/** * Prepares the {@code ServletResponse} instance that will be passed to the {@code FilterChain} for request * processing. * <p/> * This implementation delegates to {@link #wrapServletRequest(javax.servlet.http.HttpServletRequest)} * only if Shiro-based sessions are enabled (that is, !{@link #isHttpSessions()}) and the request instance is a * {@link ShiroHttpServletRequest}. This ensures that any URL rewriting that occurs is handled correctly using the * Shiro-managed Session's sessionId and not a servlet container session ID. * <p/> * If HTTP-based sessions are enabled (the default), then this method does nothing and just returns the * {@code ServletResponse} argument as-is, relying on the default Servlet Container URL rewriting logic. * * @param request the incoming ServletRequest * @param response the outgoing ServletResponse * @param chain the Servlet Container provided {@code FilterChain} that will receive the returned request. * @return the {@code ServletResponse} instance that will be passed to the {@code FilterChain} during request processing. * @since 1.0 */ @SuppressWarnings({"UnusedDeclaration"}) protected ServletResponse prepareServletResponse(ServletRequest request, ServletResponse response, FilterChain chain) { ServletResponse toUse = response; if (!isHttpSessions() && (request instanceof ShiroHttpServletRequest) && (response instanceof HttpServletResponse)) { //the ShiroHttpServletResponse exists to support URL rewriting for session ids. This is only needed if //using Shiro sessions (i.e. not simple HttpSession based sessions): toUse = wrapServletResponse((HttpServletResponse) response, (ShiroHttpServletRequest) request); } return toUse; }
/** * Wraps the original HttpServletRequest in a {@link ShiroHttpServletRequest}, which is required for supporting * Servlet Specification behavior backed by a {@link org.apache.shiro.subject.Subject Subject} instance. * * @param orig the original Servlet Container-provided incoming {@code HttpServletRequest} instance. * @return {@link ShiroHttpServletRequest ShiroHttpServletRequest} instance wrapping the original. * @since 1.0 */ protected ServletRequest wrapServletRequest(HttpServletRequest orig) { return new ShiroHttpServletRequest(orig, getServletContext(), isHttpSessions()); }
/** * Updates any 'native' Session's last access time that might exist to the timestamp when this method is called. * If native sessions are not enabled (that is, standard Servlet container sessions are being used) or there is no * session ({@code subject.getSession(false) == null}), this method does nothing. * <p/>This method implementation merely calls * <code>Session.{@link org.apache.shiro.session.Session#touch() touch}()</code> on the session. * * @param request incoming request - ignored, but available to subclasses that might wish to override this method * @param response outgoing response - ignored, but available to subclasses that might wish to override this method * @since 1.0 */ @SuppressWarnings({"UnusedDeclaration"}) protected void updateSessionLastAccessTime(ServletRequest request, ServletResponse response) { if (!isHttpSessions()) { //'native' sessions Subject subject = SecurityUtils.getSubject(); //Subject should never _ever_ be null, but just in case: if (subject != null) { Session session = subject.getSession(false); if (session != null) { try { session.touch(); } catch (Throwable t) { log.error("session.touch() method invocation has failed. Unable to update" + "the corresponding session's last access time based on the incoming request.", t); } } } } }