org.apache.shiro.session.mgt.ValidatingSessionManager Maven / Gradle / Ivy
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.shiro.session.mgt;
/**
* A ValidatingSessionManager is a SessionManager that can proactively validate any or all sessions
* that may be expired.
*
* @since 0.1
*/
public interface ValidatingSessionManager extends SessionManager {
/**
* Performs session validation for all open/active sessions in the system (those that
* have not been stopped or expired), and validates each one. If a session is
* found to be invalid (e.g. it has expired), it is updated and saved to the EIS.
*
* This method is necessary in order to handle orphaned sessions and is expected to be run at
* a regular interval, such as once an hour, once a day or once a week, etc.
* The "best" frequency to run this method is entirely dependent upon the application
* and would be based on factors such as performance, average number of active users, hours of
* least activity, and other things.
*
* Most enterprise applications use a request/response programming model.
* This is obvious in the case of web applications due to the HTTP protocol, but it is
* equally true of remote client applications making remote method invocations. The server
* essentially sits idle and only "works" when responding to client requests and/or
* method invocations. This type of model is particularly efficent since it means the
* security system only has to validate a session during those cases. Such
* "lazy" behavior enables the system to lie stateless and/or idle and only incur
* overhead for session validation when necessary.
*
* However, if a client forgets to log-out, or in the event of a server failure, it is
* possible for sessions to be orphaned since no further requests would utilize that session.
* Because of these lower-probability cases, it might be required to regularly clean-up the sessions
* maintained by the system, especially if sessions are backed by a persistent data store.
*
* Even in applications that aren't primarily based on a request/response model,
* such as those that use enterprise asynchronous messaging (where data is pushed to
* a client without first receiving a client request), it is almost always acceptable to
* utilize this lazy approach and run this method at defined interval.
*
* Systems that want to proactively validate individual sessions may simply call the
* {@link #getSession(SessionKey) getSession(SessionKey)} method on any
* {@code ValidatingSessionManager} instance as that method is expected to
* validate the session before retrieving it. Note that even with proactive calls to {@code getSession},
* this {@code validateSessions()} method should be invoked regularly anyway to guarantee no
* orphans exist.
*
* Note: Shiro supports automatic execution of this method at a regular interval
* by using {@link SessionValidationScheduler}s. The Shiro default SecurityManager implementations
* needing session validation will create and use one by default if one is not provided by the
* application configuration.
*/
void validateSessions();
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy