org.rhq.enterprise.server.auth
Class SessionManager

java.lang.Object
  extended by org.rhq.enterprise.server.auth.SessionManager

public final class SessionManager
extends Object

This is the JON Server's own session ID generator. It is outside any container-provided session mechanism. Its sole purpose is to provide session IDs to logged-in Subjects. It will time out those sessions regardless of any container-provided session-timeout mechanism.

Because this is a very security-sensitive class, any public method requires the caller to hold the AllowEjbAccessPermission, as do all other calls to the EJB layer. This prevents malicious users from tricking the EJB layer into thinking that some users are logged in, or from logging out other users.

Also, for security reasons, this class is final so that malicious code can't subclass it and modify its behavior.

This object is a singleton.
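
The design described above (a final singleton that issues its own session IDs, checks a permission on every public call, and enforces its own timeout) can be sketched as follows. This is an added example, not RHQ source code: SketchSessionManager, SketchAccessPermission, the use of SecureRandom and java.lang.SecurityManager, and the sliding timeout are all assumptions made for illustration.

```java
import java.security.BasicPermission;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added sketch, not RHQ source; every name here is hypothetical.
public final class SketchSessionManager { // final: no subclass can alter behavior
    // Stand-in for AllowEjbAccessPermission (assumed to be a java.security.Permission).
    static final class SketchAccessPermission extends BasicPermission {
        SketchAccessPermission() { super("sketch.session.access"); }
    }
    private static final class Entry {
        final String user; final long timeoutMs; volatile long lastAccess;
        Entry(String u, long t) { user = u; timeoutMs = t; lastAccess = System.currentTimeMillis(); }
    }
    private static final SketchSessionManager INSTANCE = new SketchSessionManager();
    private final Map<Integer, Entry> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom(); // assumption: random ids

    private SketchSessionManager() { } // singleton: no outside construction
    public static SketchSessionManager getInstance() { checkCaller(); return INSTANCE; }

    // Assumption: the permission check is modelled with java.lang.SecurityManager
    // (deprecated for removal since Java 17); it is a no-op when none is installed.
    @SuppressWarnings("removal")
    private static void checkCaller() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(new SketchAccessPermission());
    }

    public int put(String user, long timeoutMs) {
        checkCaller();
        int id;
        do { id = random.nextInt(); } // retry on 0 or on a collision with a live id
        while (id == 0 || sessions.putIfAbsent(id, new Entry(user, timeoutMs)) != null);
        return id;
    }
    public String getSubject(int id) {
        checkCaller();
        Entry e = sessions.get(id);
        if (e == null) throw new IllegalStateException("session not found");
        long now = System.currentTimeMillis();
        if (now - e.lastAccess > e.timeoutMs) { // enforced here, not by the container
            sessions.remove(id);
            throw new IllegalStateException("session timed out");
        }
        e.lastAccess = now; // assumption: each successful lookup extends the session
        return e.user;
    }
    public void invalidate(int id) { checkCaller(); sessions.remove(id); }
}
```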


Method Summary
static SessionManager getInstance()
          Return the singleton object.
 long getlastAccess(int sessionId)
           
 org.rhq.core.domain.auth.Subject getOverlord()
           
 org.rhq.core.domain.auth.Subject getSubject(int sessionId)
          Returns the Subject associated with the given session id.
 void invalidate(int sessionId)
          Invalidates the session associated with the given session ID.
 void invalidate(String username)
          Invalidates all sessions for the given username.
 org.rhq.core.domain.auth.Subject put(org.rhq.core.domain.auth.Subject subject)
          Associates a Subject with a new session id.
 org.rhq.core.domain.auth.Subject put(org.rhq.core.domain.auth.Subject subject, long timeout)
          Associates a Subject with a new session id with the given session timeout.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Method Detail

getInstance

public static SessionManager getInstance()
Return the singleton object.

Returns:
the SessionManager

put

public org.rhq.core.domain.auth.Subject put(org.rhq.core.domain.auth.Subject subject)
Associates a Subject with a new session id. The new session will use the default timeout.

Parameters:
subject -
Returns:
the Subject associated with the session. Note, this may be a copy of the Subject passed into the method. The sessionId will be assigned.

put

public org.rhq.core.domain.auth.Subject put(org.rhq.core.domain.auth.Subject subject,
                                            long timeout)
Associates a Subject with a new session id with the given session timeout.

Parameters:
subject -
timeout - the timeout for the session, in milliseconds
Returns:
the Subject associated with the session. This will be a copy of the Subject passed into the method (unless that Subject is overlord). The sessionId will be assigned.

getSubject

public org.rhq.core.domain.auth.Subject getSubject(int sessionId)
                                            throws SessionNotFoundException,
                                                   SessionTimeoutException
Returns the Subject associated with the given session id.

Parameters:
sessionId - The session id
Returns:
the Subject associated with the session id
Throws:
SessionNotFoundException
SessionTimeoutException

invalidate

public void invalidate(int sessionId)
Invalidates the session associated with the given session ID.

Parameters:
sessionId - session id to invalidate

invalidate

public void invalidate(String username)
Invalidates all sessions for the given username. This is for testing purposes ONLY.

Parameters:
username - username for the sessions to be invalidated

getlastAccess

public long getlastAccess(int sessionId)

getOverlord

public org.rhq.core.domain.auth.Subject getOverlord()


Copyright © 2008-2012 Red Hat, Inc. All Rights Reserved.