0
# Web Security Management
1
2
Web-specific security manager implementations, remember-me functionality, subject factories, and session storage evaluation for Apache Shiro servlet environments. These components extend Shiro's core security management with web-aware capabilities and cookie-based features.
3
4
## Capabilities
5
6
### Web Security Manager
7
8
Web-enabled security manager interface and implementation providing HTTP session integration and web-specific security operations.
9
10
```java { .api }
11
interface WebSecurityManager extends SecurityManager {
12
/**
13
* Returns whether this security manager uses HTTP sessions for session management.
14
*
15
* @return true if using HTTP sessions
16
*/
17
boolean isHttpSessionMode();
18
}
19
```
20
21
```java { .api }
22
class DefaultWebSecurityManager extends DefaultSecurityManager implements WebSecurityManager {
23
/**
24
* Creates a new DefaultWebSecurityManager with no realms.
25
*/
26
public DefaultWebSecurityManager();
27
28
/**
29
* Creates a new DefaultWebSecurityManager with a single realm.
30
*
31
* @param singleRealm the realm to use
32
*/
33
public DefaultWebSecurityManager(Realm singleRealm);
34
35
/**
36
* Creates a new DefaultWebSecurityManager with multiple realms.
37
*
38
* @param realms the collection of realms to use
39
*/
40
public DefaultWebSecurityManager(Collection<Realm> realms);
41
42
/**
43
* Returns whether HTTP session mode is enabled.
44
*
45
* @return true if using HTTP sessions
46
*/
47
public boolean isHttpSessionMode();
48
49
/**
50
* Creates a Subject instance with web-specific context.
51
*
52
* @param context the subject context
53
* @return the created Subject
54
*/
55
protected Subject doCreateSubject(SubjectContext context);
56
57
/**
58
* Returns the remember me manager for this security manager.
59
*
60
* @return the RememberMeManager instance
61
*/
62
public RememberMeManager getRememberMeManager();
63
64
/**
65
* Sets the remember me manager for this security manager.
66
*
67
* @param rememberMeManager the RememberMeManager to set
68
*/
69
public void setRememberMeManager(RememberMeManager rememberMeManager);
70
}
71
```
72
73
### Cookie Remember Me Manager
74
75
Cookie-based "remember me" functionality providing persistent authentication across browser sessions.
76
77
```java { .api }
78
class CookieRememberMeManager extends AbstractRememberMeManager {
79
/** Default remember me cookie name */
80
public static final String DEFAULT_REMEMBER_ME_COOKIE_NAME = "rememberMe";
81
82
/**
83
* Creates a new CookieRememberMeManager with default settings.
84
*/
85
public CookieRememberMeManager();
86
87
/**
88
* Returns the cookie used for remember me functionality.
89
*
90
* @return the Cookie instance
91
*/
92
public Cookie getCookie();
93
94
/**
95
* Sets the cookie to use for remember me functionality.
96
*
97
* @param cookie the Cookie to set
98
*/
99
public void setCookie(Cookie cookie);
100
101
/**
102
* Returns the cipher key used for encrypting remember me data.
103
*
104
* @return the cipher key as a string
105
*/
106
public String getCipherKey();
107
108
/**
109
* Sets the cipher key for encrypting remember me data.
110
*
111
* @param cipherKey the cipher key string
112
*/
113
public void setCipherKey(String cipherKey);
114
115
/**
116
* Remembers the subject's identity by storing encrypted data in a cookie.
117
*
118
* @param subject the subject to remember
119
* @param token the authentication token
120
* @param account the authenticated account
121
*/
122
public void rememberIdentity(Subject subject, AuthenticationToken token, AuthenticationInfo account);
123
124
/**
125
* Recalls the remembered identity from the cookie.
126
*
127
* @param subjectContext the subject context
128
* @return the recalled principals or null if not remembered
129
*/
130
public PrincipalCollection getRememberedPrincipals(SubjectContext subjectContext);
131
132
/**
133
* Forgets the remembered identity by removing the cookie.
134
*
135
* @param subjectContext the subject context
136
*/
137
public void forgetIdentity(SubjectContext subjectContext);
138
}
139
```
140
141
### Web Subject Factory
142
143
Factory for creating web-aware Subject instances that provide access to servlet request and response objects.
144
145
```java { .api }
146
class DefaultWebSubjectFactory extends DefaultSubjectFactory {
147
/**
148
* Creates a new DefaultWebSubjectFactory.
149
*/
150
public DefaultWebSubjectFactory();
151
152
/**
153
* Creates a Subject instance, returning WebSubject if context contains web components.
154
*
155
* @param context the subject context
156
* @return the created Subject (WebSubject if web context)
157
*/
158
public Subject createSubject(SubjectContext context);
159
160
/**
161
* Determines if the context is a web context.
162
*
163
* @param context the subject context
164
* @return true if context contains web components
165
*/
166
protected boolean isWebSubject(SubjectContext context);
167
168
/**
169
* Creates a WebSubject instance.
170
*
171
* @param context the web subject context
172
* @return the created WebSubject
173
*/
174
protected WebSubject createWebSubject(SubjectContext context);
175
}
176
```
177
178
### Session Storage Evaluator
179
180
Evaluator that determines when session storage is required for web requests, optimizing performance for stateless operations.
181
182
```java { .api }
183
class DefaultWebSessionStorageEvaluator extends DefaultSessionStorageEvaluator {
184
/**
185
* Creates a new DefaultWebSessionStorageEvaluator.
186
*/
187
public DefaultWebSessionStorageEvaluator();
188
189
/**
190
* Determines if session storage is enabled for the given context.
191
*
192
* @param context the subject context
193
* @return true if session storage should be used
194
*/
195
public boolean isSessionStorageEnabled(SubjectContext context);
196
197
/**
198
* Determines if the context represents a web subject.
199
*
200
* @param subjectContext the subject context
201
* @return true if context is web-based
202
*/
203
private boolean isWebSubject(SubjectContext subjectContext);
204
}
205
```
206
207
## Usage Examples
208
209
### Basic Web Security Manager Setup
210
211
```java
212
public WebSecurityManager createWebSecurityManager() {
213
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
214
215
// Configure realm
216
MyCustomRealm realm = new MyCustomRealm();
217
securityManager.setRealm(realm);
218
219
// Configure session manager
220
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
221
sessionManager.setSessionIdUrlRewritingEnabled(false);
222
securityManager.setSessionManager(sessionManager);
223
224
// Configure remember me
225
CookieRememberMeManager rememberMeManager = new CookieRememberMeManager();
226
rememberMeManager.setCipherKey("your-secret-key-here");
227
securityManager.setRememberMeManager(rememberMeManager);
228
229
return securityManager;
230
}
231
```
232
233
### Cookie Remember Me Configuration
234
235
```java
236
public void configureCookieRememberMe() {
237
CookieRememberMeManager rememberMeManager = new CookieRememberMeManager();
238
239
// Configure cookie settings
240
SimpleCookie rememberMeCookie = new SimpleCookie("customRememberMe");
241
rememberMeCookie.setHttpOnly(true);
242
rememberMeCookie.setSecure(true);
243
rememberMeCookie.setMaxAge(30 * 24 * 60 * 60); // 30 days
244
rememberMeCookie.setDomain(".example.com");
245
rememberMeCookie.setPath("/");
246
247
rememberMeManager.setCookie(rememberMeCookie);
248
rememberMeManager.setCipherKey(generateSecretKey());
249
250
// Set in security manager
251
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
252
securityManager.setRememberMeManager(rememberMeManager);
253
}
254
255
private String generateSecretKey() {
256
// Generate a secure random key for production
257
return "your-256-bit-secret-key-here";
258
}
259
```