tessl/maven-org-apache-shiro--shiro-web

Web support module for Apache Shiro providing servlet filters, session management, and web-specific authentication and authorization features


Session Management

Web session management components for Apache Shiro including servlet container session delegation, native Shiro session management, cookie-based session IDs, and session context management. These classes provide flexible session management strategies for web applications.

Capabilities

Web Session Manager Interface

interface WebSessionManager extends SessionManager {
    /**
     * Returns whether this session manager uses servlet container sessions.
     *
     * @return true if using servlet container sessions
     */
    boolean isServletContainerSessions();
}

Default Web Session Manager

class DefaultWebSessionManager extends DefaultSessionManager implements WebSessionManager {
    public DefaultWebSessionManager();
    
    public boolean isServletContainerSessions();
    
    public Cookie getSessionIdCookie();
    public void setSessionIdCookie(Cookie cookie);
    
    public boolean isSessionIdUrlRewritingEnabled();
    public void setSessionIdUrlRewritingEnabled(boolean enabled);
    
    protected Serializable getSessionId(ServletRequest request, ServletResponse response);
    
    protected void storeSessionId(Serializable currentId, ServletRequest request, ServletResponse response);
}

Servlet Container Session Manager

class ServletContainerSessionManager implements WebSessionManager {
    public ServletContainerSessionManager();
    
    public boolean isServletContainerSessions();
    
    public Session start(SessionContext context);
    public Session getSession(SessionKey key) throws SessionException;
    
    public Collection<Session> getActiveSessions();
}

Session Creation Control Filter

Filter for controlling session creation behavior in web applications, particularly useful for REST/API endpoints that should not create sessions.

class NoSessionCreationFilter extends PathMatchingFilter {
    /**
     * Creates a new NoSessionCreationFilter that prevents session creation.
     */
    public NoSessionCreationFilter();
    
    /**
     * Disables session creation for the current request by setting the
     * SESSION_CREATION_ENABLED attribute to false.
     *
     * @param request the servlet request
     * @param response the servlet response
     * @param mappedValue the path-specific configuration
     * @return true to continue filter chain processing
     */
    protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception;
}

Usage Examples

Session Manager Configuration

import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

public void configureSessionManagement() {
    DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();

    // Native Shiro session management
    DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
    sessionManager.setGlobalSessionTimeout(30 * 60 * 1000); // 30 minutes
    // Keep session IDs out of URLs (no ;JSESSIONID=... rewriting)
    sessionManager.setSessionIdUrlRewritingEnabled(false);

    // Configure session ID cookie
    SimpleCookie sessionCookie = new SimpleCookie("JSESSIONID");
    sessionCookie.setHttpOnly(true); // not readable from page scripts
    sessionCookie.setSecure(true);   // only sent over HTTPS
    sessionManager.setSessionIdCookie(sessionCookie);

    securityManager.setSessionManager(sessionManager);
}
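
An added example, not part of the original page or of Shiro itself: a startup check that inspects a configured WebSessionManager for the weak settings the configuration above avoids (URL rewriting, missing HttpOnly or Secure). The SameSite check and the 30-minute idle ceiling are assumptions of this example, the class name SessionConfigAudit is hypothetical, and it assumes a Shiro version whose Cookie interface provides getSameSite().

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.shiro.web.servlet.Cookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.session.mgt.WebSessionManager;

/** Added example (not Shiro code): startup check for weak session settings. */
public final class SessionConfigAudit {
    // Assumed policy ceiling for the idle timeout; adjust to your own requirement.
    private static final long MAX_IDLE_MILLIS = 30L * 60 * 1000;

    /** Returns one finding per weak setting; an empty list means nothing was flagged. */
    public static List<String> audit(WebSessionManager manager) {
        List<String> findings = new ArrayList<>();
        if (manager.isServletContainerSessions()) {
            // Shiro delegates to the container, so cookie flags live in the container config.
            findings.add("container sessions: verify cookie flags and timeout in the servlet container");
            return findings;
        }
        if (!(manager instanceof DefaultWebSessionManager)) {
            findings.add("unrecognised native session manager: " + manager.getClass().getName());
            return findings;
        }
        DefaultWebSessionManager dwsm = (DefaultWebSessionManager) manager;
        if (dwsm.isSessionIdUrlRewritingEnabled()) {
            findings.add("URL rewriting enabled: session IDs can leak via URLs, logs and Referer headers");
        }
        long timeout = dwsm.getGlobalSessionTimeout();
        if (timeout < 0 || timeout > MAX_IDLE_MILLIS) {
            findings.add("global session timeout is " + timeout + " ms (negative means sessions never expire)");
        }
        Cookie cookie = dwsm.getSessionIdCookie();
        if (!dwsm.isSessionIdCookieEnabled() || cookie == null) {
            findings.add("session ID cookie disabled: check how the session ID is transported instead");
            return findings;
        }
        if (!cookie.isHttpOnly()) {
            findings.add("session cookie lacks HttpOnly: readable from page scripts");
        }
        if (!cookie.isSecure()) {
            findings.add("session cookie lacks Secure: may be sent over plain HTTP");
        }
        Cookie.SameSiteOptions sameSite = cookie.getSameSite();
        if (sameSite == null || sameSite == Cookie.SameSiteOptions.NONE) {
            findings.add("session cookie SameSite is unset or NONE: sent on cross-site requests");
        }
        return findings;
    }
}
```

Calling SessionConfigAudit.audit(sessionManager) from a unit test or at application startup and failing on a non-empty list keeps a later configuration change from silently weakening these settings.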

Session-less API Configuration

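import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;

public void configureSessionlessAPIs() {
    // The no-arg constructor registers Shiro's default filters by name
    DefaultFilterChainManager filterChainManager = new DefaultFilterChainManager();

    // API endpoints should not create sessions
    filterChainManager.createChain("/api/**", "noSessionCreation, authcBasic");
    filterChainManager.createChain("/rest/**", "noSessionCreation, authcBearer");

    // Regular web paths can create sessions
    filterChainManager.createChain("/web/**", "authc");
    // Catch-all goes last: chains are matched in the order they are created
    filterChainManager.createChain("/**", "anon");

    PathMatchingFilterChainResolver resolver = new PathMatchingFilterChainResolver();
    resolver.setFilterChainManager(filterChainManager);
    // The resolver only takes effect once it is set on the Shiro filter
    // (AbstractShiroFilter#setFilterChainResolver)
}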

Install with Tessl CLI

npx tessl i tessl/maven-org-apache-shiro--shiro-web
