Web support module for Apache Shiro providing servlet filters, session management, and web-specific authentication and authorization features
—
Web-specific security manager implementations, remember-me functionality, subject factories, and session storage evaluation for Apache Shiro servlet environments. These components extend Shiro's core security management with web-aware capabilities and cookie-based features.
Web-enabled security manager interface and implementation providing HTTP session integration and web-specific security operations.
interface WebSecurityManager extends SecurityManager {
    /**
     * Reports whether this security manager relies on HTTP sessions for session management.
     * <p>
     * NOTE(review): presumably "HTTP sessions" means the servlet container's own session,
     * as opposed to sessions managed by Shiro itself. Confirm against the implementation,
     * because it decides which component issues and protects the session identifier.
     *
     * @return true if using HTTP sessions
     */
    boolean isHttpSessionMode();
}

class DefaultWebSecurityManager extends DefaultSecurityManager implements WebSecurityManager {
    /**
     * Creates a new DefaultWebSecurityManager with no realms.
     * <p>
     * NOTE(review): upstream Shiro releases install a cookie-based remember-me manager in
     * this constructor by default, so remember-me cookie handling may be active even when
     * it is never configured explicitly. Confirm for the version in use and review the
     * cipher key that manager ends up with.
     */
    public DefaultWebSecurityManager();

    /**
     * Creates a new DefaultWebSecurityManager with a single realm.
     *
     * @param singleRealm the realm to use
     */
    public DefaultWebSecurityManager(Realm singleRealm);

    /**
     * Creates a new DefaultWebSecurityManager with multiple realms.
     *
     * @param realms the collection of realms to use
     */
    public DefaultWebSecurityManager(Collection<Realm> realms);

    /**
     * Returns whether HTTP session mode is enabled.
     *
     * @return true if using HTTP sessions
     */
    public boolean isHttpSessionMode();

    /**
     * Creates a Subject instance with web-specific context.
     *
     * @param context the subject context
     * @return the created Subject
     */
    protected Subject doCreateSubject(SubjectContext context);

    /**
     * Returns the remember me manager for this security manager.
     *
     * @return the RememberMeManager instance
     */
    public RememberMeManager getRememberMeManager();

    /**
     * Sets the remember me manager for this security manager.
     * <p>
     * The manager supplied here determines how a remembered identity is stored on the
     * client (for CookieRememberMeManager: encrypted data in a cookie), so its cipher key
     * and cookie attributes are part of the application's authentication surface.
     *
     * @param rememberMeManager the RememberMeManager to set
     */
    public void setRememberMeManager(RememberMeManager rememberMeManager);
}
Cookie-based "remember me" functionality providing persistent authentication across browser sessions.
class CookieRememberMeManager extends AbstractRememberMeManager {
    /** Default remember me cookie name */
    public static final String DEFAULT_REMEMBER_ME_COOKIE_NAME = "rememberMe";

    /**
     * Creates a new CookieRememberMeManager with default settings.
     * <p>
     * NOTE(review): this listing does not show which cipher key a freshly constructed
     * manager uses. Upstream behaviour has differed between releases (older releases
     * shipped a fixed built-in key), so either set an explicit, deployment-specific key
     * or verify the default for the version in use.
     */
    public CookieRememberMeManager();

    /**
     * Returns the cookie used for remember me functionality.
     *
     * @return the Cookie instance
     */
    public Cookie getCookie();

    /**
     * Sets the cookie to use for remember me functionality.
     *
     * @param cookie the Cookie to set
     */
    public void setCookie(Cookie cookie);

    /**
     * Returns the cipher key used for encrypting remember me data.
     * <p>
     * The returned value is secret key material: do not log it, expose it through
     * management endpoints, or include it in error messages.
     * <p>
     * NOTE(review): upstream Shiro declares the cipher key accessors with byte[] rather
     * than String. Verify this signature against the library version in use.
     *
     * @return the cipher key as a string
     */
    public String getCipherKey();

    /**
     * Sets the cipher key for encrypting remember me data.
     * <p>
     * The key must be secret, generated from a cryptographically secure random source,
     * and unique to the deployment. Anyone who knows it can produce cookie values that
     * this manager will accept as its own, so it belongs in a secret store, not in source
     * code or a committed configuration file.
     * <p>
     * NOTE(review): upstream Shiro declares this setter with a byte[] parameter. Verify
     * the String form shown here against the library version in use.
     *
     * @param cipherKey the cipher key string
     */
    public void setCipherKey(String cipherKey);

    /**
     * Remembers the subject's identity by storing encrypted data in a cookie.
     *
     * @param subject the subject to remember
     * @param token the authentication token
     * @param account the authenticated account
     */
    public void rememberIdentity(Subject subject, AuthenticationToken token, AuthenticationInfo account);

    /**
     * Recalls the remembered identity from the cookie.
     * <p>
     * The cookie value is supplied by the client and must be treated as untrusted input.
     * NOTE(review): upstream implementations decrypt and then deserialize the payload, so
     * the secrecy of the cipher key is what keeps forged payloads out. Confirm for the
     * version in use and keep the library patched.
     * <p>
     * NOTE(review): Shiro distinguishes a remembered subject from an authenticated one
     * (Subject.isRemembered() versus Subject.isAuthenticated()). Sensitive operations
     * should require the latter. Confirm how callers use the recalled principals.
     *
     * @param subjectContext the subject context
     * @return the recalled principals or null if not remembered
     */
    public PrincipalCollection getRememberedPrincipals(SubjectContext subjectContext);

    /**
     * Forgets the remembered identity by removing the cookie.
     *
     * @param subjectContext the subject context
     */
    public void forgetIdentity(SubjectContext subjectContext);
}
Factory for creating web-aware Subject instances that provide access to servlet request and response objects.
class DefaultWebSubjectFactory extends DefaultSubjectFactory {
    /**
     * Creates a new DefaultWebSubjectFactory.
     */
    public DefaultWebSubjectFactory();

    /**
     * Creates a Subject for the given context, producing a WebSubject when the context
     * contains web components.
     * <p>
     * NOTE(review): what is returned for a non-web context is not shown in this listing.
     * Presumably the inherited DefaultSubjectFactory behaviour applies. Confirm.
     *
     * @param context the subject context
     * @return the created Subject (WebSubject if web context)
     */
    public Subject createSubject(SubjectContext context);

    /**
     * Determines if the context is a web context.
     * <p>
     * NOTE(review): "web components" presumably means the servlet request and response
     * that a WebSubject exposes. Confirm against the implementation.
     *
     * @param context the subject context
     * @return true if context contains web components
     */
    protected boolean isWebSubject(SubjectContext context);

    /**
     * Creates a WebSubject instance.
     *
     * @param context the web subject context
     * @return the created WebSubject
     */
    protected WebSubject createWebSubject(SubjectContext context);
}
Evaluator that determines when session storage is required for web requests, optimizing performance for stateless operations.
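class DefaultWebSessionStorageEvaluator extends DefaultSessionStorageEvaluator {
    /**
     * Creates a new DefaultWebSessionStorageEvaluator.
     */
    public DefaultWebSessionStorageEvaluator();

    /**
     * Determines if session storage is enabled for the given context.
     * <p>
     * NOTE(review): the decision criteria are not shown in this listing. Confirm against
     * the implementation before relying on it for stateless endpoints.
     *
     * @param context the subject context
     * @return true if session storage should be used
     */
    public boolean isSessionStorageEnabled(SubjectContext context);

    /**
     * Determines if the context represents a web subject.
     *
     * @param subjectContext the subject context
     * @return true if context is web-based
     */
    private boolean isWebSubject(SubjectContext subjectContext);
}

/**
 * Example: builds a web security manager with a custom realm, a session manager that
 * keeps session ids out of URLs, and a cookie-based remember-me manager.
 * <p>
 * The remember-me cipher key is read from the environment instead of being written into
 * the source. Anyone who learns the key can produce remember-me cookies the application
 * accepts, so a literal key in code or in a committed file is a credential leak.
 *
 * @return the configured security manager
 * @throws IllegalStateException if no cipher key has been provisioned
 */
public WebSecurityManager createWebSecurityManager() {
    DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();

    // Configure realm
    MyCustomRealm realm = new MyCustomRealm();
    securityManager.setRealm(realm);

    // Configure session manager
    DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
    // With URL rewriting off the session id travels only in the cookie, not in links,
    // so it does not end up in Referer headers, logs or bookmarks.
    sessionManager.setSessionIdUrlRewritingEnabled(false);
    securityManager.setSessionManager(sessionManager);

    // Configure remember me
    CookieRememberMeManager rememberMeManager = new CookieRememberMeManager();
    // "SHIRO_REMEMBER_ME_KEY" is a constructed example name; use whatever your secret
    // store or deployment tooling injects.
    String cipherKey = System.getenv("SHIRO_REMEMBER_ME_KEY");
    if (cipherKey == null || cipherKey.trim().isEmpty()) {
        // Fail closed: starting with a missing or placeholder key is worse than not starting.
        throw new IllegalStateException("Remember-me cipher key is not configured");
    }
    // NOTE(review): upstream Shiro declares setCipherKey with a byte[] parameter; decode
    // the provisioned value accordingly if the version in use differs from this page.
    rememberMeManager.setCipherKey(cipherKey);
    securityManager.setRememberMeManager(rememberMeManager);
    return securityManager;
}

/**
 * Example: configures the remember-me cookie attributes and cipher key.
 * <p>
 * NOTE(review): the security manager built at the end is a local variable that is neither
 * returned nor registered anywhere visible here, so as written this configuration is not
 * observable outside the method. Wire the remember-me manager into the security manager
 * the application actually uses.
 */
public void configureCookieRememberMe() {
    CookieRememberMeManager rememberMeManager = new CookieRememberMeManager();

    // Configure cookie settings
    SimpleCookie rememberMeCookie = new SimpleCookie("customRememberMe");
    rememberMeCookie.setHttpOnly(true); // not readable from page scripts
    rememberMeCookie.setSecure(true); // sent over HTTPS only
    // A long lifetime is also the window in which a stolen cookie stays usable.
    rememberMeCookie.setMaxAge(30 * 24 * 60 * 60); // 30 days
    // A leading-dot domain with path "/" sends the cookie to every subdomain; narrow the
    // scope unless all of them are equally trusted.
    rememberMeCookie.setDomain(".example.com");
    rememberMeCookie.setPath("/");
    // NOTE(review): no SameSite attribute is set here; check whether the SimpleCookie
    // version in use offers one.
    rememberMeManager.setCookie(rememberMeCookie);
    rememberMeManager.setCipherKey(generateSecretKey());

    // Set in security manager
    DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
    securityManager.setRememberMeManager(rememberMeManager);
}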
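/**
 * Generates a fresh 256-bit key for remember-me cookie encryption.
 * <p>
 * The key comes from a cryptographically secure random source and is returned as Base64
 * text. Because it is created in-process and not persisted, cookies issued before a
 * restart, or by another node in a cluster, cannot be decrypted with it. For production,
 * generate the key once and load it from a secret store shared by all instances.
 * <p>
 * NOTE(review): confirm the text encoding that setCipherKey expects in the library
 * version in use.
 *
 * @return a newly generated 256-bit key, Base64-encoded
 */
private String generateSecretKey() {
    // 32 bytes = 256 bits, drawn from the platform CSPRNG rather than a literal in source.
    byte[] keyBytes = new byte[32];
    new java.security.SecureRandom().nextBytes(keyBytes);
    return java.util.Base64.getEncoder().encodeToString(keyBytes);
}
Install with Tessl CLI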
npx tessl i tessl/maven-org-apache-shiro--shiro-web