Example usage for org.apache.shiro.subject.support DefaultSubjectContext SESSION_CREATION_ENABLED


Introduction

This page lists example usages of org.apache.shiro.subject.support.DefaultSubjectContext.SESSION_CREATION_ENABLED, a request attribute that a Shiro web filter can set to tell Shiro not to create an HTTP session for the current request.

Prototype

String SESSION_CREATION_ENABLED


Usage

From source file:org.sonatype.nexus.security.authc.NexusBasicHttpAuthenticationFilter.java

License:Open Source License

/**
 * Marks every BASIC-auth request as non-session-creating before the parent
 * filter runs.
 *
 * BASIC clients re-send credentials on every call, so a server-side session
 * adds nothing for them and would only accumulate; the
 * {@code SESSION_CREATION_ENABLED} request attribute is the hook Shiro is
 * expected to consult when a subject asks for a session.
 *
 * @param request     the current request; the attribute is set on it
 * @param response    the current response, passed through unchanged
 * @param mappedValue the filter's configured value, passed through unchanged
 * @return whatever the parent implementation decides
 * @throws Exception propagated from the parent implementation
 */
@Override
public boolean onPreHandle(final ServletRequest request, final ServletResponse response,
        final Object mappedValue) throws Exception {
    // Flag first, then delegate: the parent call may resolve the subject and
    // must already see the attribute at that point.
    final Object sessionCreation = Boolean.FALSE;
    request.setAttribute(DefaultSubjectContext.SESSION_CREATION_ENABLED, sessionCreation);

    return super.onPreHandle(request, response, mappedValue);
}

From source file:org.sonatype.nexus.security.filter.authc.NexusHttpAuthenticationFilter.java

License:Open Source License

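/**
 * Attempts to authenticate the current request's subject as the configured
 * anonymous user.
 *
 * Session creation is disabled on the request before the login so an
 * anonymous hit does not allocate a server-side session. If Shiro reports an
 * {@link UnknownSessionException} (the request references a session id the
 * session store no longer knows), the subject is logged out to discard that
 * stale reference and the login is retried once.
 *
 * TODO: consider moving this to a new filter, and chain them together
 *
 * @param request  the current request; must be an {@link HttpServletRequest},
 *                 since it is cast to one when a refused attempt is logged
 * @param response the current response
 * @return {@code true} only when the anonymous login succeeded; {@code false}
 *         when it was refused, never completed, or could not be retried
 */
protected boolean executeAnonymousLogin(ServletRequest request, ServletResponse response) {
    getLogger().debug("Attempting to authenticate Subject as Anonymous request...");

    Subject subject = getSubject(request, response);

    // Anonymous traffic must not create sessions. NOTE(review): this is set
    // after getSubject(); it only helps if the subject consults the request
    // attribute lazily when a session is actually requested -- confirm.
    request.setAttribute(DefaultSubjectContext.SESSION_CREATION_ENABLED, Boolean.FALSE);

    UsernamePasswordToken anonymousToken = new UsernamePasswordToken(
            getSecuritySystem().getAnonymousUsername(), getSecuritySystem().getAnonymousPassword());

    boolean loggedIn = false;
    try {
        // NOTE(review): this flag stays set even when the login below fails;
        // readers of ANONYMOUS_LOGIN must not treat it as proof of success.
        request.setAttribute(ANONYMOUS_LOGIN, Boolean.TRUE);

        subject.login(anonymousToken);
        loggedIn = true;
    } catch (UnknownSessionException e) {
        loggedIn = retryAfterUnknownSession(subject, anonymousToken, request, e);
    } catch (AuthenticationException ae) {
        logAnonymousLoginFailure(request, ae);
    }

    if (loggedIn) {
        getLogger().debug("Successfully logged in as anonymous");
        return true;
    }

    // Reaching here means the attempt was refused, never made, or the retry
    // was not possible; never report success by default.
    return false;
}

/**
 * Recovers from a stale session reference by logging the subject out and
 * retrying the anonymous login once.
 *
 * An {@link AuthenticationException} raised by the retry is logged and turned
 * into a {@code false} result rather than escaping the filter, so callers get
 * the documented boolean either way. A second
 * {@link UnknownSessionException} from the retry is not handled and still
 * propagates.
 *
 * @param subject the subject whose session reference is stale
 * @param token   the anonymous credentials to retry with
 * @param request the current request, used only for failure logging
 * @param cause   the exception that triggered the retry
 * @return {@code true} if the retried login succeeded
 */
private boolean retryAfterUnknownSession(Subject subject, UsernamePasswordToken token,
        ServletRequest request, UnknownSessionException cause) {
    Session anonSession = subject.getSession(false);

    getLogger().debug(
            "Unknown session exception while logging in anonymous user: '{}' with principal '{}'",
            new Object[] { anonSession, token.getUsername(), cause });

    if (anonSession == null) {
        // Nothing to clear, and no reason to expect a plain retry to differ.
        return false;
    }

    getLogger().debug("Logging out the current anonymous user, to clear the session.");
    try {
        subject.logout();
    } catch (UnknownSessionException expectedException) {
        // Logout against an unknown session is expected to complain; the point
        // is only to drop the subject's state before retrying.
        this.logger.trace(
                "Forced a logout with an Unknown Session so the current subject would get cleaned up.",
                expectedException);
    }

    getLogger().debug("Attempting to login as anonymous for the second time.");
    try {
        subject.login(token);
        return true;
    } catch (AuthenticationException ae) {
        logAnonymousLoginFailure(request, ae);
        return false;
    }
}

/**
 * Records a refused anonymous login: the remote address at INFO, the cause
 * at DEBUG.
 *
 * @param request the current request; cast to {@link HttpServletRequest}
 * @param ae      the refusal reported by Shiro
 */
private void logAnonymousLoginFailure(ServletRequest request, AuthenticationException ae) {
    // NOTE(review): if RemoteIPFinder derives the address from forwarded
    // headers, the logged IP is client-controlled; do not rely on it for
    // audit or blocking decisions without a trusted proxy chain.
    getLogger().info("Unable to authenticate user [anonymous] from IP Address "
            + RemoteIPFinder.findIP((HttpServletRequest) request));

    getLogger().debug("Unable to log in subject as anonymous", ae);
}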