Session Management with Shiro in Spring

Source: Internet
Author: User
Tags generator sessions

Session Management
With Shiro, all of a user's session information is managed by Shiro. Any operation that touches the user's session data can therefore go through Shiro, and the information available includes the user name, the host name and so on. All of it can be obtained through the Subject interface.

// requires: import org.apache.shiro.SecurityUtils;
System.out.println("SESSION ID = " + SecurityUtils.getSubject().getSession().getId());
System.out.println("user name: " + SecurityUtils.getSubject().getPrincipal());
System.out.println("HOST: " + SecurityUtils.getSubject().getSession().getHost());
System.out.println("TIMEOUT: " + SecurityUtils.getSubject().getSession().getTimeout());
System.out.println("START: " + SecurityUtils.getSubject().getSession().getStartTimestamp());
System.out.println("last: " + SecurityUtils.getSubject().getSession().getLastAccessTime());

Here the getLastAccessTime() method returns the time of the user's last operation. This basic information is available out of the box, but it all comes from Shiro's default configuration; if necessary, you can also configure session management manually.

1. Session management must free space regularly, so a timer component is needed to do this:

<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-quartz</artifactId>
</dependency>
<dependency>
    <groupId>commons-collections</groupId>
    <artifactId>commons-collections</artifactId>
    <version>3.2.2</version>
</dependency>

2. You can configure your own session ID generator:

<!-- Define the session ID generator -->
<bean id="sessionIdGenerator"
      class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/>
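To show what "your own" generator looks like, here is an added example (not from the original article) that implements Shiro's SessionIdGenerator interface with SecureRandom. The package com.example.shiro and the class name SecureRandomSessionIdGenerator are hypothetical; to use it, point the class attribute of the sessionIdGenerator bean at this class.

```java
package com.example.shiro; // hypothetical package

import java.io.Serializable;
import java.security.SecureRandom;
import java.util.Base64;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.SessionIdGenerator;

/**
 * Session ID generator that draws IDs from a CSPRNG.
 * A session ID is a bearer credential, so it must be unpredictable
 * and must not encode anything about the user or the server.
 */
public class SecureRandomSessionIdGenerator implements SessionIdGenerator {

    private static final int MIN_BYTES = 16; // 128 bits of entropy at least

    // SecureRandom is thread-safe, so one instance can serve all requests.
    private final SecureRandom random = new SecureRandom();
    private final int idBytes;

    public SecureRandomSessionIdGenerator() {
        this(32); // 256-bit IDs by default
    }

    public SecureRandomSessionIdGenerator(int idBytes) {
        if (idBytes < MIN_BYTES) {
            throw new IllegalArgumentException(
                    "session IDs need at least " + MIN_BYTES + " random bytes");
        }
        this.idBytes = idBytes;
    }

    @Override
    public Serializable generateId(Session session) {
        // The session argument is deliberately ignored: nothing from the
        // session (host, timestamps, attributes) goes into the ID.
        byte[] raw = new byte[idBytes];
        random.nextBytes(raw);
        // URL-safe Base64 without padding is safe to place in a cookie value.
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
}
```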

3. Next, define a session DAO. This determines where your sessions are cached; for now, all session data is kept temporarily in memory.
· Session storage class: org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO

<!-- Configure the session DAO -->
<bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO">
    <!-- Name of the session cache; it can be any name -->
    <property name="activeSessionsCacheName" value="shiro-activeSessionCache"/>
    <!-- Session ID generator used by the DAO -->
    <property name="sessionIdGenerator" ref="sessionIdGenerator"/>
</bean>

4. So far only the components required for caching are defined, not the link between the session and the client. For effective session management we also need a cookie template.
· Cookie handling class: org.apache.shiro.web.servlet.SimpleCookie

<!-- Template for the data that has to be stored in a cookie -->
<bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
    <!-- Name of the cookie; under Tomcat the default is JSESSIONID -->
    <constructor-arg value="mldn-session-id"/>
    <!-- Keep the cookie out of reach of client-side script (protects against cross-site scripting) -->
    <property name="httpOnly" value="true"/>
    <!-- Cookie expiration time in seconds; -1 means the cookie disappears when the browser is closed -->
    <property name="maxAge" value="-1"/>
</bean>

5. Define the session manager (SessionManager).
· Operation class: org.apache.shiro.web.session.mgt.DefaultWebSessionManager

<!-- Define the session manager -->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <!-- Global session timeout in milliseconds; overrides the timeout configured in web.xml -->
    <property name="globalSessionTimeout" value="1000000"/>
    <!-- Delete all invalid session objects; the sessions are kept in memory -->
    <property name="deleteInvalidSessions" value="true"/>
    <!-- Scheduler that detects invalid sessions -->
    <property name="sessionValidationScheduler" ref="sessionValidationScheduler"/>
    <!-- Allow sessions to be checked by this scheduler -->
    <property name="sessionValidationSchedulerEnabled" value="true"/>
    <!-- DAO used to store (serialize) sessions -->
    <property name="sessionDAO" ref="sessionDAO"/>
    <!-- Every session ID is sent to the client in a cookie, so a cookie template is required -->
    <property name="sessionIdCookie" ref="sessionIdCookie"/>
    <!-- Enable the sessionIdCookie template -->
    <property name="sessionIdCookieEnabled" value="true"/>
</bean>

6. Every session should release its resources once the user has left. If the user never logs out, however, the session cannot be cleared, so to prevent this you also need to add a session validation scheduler.
· Scheduler class: org.apache.shiro.session.mgt.quartz.QuartzSessionValidationScheduler

<!-- Timer-based session validation so that invalid sessions are released -->
<bean id="sessionValidationScheduler"
      class="org.apache.shiro.session.mgt.quartz.QuartzSessionValidationScheduler">
    <!-- Interval between session expiration scans, in milliseconds -->
    <property name="sessionValidationInterval" value="100000"/>
    <!-- Reference to the session manager whose sessions are validated -->
    <property name="sessionManager" ref="sessionManager"/>
</bean>

7. Then modify the security manager:

<!-- Configure the SecurityManager -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <!-- Realm to use -->
    <property name="realm" ref="memberRealm"/>
    <property name="cacheManager" ref="cacheManager"/>
    <!-- Session manager to use -->
    <property name="sessionManager" ref="sessionManager"/>
</bean>

At this point, all session handling in the web application is under Shiro's control.
8. Additional methods:
· Update session: SecurityUtils.getSubject().getSession().touch();
· Stop session: SecurityUtils.getSubject().getSession().stop();
|- equivalent to calling session.invalidate() in web development;
|- Log out: SecurityUtils.getSubject().logout().

Shiro has its own session-management implementation; where it overlaps with the web container's session handling, the Shiro configuration is the one that takes effect.
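One defensive use of stop() from the list above, as an added example (not from the original article): renew the session around login so that the session ID issued before authentication is not the one used afterwards. The class name SessionRenewingLogin is hypothetical, and carrying the old attributes over is an assumption about what the application needs.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public final class SessionRenewingLogin { // hypothetical helper class

    private SessionRenewingLogin() {
    }

    /**
     * Logs the current subject in on a fresh session.
     * Throws AuthenticationException (from Subject.login) if the login fails.
     */
    public static Subject login(AuthenticationToken token) {
        Subject subject = SecurityUtils.getSubject();

        // getSession(false) returns null instead of creating a session.
        Session old = subject.getSession(false);
        Map<Object, Object> carried = new HashMap<>();
        if (old != null) {
            // Copy attributes set before login (for example a saved request).
            for (Object key : old.getAttributeKeys()) {
                carried.put(key, old.getAttribute(key));
            }
            // Like HttpSession.invalidate(): the pre-login session ID is dead.
            old.stop();
        }

        subject.login(token);

        // After stop(), getSession() creates a new session with a new ID.
        Session fresh = subject.getSession();
        for (Map.Entry<Object, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return subject;
    }
}
```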
