shiro-commits mailing list archives

From lhazlew...@apache.org
Subject svn commit: r795434 - in /incubator/shiro/trunk: core/src/main/java/org/apache/shiro/session/ core/src/main/java/org/apache/shiro/session/mgt/ core/src/test/java/org/apache/shiro/session/mgt/ web/src/main/java/org/apache/shiro/web/servlet/ web/src/test...
Date Sat, 18 Jul 2009 21:33:34 GMT
Author: lhazlewood
Date: Sat Jul 18 21:33:31 2009
New Revision: 795434

URL: http://svn.apache.org/viewvc?rev=795434&view=rev
Log:
AbstractSessionManager#applyGlobalSessionTimeout was not persisting the session timeout change
back to the persistent store - fixed this.  Also modified documentation.  Also added 'updateSessionLastAccessTime'
to the ShiroFilter to ensure that the sessions' lastAccessTime was accurately being updated
for 'native' (non servlet container) sessions.

Modified:
    incubator/shiro/trunk/core/src/main/java/org/apache/shiro/session/Session.java
    incubator/shiro/trunk/core/src/main/java/org/apache/shiro/session/mgt/AbstractSessionManager.java
    incubator/shiro/trunk/core/src/test/java/org/apache/shiro/session/mgt/DelegatingSessionTest.java
    incubator/shiro/trunk/web/src/main/java/org/apache/shiro/web/servlet/ShiroFilter.java
    incubator/shiro/trunk/web/src/test/java/org/apache/shiro/web/DefaultWebSecurityManagerTest.java

Modified: incubator/shiro/trunk/core/src/main/java/org/apache/shiro/session/Session.java
URL: http://svn.apache.org/viewvc/incubator/shiro/trunk/core/src/main/java/org/apache/shiro/session/Session.java?rev=795434&r1=795433&r2=795434&view=diff
==============================================================================
--- incubator/shiro/trunk/core/src/main/java/org/apache/shiro/session/Session.java (original)
+++ incubator/shiro/trunk/core/src/main/java/org/apache/shiro/session/Session.java Sat Jul
18 21:33:31 2009
@@ -58,7 +58,8 @@
     Date getStartTimestamp();
 
     /**
-     * Returns the last time the user associated with the session interacted with the system.
+     * Returns the last time the application received a request or method invocation from
the user associated
+     * with this session.  Application calls to this method do not affect this access time.
      *
      * @return The time the user last interacted with the system.
      * @see #touch()
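Review bot: The `@return` line left as context still reads "The time the user last interacted with the system", which is the wording the new summary sentence replaces. Update it to match, for example "the time the application last received a request or method invocation from the user", so the two halves of the javadoc do not describe different events.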
@@ -114,10 +115,10 @@
      * Explicitly updates the {@link #getLastAccessTime() lastAccessTime} of this session
to the current time when
      * this method is invoked.  This method can be used to ensure a session does not time
out.
      * <p/>
-     * Most programmers won't use this method explicitly and will instead rely calling the
other Session methods
-     * to update the time transparently, or on a framework during a remote procedure call
or upon a web request.
+     * Most programmers won't use this method directly and will instead rely on the last
access time to be updated
+     * automatically as a result of an incoming web request or remote procedure call/method
invocation.
      * <p/>
-     * This method is particularly useful however when supporting rich-client applications
such as
+     * However, this method is particularly useful when supporting rich-client applications
such as
      * Java Web Start appp, Java or Flash applets, etc.  Although rare, it is possible in
a rich-client
      * environment that a user continuously interacts with the client-side application without
a
      * server-side method call ever being invoked.  If this happens over a long enough period
of
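Review bot: The context line "Java Web Start appp, Java or Flash applets" keeps its typo while the sentences around it are being reworded; fix it to "apps" in the same pass. The rewritten sentence would also read better as "rely on the last access time being updated automatically".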
@@ -128,7 +129,7 @@
      * the user is actively &quot;using&quot; the application, just not communicating
with the
      * server. But because no server-side method calls are invoked, there is no way for the
server
      * to know if the user is sitting idle or not, so it must assume so to maintain session
-     * integrity.  The touch method could be invoked by the rich-client application code
during those
+     * integrity.  This {@code touch()} method could be invoked by the rich-client application
code during those
      * times to ensure that the next time a server-side method is invoked, the invocation
will not
      * throw an {@link ExpiredSessionException ExpiredSessionException}.  In short terms,
it could be used periodically
      * to ensure a session does not time out.
@@ -138,8 +139,7 @@
      * usage characteristics of the client application, network utilization and application
server
      * performance.
      *
-     * @throws InvalidSessionException if this session has stopped or expired prior to calling
-     *                                 this method.
+     * @throws InvalidSessionException if this session has stopped or expired prior to calling
this method.
      */
     void touch() throws InvalidSessionException;
 

Modified: incubator/shiro/trunk/core/src/main/java/org/apache/shiro/session/mgt/AbstractSessionManager.java
URL: http://svn.apache.org/viewvc/incubator/shiro/trunk/core/src/main/java/org/apache/shiro/session/mgt/AbstractSessionManager.java?rev=795434&r1=795433&r2=795434&view=diff
==============================================================================
--- incubator/shiro/trunk/core/src/main/java/org/apache/shiro/session/mgt/AbstractSessionManager.java
(original)
+++ incubator/shiro/trunk/core/src/main/java/org/apache/shiro/session/mgt/AbstractSessionManager.java
Sat Jul 18 21:33:31 2009
@@ -121,6 +121,7 @@
 
     protected void applyGlobalSessionTimeout(Session session) {
         session.setTimeout(getGlobalSessionTimeout());
+        onChange(session);
     }
 
     /**
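Review bot: Nothing in this commit asserts that the `onChange(session)` call added to `applyGlobalSessionTimeout` writes the timeout back to the store; the two test files touched only change sleep durations and assertEquals argument order. Add a regression test that applies the global timeout, reloads the session from the persistent store and checks `getTimeout()`, otherwise a later refactoring can drop this line unnoticed.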

Modified: incubator/shiro/trunk/core/src/test/java/org/apache/shiro/session/mgt/DelegatingSessionTest.java
URL: http://svn.apache.org/viewvc/incubator/shiro/trunk/core/src/test/java/org/apache/shiro/session/mgt/DelegatingSessionTest.java?rev=795434&r1=795433&r2=795434&view=diff
==============================================================================
--- incubator/shiro/trunk/core/src/test/java/org/apache/shiro/session/mgt/DelegatingSessionTest.java
(original)
+++ incubator/shiro/trunk/core/src/test/java/org/apache/shiro/session/mgt/DelegatingSessionTest.java
Sat Jul 18 21:33:31 2009
@@ -44,11 +44,11 @@
         Serializable origId = session.getId();
         assertEquals(session.getTimeout(), AbstractSessionManager.DEFAULT_GLOBAL_SESSION_TIMEOUT);
         session.setTimeout(100);
-        assertEquals(session.getTimeout(), 100);
-        sleep(100);
+        assertEquals(100, session.getTimeout());
+        sleep(150);
         //now the underlying session should have been expired and a new one replaced by default.
         //so ensure the replaced session has the default session timeout:
-        assertEquals(session.getTimeout(), AbstractSessionManager.DEFAULT_GLOBAL_SESSION_TIMEOUT);
+        assertEquals(AbstractSessionManager.DEFAULT_GLOBAL_SESSION_TIMEOUT, session.getTimeout());
         assertFalse(origId.equals(session.getId())); //new ID would have been generated
     }
 
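Review bot: The test still depends on wall-clock timing: with a 100 ms timeout, a stall of more than 100 ms between `session.setTimeout(100)` and `assertEquals(100, session.getTimeout())` expires and replaces the session before the assertion runs, and the later check relies on the 50 ms margin of `sleep(150)`. Consider a larger timeout with a proportionally larger sleep, or a way to set the last access time in the past so that expiry is deterministic. The first assertion in the hunk is also still in (actual, expected) order, unlike the two corrected here.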

Modified: incubator/shiro/trunk/web/src/main/java/org/apache/shiro/web/servlet/ShiroFilter.java
URL: http://svn.apache.org/viewvc/incubator/shiro/trunk/web/src/main/java/org/apache/shiro/web/servlet/ShiroFilter.java?rev=795434&r1=795433&r2=795434&view=diff
==============================================================================
--- incubator/shiro/trunk/web/src/main/java/org/apache/shiro/web/servlet/ShiroFilter.java
(original)
+++ incubator/shiro/trunk/web/src/main/java/org/apache/shiro/web/servlet/ShiroFilter.java
Sat Jul 18 21:33:31 2009
@@ -22,6 +22,8 @@
 import org.apache.shiro.config.Configuration;
 import org.apache.shiro.config.ConfigurationException;
 import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.session.Session;
+import org.apache.shiro.subject.Subject;
 import org.apache.shiro.util.ClassUtils;
 import org.apache.shiro.util.LifecycleUtils;
 import static org.apache.shiro.util.StringUtils.clean;
@@ -517,6 +519,35 @@
     }
 
     /**
+     * Updates any 'native'  Session's last access time that might exist to the timestamp
when this method is called.
+     * If native sessions are not enabled (that is, standard Servlet container sessions are
being used) or there is no
+     * session ({@code subject.getSession(false) == null}), this method does nothing.
+     * <p/>This method implementation merely calls
+     * <code>Session.{@link org.apache.shiro.session.Session#touch() touch}()</code>
on the session. 
+     *
+     * @param request  incoming request - ignored, but available to subclasses that might
wish to override this method
+     * @param response outgoing response - ignored, but available to subclasses that might
wish to override this method
+     * @since 1.0
+     */
+    protected void updateSessionLastAccessTime(ServletRequest request, ServletResponse response)
{
+        if (!isHttpSessions()) { //'native' sessions
+            Subject subject = getSecurityManager().getSubject();
+            //Subject should never _ever_ be null, but just in case:
+            if (subject != null) {
+                Session session = subject.getSession(false);
+                if (session != null) {
+                    try {
+                        session.touch();
+                    } catch (Throwable t) {
+                        log.error("session.touch() method invocation has failed.  Unable
to update" +
+                                "the corresponding session's last access time based on the
incoming request.", t);
+                    }
+                }
+            }
+        }
+    }
+
+    /**
      * {@code doFilterInternal} implementation that sets-up, executes, and cleans-up a Shiro-filtered
request.  It
      * performs the following ordered operations:
      * <ol>
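Review bot: `catch (Throwable t)` around `session.touch()` is too broad: it swallows `Error`s along with the `InvalidSessionException` that `touch()` is declared to throw, and logs both at error level. A request arriving on a stopped or expired session is routine, so catch `InvalidSessionException` separately at a lower level and handle anything unexpected distinctly. The log message also concatenates "Unable to update" and "the corresponding" without a space, producing "updatethe".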
@@ -526,6 +557,9 @@
      * the outgoing {@code ServletResponse} for use during Shiro's processing</li>
      * <li>{@link #bind(ServletRequest,ServletResponse) Binds} the request/response
pair
      * and associated data to the currently executing thread for use during processing</li>
+     * <li>{@link #updateSessionLastAccessTime(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
Updates}
+     * any associated session's {@link org.apache.shiro.session.Session#getLastAccessTime()
lastAccessTime} to ensure
+     * session timeouts are honored</li>
      * <li>{@link #executeChain(ServletRequest,ServletResponse,FilterChain) Executes}
      * the appropriate {@code FilterChain}</li>
      * <li>{@link #unbind(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
Unbinds} the request/response
@@ -551,6 +585,7 @@
         bind(request, response);
 
         try {
+            updateSessionLastAccessTime(request, response);
             executeChain(request, response, chain);
         } finally {
             unbind(request, response);
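Review bot: `updateSessionLastAccessTime(request, response)` runs unconditionally before `executeChain`, so every request that passes through the filter resets the idle timer of a native session, including automated traffic such as background polling. State this in the javadoc and point to overriding the protected method as the way to exclude such requests, since a session kept alive by non-user traffic never reaches its idle timeout.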

Modified: incubator/shiro/trunk/web/src/test/java/org/apache/shiro/web/DefaultWebSecurityManagerTest.java
URL: http://svn.apache.org/viewvc/incubator/shiro/trunk/web/src/test/java/org/apache/shiro/web/DefaultWebSecurityManagerTest.java?rev=795434&r1=795433&r2=795434&view=diff
==============================================================================
--- incubator/shiro/trunk/web/src/test/java/org/apache/shiro/web/DefaultWebSecurityManagerTest.java
(original)
+++ incubator/shiro/trunk/web/src/test/java/org/apache/shiro/web/DefaultWebSecurityManagerTest.java
Sat Jul 18 21:33:31 2009
@@ -91,7 +91,7 @@
         assertEquals(session.getTimeout(), globalTimeout);
         session.setTimeout(100);
         assertEquals(session.getTimeout(), 100);
-        sleep(100);
+        sleep(150);
         //now the underlying session should have been expired and a new one replaced by default.
         //so ensure the replaced session has the default session timeout:
         assertEquals(session.getTimeout(), globalTimeout);
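Review bot: The `assertEquals` calls in this hunk keep the (actual, expected) argument order that the same commit corrects in DelegatingSessionTest, for example `assertEquals(session.getTimeout(), 100)`. Swap them to `assertEquals(100, session.getTimeout())` and `assertEquals(globalTimeout, session.getTimeout())` so that a failure reports expected and actual the right way round.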


