(tokenCredentials, accountCredentials) method for equality
comparison.DefaultLdapRealm.queryForAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken, LdapContextFactory),
wrapping any NamingExceptions in a Shiro AuthenticationException to satisfy the parent method
signature.namepath against the given pattern.AuthenticationStrategy object
as each realm is consulted for AuthenticationInfo for the specified token.null if a
session with that ID could not be found.Session's state to the underlying EIS.ScheduledExecutorService to validate sessions at fixed intervals
and enables this scheduler.cipherService.SecurityManager instance in the context, and if not, adds 'this' to the
context.Environment instance encapsulates all of the objects that Shiro requires to function.Environment instances or configuration.true if the tokenCredentials argument is logically equal to the
accountCredentials argument.true if the specified object is also a SimpleAccount and its
principals are equal to this object's principals, false otherwise.true if the Object argument is an instanceof SimpleAuthenticationInfo and
its principals are equal to this instance's principals, false otherwise.Subject and then
dispatches the associated Runnable to the underlying target Executor instance.Callable with this Subject instance and then executes it on the
currently running thread.Runnable with this Subject instance and then executes it on the
currently running thread.Subject executes a
Callable.ScheduledExecutorService to call ValidatingSessionManager.validateSessions() every
interval milliseconds.AuthenticationStrategy implementation that only accepts the account data from
the first successfully consulted Realm and ignores all subsequent realms.Subject instance.UUID.Random's nextLong() invocation.Session instance.session instance.key that is bound to
the current thread.CacheManager.Annotation instance of the specified type based on the given
MethodInvocation argument, or null if no annotation
of that type could be found.methodInvocation.value, from which the Permission will be constructed.Cache instance to use for authentication caching, or null if no cache has been
set.AuthenticationInfo instances are cached if authentication caching is enabled.AuthenticationInfo instances are cached if authentication caching is enabled.Cache to lookup from any available cacheManager if
a cache is not explicitly configured via AuthenticatingRealm.setAuthenticationCache(org.apache.shiro.cache.Cache).AuthenticationInfo corresponding to the specified
AuthenticationToken argument.AuthenticationListeners that should be notified during authentication
attempts.AuthenticationStrategy utilized by this modular authenticator during a multi-realm
log-in attempt.Authenticator instance that this SecurityManager uses to perform all
authentication operations.principals,
or null if no account could be found.sessionId or null if there is
no session cached under that id (or if there is no Cache).activeSessionsCache if
one is not configured.CipherService to use for encrypting and decrypting serialized identity data to prevent easy
inspection of Subject identity data.account identity.Hash instance representing the already-hashed AuthenticationInfo credentials stored in the system.token's credentials.account's credentials.this.authcInfo.getCredentials.password char array.CredentialsMatcher used during an authentication attempt to verify submitted
credentials with those stored in the system.null if no salt was used.null if no salt
was used or credentials were not hashed at all.null if no salt was used or credentials were not
hashed at all.null if none should be used.LdapContext).EventBus used by this SecurityManager and potentially any of its children components.AnnotationHandler used to perform authorization behavior based on
an annotation discovered at runtime.Hash algorithmName to use
when performing hashes for credentials matching.AuthenticationToken's credentials will be hashed before
comparing to the credentials stored in the system.Subject is initiating the
Session.null
if the host is unknown.Subject's originating location.info.Session last interacted with the system.DefaultLdapContextFactory.getLdapContext(Object, Object) method should be used in all cases to ensure more than
String principals and credentials can be used. Shiro no longer calls this method - it will be
removed before the 2.0 release.JndiLdapContextFactory.getLdapContext(Object, Object) method should be used in all cases to ensure more than
String principals and credentials can be used. Shiro no longer calls this method - it will be
removed before the 2.0 release.LdapContextFactory.getLdapContext(Object, Object) method should be used in all cases to ensure more than
String principals and credentials can be used.LdapContext connection bound using the specified principal and
credentials.Method to be invoked.Realm.null if
no object with that name was found.Permissions assigned to the corresponding Subject.null
Subject before assuming the current
runAs identity, or null if this Subject is not operating under an assumed
identity (normal state).Realm principals, or null if there are
no principals yet.getUsername().null if this
Subject is anonymous because it doesn't yet have any associated account data (for example,
if they haven't logged in).PrincipalCollection or
null if this Subject is anonymous because it doesn't yet have any associated account data (for example,
if they haven't logged in).Subject should reflect.Authenticator during an authentication attempt.Authorizer which are consulted during an authorization check.Realms managed by this SecurityManager instance.JNDI name and returns all
discovered Realms in an ordered collection.Realm instances that will be used to construct
the application's SecurityManager instance.acquiring
the remembered serialized byte array.null if there is no available data.AnnotationResolver to use to acquire annotations from intercepted
methods at runtime.null
this.authzInfo.getRoles();AuthenticationInfo
returned from the Realm is a SaltedAuthenticationInfo instance and its
getCredentialsSalt() method returns a non-null value.
This method and the 1.0 behavior still exists for backwards compatibility if the Realm does not return
SaltedAuthenticationInfo instances, but it is highly recommended that Realm implementations
that support hashed credentials start returning SaltedAuthenticationInfo
instances as soon as possible.
This is because salts should always be obtained from the stored account information and
never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for
attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user
are almost impossible to break. This method will be removed in Shiro 2.0.SecurityManager instance accessible in the backing map using the
securityManagerName property as the lookup key.SecurityManager instance.Subject instance or
null if one has not yet been provided to this context.SecurityManager instance in the backing map.Serializer used to serialize and deserialize PrincipalCollection instances for
persistent remember me storage.null if no Session could be found.Session associated with this Subject.Session associated with this Subject.Session to use when building the Subject instance.SessionFactory used to generate new Session instances.Subject instance.SessionIdGenerator used by the AbstractSessionDAO.generateSessionId(org.apache.shiro.session.Session)
method.SessionManager.SessionStorageEvaluator that will determine if a Subject's state may be persisted in
the Subject's session.Session started (was created).Subject associated with the currently-executing code.Subject associated with the currently-executing code.Executor instance.Subject available to the calling code depending on
runtime environment.Subject that may be in use at the time the new Subject instance is
being created.Subject instance managed by this ThreadState implementation.Subject instance, available to subclasses
since the context class attribute is marked as private.SubjectDAO responsible for persisting Subject state, typically used after login or when an
Subject identity is discovered (eg after RememberMe services).SubjectFactory responsible for creating Subject instances exposed to the application.JndiLdapContextFactory.getLdapContext(Object, Object) using the
systemUsername and systemPassword properties as
arguments.LdapContext connection bound using the system account, or
anonymously if no system account is configured.systemUsername that will be used when creating an
LDAP connection used for authorization queries.Session.getTimeout().get operation but additionally ensures that the value returned is of the specified
type.LdapContext from the LdapContextFactory.null if no
userDnTemplate has been configured.setUserDnTemplate JavaDoc for a full explanation.System.getProperty("java.version").RequiresGuest annotation
is declared, and if so, ensures the calling Subject does not
have an identity before invoking the method.RequiresGuest annotations in a method
declaration.RequiresGuest annotation
is declared, and if so, ensures the calling Subject does not
have an identity before invoking the method.RequiresGuest annotations in a method
declaration.true iff any of the configured realms'
ModularRealmAuthorizer.hasRole(org.apache.shiro.subject.PrincipalCollection, String) call returns true for
all roles specified, false otherwise.true if this Subject has all of the specified roles, false otherwise.principals are not null, returns principals.hashCode(), otherwise
returns 0 (zero).principals instance.HashedCredentialMatcher provides support for hashing of supplied AuthenticationToken credentials
before being compared to those in the AuthenticationInfo from the data store.hashAlgorithmName to hash submitted
credentials.HashingPasswordService is a PasswordService that performs password encryption and comparisons
based on cryptographic Hashes.token's credentials using the salt stored with the account if the
info instance is an instanceof SaltedAuthenticationInfo (see
the class-level JavaDoc for why this is the preferred approach).hashIterations times, using the given salt.true if any of the configured realms'
ModularRealmAuthorizer.hasRole(org.apache.shiro.subject.PrincipalCollection, String) call returns true,
false otherwise.true if this Subject has the specified role, false otherwise.ModularRealmAuthorizer.hasRole(org.apache.shiro.subject.PrincipalCollection, String) for each role name in the specified
collection and places the return value from each call at the respective location in the returned array.Subject being built will reflect the specified host name or IP as its originating
location.HostAuthenticationToken retains the host information from where
an authentication attempt originates.Session interface that proxies another Session, but does not
allow any 'write' operations to the underlying session.Session.true if this current instance implies all the functionality and/or resource access
described by the specified Permission argument, false otherwise.Environment mechanisms instead.Ini argument.Ini resolved from the specified
resourcePath.Environment mechanisms instead.PermissionResolver.resolvePermission(String) when the String being parsed is not
valid for that resolver.MethodInvocation, allowing implementations to perform pre/post/finally
surrounding the actual invocation.methodInvocation is allowed to execute first before proceeding by calling the
assertAuthorized method first.methodInvocation.true if this Subject/user proved their identity during their current session
by providing valid credentials matching those known to the system, false otherwise.true if the constructed Subject should be considered authenticated, false
otherwise.true if authentication caching should be utilized if a CacheManager has been
configured, false otherwise.true if authentication caching should be utilized based on the specified
AuthenticationToken and/or AuthenticationInfo, false otherwise.true if authorization caching should be utilized if a CacheManager has been
configured, false otherwise.true if sessions should be automatically deleted after they are discovered to be invalid,
false if invalid sessions will be manually deleted by some process external to Shiro's control.true if this collection is empty, false otherwise.true if this Scheduler is enabled and ready to begin validation at the appropriate time,
false otherwise.AuthenticationInfo
returned from the Realm is a SaltedAuthenticationInfo instance and its
getCredentialsSalt() method returns a non-null value.
This method and the 1.0 behavior still exists for backwards compatibility if the Realm does not return
SaltedAuthenticationInfo instances, but it is highly recommended that Realm implementations
that support hashed credentials start returning SaltedAuthenticationInfo
instances as soon as possible.
This is because salts should always be obtained from the stored account information and
never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for
attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user
are almost impossible to break. This method will be removed in Shiro 2.0.true if this Account is locked and thus cannot be used to login, false otherwise.true if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, String) returns true,
false otherwise.true if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, Permission) call returns true,
false otherwise.true if any of the configured realms'
ModularRealmAuthorizer.isPermittedAll(org.apache.shiro.subject.PrincipalCollection, String...) call returns
true, false otherwise.true if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, List) call returns true,
false otherwise.true if this Subject is permitted to perform an action or access a resource summarized by the
specified permission string.true if this Subject is permitted to perform an action or access a resource summarized by the
specified permission.true if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, String) call returns true
for all of the specified string permissions, false otherwise.true if any of the configured realms'
ModularRealmAuthorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, Permission) call returns true
for all of the specified Permissions, false otherwise.true if this Subject implies all of the specified permission strings, false otherwise.true if this Subject implies all of the specified permissions, false otherwise.true if LDAP connection pooling should be used when acquiring a connection based on the specified
account principal, false otherwise.true if this Subject has an identity (it is not anonymous) and the identity
(aka principals) is remembered from a successful authentication during a previous
session.true if the submitting user wishes their identity (principal(s)) to be remembered
across sessions, false otherwise.true if this Subject is 'running as' another identity other than its original one or
false otherwise (normal Subject state).true if the constructed Subject should be allowed to create a session, false
otherwise.true if this Subject is allowed to create sessions, false otherwise.Session (typically because an application developer
has called subject.getSession() already), Shiro will use that existing session to store subject state.true if any Subject's Session may be used to persist that Subject's state,
false otherwise.true if the specified Subject's
session may be used to persist that Subject's
state, false otherwise.true if the system's stored credential hash is Hex encoded, false if it
is Base64 encoded.true if the associated session is valid (it exists and is not stopped nor expired),
false otherwise.SessionIdGenerator that generates String values of JDK UUID's as the session IDs.LdapContextFactory implementation using the default Sun/Oracle JNDI Ldap API, utilizing JNDI
environment properties and an InitialContext.environment template with
the contextFactoryClassName equal to
com.sun.jndi.ldap.LdapCtxFactory (the Sun/Oracle default) and the default
referral behavior to follow.DefaultLdapRealm, this class will be removed prior to 2.0jndiNames.LdapContext objects that are used by DefaultLdapRealms to
perform authentication attempts and query for authorization data.classpath:shiro.ini file, or null if
the file does not exist.AuthenticationToken argument, and if successful, constructs a
Subject instance representing the authenticated account's identity.authenticationToken, returning an updated Subject
instance reflecting the authenticated state if successful or throwing AuthenticationException if it is
not.Session and authorization data.SecurityManager instance in the backing map without performing any non-null guarantees.MapContext provides a common base for context-based data storage in a Map.true if the given source matches the specified pattern,
false otherwise.hashAlgorithmName property.hashAlgorithmName property.ConcurrentMap.AuthenticationInfo interface to be implemented by
classes that support merging with other AuthenticationInfo instances.AuthenticationInfo into this instance.info argument into the aggregate argument and then returns an
aggregate for continued use throughout the login process.aggregate instance if is non null and valid (that is, has principals and they are
not empty) immediately, or, if it is null or not valid, the info argument is returned instead.AuthenticationInfo into this Account.info argument and adds its principals and credentials into this instance.Subject.getPrincipals() with whatever may be in
any available session.ModularRealmAuthenticator delegates account lookups to a pluggable (modular) collection of
Realms.enables an
AtLeastOneSuccessfulStrategy by default.Realms during an authorization operation.Realms to consult during an authorization check.PrincipalCollection that allows modification.Native session manager is one that manages sessions natively - that is, it is directly responsible
for the creation, persistence and removal of Session instances and their
lifecycles.SubjectContext instance to be used to populate with subject contextual data that
will then be sent to the SecurityManager to create a new Subject instance.DefaultSubjectFactory.createSubject(org.apache.shiro.subject.SubjectContext) directly if you
need to instantiate a custom Subject class.AuthenticationListeners that
authentication failed for the
specified token which resulted in the specified ae exception.AuthenticationListeners that a
Subject has logged-out.SessionListeners that a Session has started.AuthenticationListeners that
authentication was successful for the specified token which resulted in the specified
info.value argument is not null.null if there are none
of the specified type.forgetting any
previously remembered identity.Subject has failed.notifyLogout to allow any registered listeners
to react to the logout.Subject logs-out of the system.Subject logs out of the system.super.onLogout(principals) to ensure a logout notification is issued, and for each
wrapped Realm that implements the LogoutAware interface, calls
((LogoutAware)realm).onLogout(principals) to allow each realm the opportunity to perform
logout/cleanup operations during an user-logout.forgets any previously stored identity and returns.Session.stop() or automatically upon a subject logging out.Subject has succeeded.forgetting any previously
stored identity.SecurityUtils and
ShiroException.CredentialsMatcher
interface and its supporting implementations.Realms).Permission
interface.Executor, ExecutorService,
and ScheduledExecutorService implementations for transparent
Subject association with threads in an asynchronous execution environment.SecurityManager interface and a default implementation
hierarchy for managing all aspects of Shiro's functionality in an application.Realm interface.Files or
text streams.SessionManager components supporting enterprise session management.Subject interface, the most important concept in
Shiro's API.org.apache.shiro.subject interfaces.CredentialsMatcher that employs best-practices comparisons for hashed text passwords.PasswordService supports common use cases when using passwords as a credentials mechanism.true if the submittedPlaintext password matches the existing savedPasswordHash,
false otherwise.true if the submittedPlaintext password matches the existing saved password,
false otherwise.RequiresPermissions annotation is
declared, and if so, performs a permission check to see if the calling Subject is allowed continued
access.RequiresPermissions annotations.RequiresPermissions annotation is declared, and if so, performs
a permission check to see if the calling Subject is allowed to call the method.RequiresPermissions annotations in a method declaration.PermisisonResolver resolves a String value and converts it into a
Permission instance.Subject.PrincipalMap is map of all of a subject's principals - its identifying attributes like username, userId,
etc.Subject being built will reflect the specified principals (aka identity).TextConfigurationRealm that defers all logic to the parent class, but just enables
Properties based configuration in addition to the parent class's String configuration.Session implementation that immediately delegates all corresponding calls to an
underlying proxied session instance.target.key to the current thread.AuthenticationInfo object by querying the active directory LDAP context for the
specified username.AuthenticationInfo object by querying the LDAP context for the
specified username.discovered principal and provided
credentials.AuthorizationInfo object by querying the active directory LDAP context for the
groups that a user is a member of.AuthorizationInfo object by querying the LDAP context for the
specified principal.AuthorizationInfo object by querying the LDAP context for the
specified principal.Random instance to generate random IDs.AbstractSessionDAO.doReadSession(java.io.Serializable) method.sessionId.Realm instances
in any manner desired.SecurityManager class hierarchy based around a collection of
Realms.PatternMatcher implementation that uses standard java.util.regex objects.#runAs runAs was called.converting them to a byte
array and then remembers that
byte array.AuthenticationToken that indicates if the user wishes their identity to be remembered across sessions.AbstractRememberMeManager.getRememberedSerializedIdentity(SubjectContext) method.key from the current
thread.Removes the underlying ThreadLocal from the thread.throws an InvalidSessionException in all
cases because this proxy is immutable.Session under the given attributeKey.key name.Class.Subject to have all of the
specified roles.WildcardPermission instance constructed based on the specified
permissionString.PrincipalCollection) for the context using heuristics.SecurityManager instance that should be used to back the constructed Subject
instance (typically used to support DelegatingSubject implementations).Session to ensure it may be referenced if necessary by the
invoked SubjectFactory that performs actual Subject construction.Removes all thread-state that was bound by this instance.bind was invoked.RequiresRoles annotation is declared, and if so, performs
a role check to see if the calling Subject is allowed to proceed.RequiresRoles annotations.RequiresRoles annotation is declared, and if so, performs
a role check to see if the calling Subject is allowed to invoke the method.RequiresRoles annotations in a method declaration.Permission instances.Binds the Subject thread state, executes the target Runnable and then guarantees
the previous thread state's restoration:
try {
threadState.session only
if sessionStorageEnabled(subject).session.SecurityManager executes all security operations for all Subjects (aka users) across a
single application.Subject for the calling code depending on runtime environment.principals by serializing them to a byte array by using the
serializer's serialize method.Session is a stateful data context associated with a single Subject (user, daemon process,
etc) who interacts with a software system over a period of time.Subject being built will use the specified Session instance.SessionContext is a 'bucket' of data presented to a SessionFactory which interprets
this data to construct Session instances.Session if one does not
already exist.Session access to an
EIS (Enterprise Information System).Session instances.SessionDAO
implementations.SessionKey is a key that allows look-up of any particular Session
instance.Session's life cycle.SessionListener interface, effectively providing
no-op implementations of all methods.Sessions.SecurityManager class hierarchy that delegates all
session operations to a wrapped
SessionManager instance.SessionManager delegate
instance.Subject's Session
to persist that Subject's internal state.CacheManager.throws an InvalidSessionException in all
cases because this proxy is immutable.value to the associated session uniquely identified by the attributeKey.value to this session, uniquely identified by the specified
key name.Subject instance should be considered as authenticated.Cache instance to use for authentication caching.Cache to lookup from any available cacheManager if
a cache is not explicitly configured via AuthenticatingRealm.setAuthenticationCache(org.apache.shiro.cache.Cache).CacheManager has been
configured, false otherwise.AuthenticationListeners that should be notified during authentication
attempts.AuthenticationStrategy utilized during multi-realm log-in attempts.Authenticator instance that this SecurityManager uses to perform all
authentication operations.CacheManager has been
configured, false otherwise.SecurityManager and potentially any of its
children components.activeSessionsCache if
one is not configured.CacheManager has been
configured.CipherService to use for encrypting and decrypting serialized identity data to prevent easy
inspection of Subject identity data.principals, such as a password or private key.null if no salt
is used or credentials are not hashed at all.null if no salt was used or credentials were not
hashed at all.SecurityManager and potentially any of its
children components.AnnotationHandler used to perform authorization behavior based on
an annotation discovered at runtime.Hash algorithmName to use
when performing hashes for credentials matching.AuthenticationToken's credentials will be hashed before comparing
to the credentials stored in the system.AuthenticationInfo
returned from the Realm is a SaltedAuthenticationInfo instance and its
getCredentialsSalt() method returns a non-null value.
This method and the 1.0 behavior still exists for backwards compatibility if the Realm does not return
SaltedAuthenticationInfo instances, but it is highly recommended that Realm implementations
that support hashed credentials start returning SaltedAuthenticationInfo
instances as soon as possible.
This is because salts should always be obtained from the stored account information and
never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for
attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user
are almost impossible to break. This method will be removed in Shiro 2.0.Subject is initiating the
Session.Subject's originating location.Realm.LdapContextFactory implementation that is used to create LDAP connections for
authentication and authorization.WildcardPermission.PermissionResolver on all of the wrapped realms that
implement the PermissionResolverAware interface.Subject should reflect.LdapContextFactory.RealmSecurityManager.setRealms(java.util.Collection<org.apache.shiro.realm.Realm>) method.Authorizer which are consulted during an authorization check.AnnotationResolver to use to acquire annotations from intercepted
methods at runtime.RolePermissionResolver on all of the wrapped realms that
implement the PermissionResolverAware interface.LdapContextFactory.getSubject() implementation.Subject instance
(typically used to support DelegatingSubject implementations).SecurityManager instance in the backing map.Serializer used to serialize and deserialize PrincipalCollection instances for
persistent remember me storage.Session to use when building the Subject instance.Subject instance should be allowed to create a session,
false otherwise.SessionFactory used to generate new Session instances.Subject instance.SessionIdGenerator used by the AbstractSessionDAO.generateSessionId(org.apache.shiro.session.Session)
method.SessionManager instance that will be used to support this implementation's
SessionManager method calls.Session may be used to persist that Subject's state.SessionStorageEvaluator that will determine if a Subject's state may be persisted in
the Subject's session.setSessionValidationScheduler method is
never called) , this method allows one to specify how
frequently session should be validated (to check for orphans).Subject that may be in use at the time the new Subject instance is
being created.SubjectDAO responsible for persisting Subject state, typically used after login or when an
Subject identity is discovered (eg after RememberMe services).SubjectFactory responsible for creating Subject instances exposed to the application.LdapContextFactory.systemUsername that will be used when creating an
LDAP connection used for authorization queries.LdapContextFactory.throws an InvalidSessionException in all
cases because this proxy is immutable.LdapContextFactory.username = password, role1, role2,...hashAlgorithmName property.hashAlgorithmName property.hashAlgorithmName property.hashAlgorithmName property.true if the Ini contains account data and a Realm should be implicitly
created to reflect the account data, false if no realm should be implicitly
created.Account interface that
contains principal and credential and authorization information (roles and permissions) as instance variables and
exposes them via getters and setters using standard JavaBean notation.Realm interface that
uses a set of configured user accounts and roles to support authentication and authorization.MergableAuthenticationInfo interface that holds the principals and
credentials.AuthorizationInfo interface that stores roles and permissions as internal
attributes.MutablePrincipalCollection interface that tracks principals internally
by storing them in a LinkedHashMap.PrincipalMap interface.Session JavaBeans-compatible POJO implementation, intended to be used on the
business/server tier.SessionFactory implementation that generates SimpleSession instances.0 if the collection is null.0 if the map is null.throws an InvalidSessionException in all
cases because this proxy is immutable.Subject represents state and security operations for a single application user.Subject instances in a simplified way without
requiring knowledge of Shiro's construction techniques.ExecutorService implementation that will automatically first associate any argument
Runnable or Callable instances with the currently available subject and then
dispatch the Subject-enabled runnable or callable to an underlying delegate
ExecutorService instance.SubjectAwareExecutorService but additionally supports the
ScheduledExecutorService interface.SubjectContext is a 'bucket' of data presented to a SecurityManager which interprets
this data to construct Subject instances.SubjectDAO is responsible for persisting a Subject instance's internal state such that the Subject instance
can be recreated at a later time if necessary.SubjectFactory is responsible for constructing Subject instances as needed.SubjectRunnable ensures that a target/delegate Runnable will execute such that any
call to SecurityUtils.SubjectRunnable that, when executed, will execute the target delegate, but
guarantees that it will run associated with the specified Subject.SubjectRunnable that, when executed, will perform thread state
binding and guaranteed restoration before and after the
Runnable's execution, respectively.Subject access (supporting
SecurityUtils.SubjectThreadState that will bind and unbind the specified Subject to the
threadtrue if this interceptor supports, that is, should inspect, the specified
MethodInvocation, false otherwise.AuthenticationToken instance, false otherwise.ThreadState instance manages any state that might need to be bound and/or restored during a thread's
execution.InvalidSessionException indicating that this proxy is immutable.principals.toString() if they are not null, otherwise prints out the string
"empty"principals.toString()getClass().getName() + ",id=" + getId().throws an InvalidSessionException in all
cases because this proxy is immutable.sessionId.lastAccessTime of this session to the current time when
this method is invoked.SecurityManager instance, but Shiro's
lookup heuristics cannot find one.DefaultSecurityManager.delete(org.apache.shiro.subject.Subject)AuthenticationToken implementation is encountered that is not
supported by one or more configured Realms.CachingSessionDAO.doUpdate(org.apache.shiro.session.Session).{@link Session#getId() session.getId()}.RequiresUser annotation
is declared, and if so, ensures the calling Subject is either
authenticated or remembered via remember
me services before allowing access.RequiresUser annotations.RequiresUser annotation
is declared, and if so, ensures the calling Subject is either
authenticated or remembered via remember
me services before invoking the method.RequiresUser annotations in a method
declaration.host and a
rememberMe default of false.host and
a rememberMe default of false
This is a convenience constructor and maintains the password internally via a character
array, i.e.environment settings and throws an exception if a problem
exists.ValidatingSession is a Session that is capable of determining it is valid or not and
is able to validate itself if necessary.WildcardPermission is a very flexible permission construct supporting multiple levels of
permission matching.WildcardPermission
based on the input string.Copyright © 2004–2017 The Apache Software Foundation. All rights reserved.