Returns a {@code Runnable} instance matching the given argument while additionally ensuring that it will retain and execute under this Subject's identity. The returned object can be used with an {@link java.util.concurrent.Executor Executor} or another thread to execute as this Subject. <p/> This will effectively ensure that any calls to {@code SecurityUtils}.{@link SecurityUtils#getSubject() getSubject()} and related functionality will continue to function properly on any thread that executes the returned {@code Runnable} instance. <p/> *Note that if you need a return value to be returned as a result of the runnable's execution or if you need to react to any Exceptions, it is highly recommended to use the {@link #associateWith(java.util.concurrent.Callable) createCallable} method instead of this one.
Ensures this Subject implies the specified permission string. <p/> If this subject's existing associated permissions do not {@link Permission#implies(Permission)} imply} the given permission, an {@link hunt.shiro.authz.AuthorizationException} will be thrown. <p/> This is an overloaded method for the corresponding type-safe {@link Permission Permission} variant. Please see the class-level JavaDoc for more information on these string-based permission methods.
Ensures this Subject {@link Permission#implies(Permission) implies} the specified {@code Permission}. <p/> If this subject's existing associated permissions do not {@link Permission#implies(Permission) imply} the given permission, an {@link hunt.shiro.authz.AuthorizationException} will be thrown.
Ensures this Subject {@link hunt.shiro.authz.Permission#implies(hunt.shiro.authz.Permission) implies} all of the specified permission strings. <p/> If this subject's existing associated permissions do not {@link hunt.shiro.authz.Permission#implies(hunt.shiro.authz.Permission) imply} all of the given permissions, an {@link hunt.shiro.authz.AuthorizationException} will be thrown. <p/> This is an overloaded method for the corresponding type-safe {@link Permission Permission} variant. Please see the class-level JavaDoc for more information on these string-based permission methods.
Ensures this Subject {@link hunt.shiro.authz.Permission#implies(hunt.shiro.authz.Permission) implies} all of the specified permission strings. <p/> If this subject's existing associated permissions do not {@link hunt.shiro.authz.Permission#implies(hunt.shiro.authz.Permission) imply} all of the given permissions, an {@link hunt.shiro.authz.AuthorizationException} will be thrown.
Asserts this Subject has the specified role by returning quietly if they do or throwing an {@link hunt.shiro.authz.AuthorizationException} if they do not.
Asserts this Subject has all of the specified roles by returning quietly if they do or throwing an {@link hunt.shiro.authz.AuthorizationException} if they do not.
Same as {@link #checkRoles(Collection!(string) roleIdentifiers) checkRoles(Collection!(string) roleIdentifiers)} but doesn't require a collection as a an argument. Asserts this Subject has all of the specified roles by returning quietly if they do or throwing an {@link hunt.shiro.authz.AuthorizationException} if they do not.
Associates the specified {@code Runnable} with this {@code Subject} instance and then executes it on the currently running thread. If you want to execute the {@code Runnable} on a different thread, it is better to use the {@link #associateWith(Runnable)} method instead. <p/> <b>Note</b>: This method is primarily provided to execute existing/legacy Runnable implementations. It is better for new code to use {@link #execute(Callable)} since that supports the ability to return values and catch exceptions.
Returns the previous 'pre run as' identity of this {@code Subject} before assuming the current {@link #runAs runAs} identity, or {@code null} if this {@code Subject} is not operating under an assumed identity (normal state). See the {@link #runAs runAs} method for more information.
Returns this Subject's application-wide uniquely identifying principal, or {@code null} if this Subject is anonymous because it doesn't yet have any associated account data (for example, if they haven't logged in). <p/> The term <em>principal</em> is just a fancy security term for any identifying attribute(s) of an application user, such as a username, or user id, or public key, or anything else you might use in your application to identify a user. <h4>Uniqueness</h4> Although given names and family names (first/last) are technically considered principals as well, Shiro expects the object returned from this method to be an identifying attribute unique across your entire application. <p/> This implies that things like given names and family names are usually poor candidates as return values since they are rarely guaranteed to be unique; Things often used for this value: <ul> <li>A {@code long} RDBMS surrogate primary key</li> <li>An application-unique username</li> <li>A {@link java.util.UUID UUID}</li> <li>An LDAP Unique ID</li> </ul> or any other similar suitable unique mechanism valuable to your application. <p/> Most implementations will simply return <code>{@link #getPrincipals()}.{@link hunt.shiro.subject.PrincipalCollection#getPrimaryPrincipal() getPrimaryPrincipal()}</code>
Returns this Subject's principals (identifying attributes) in the form of a {@code PrincipalCollection} or {@code null} if this Subject is anonymous because it doesn't yet have any associated account data (for example, if they haven't logged in). <p/> The word "principals" is nothing more than a fancy security term for identifying attributes associated with a Subject, aka, application user. For example, user id, a surname (family/last name), given (first) name, social security number, nickname, username, etc, are all examples of a principal.
Returns the application {@code Session} associated with this Subject. If no session exists when this method is called, a new session will be created, associated with this Subject, and then returned.
Returns the application {@code Session} associated with this Subject. Based on the bool argument, this method functions as follows: <ul> <li>If there is already an existing session associated with this {@code Subject}, it is returned and the {@code create} argument is ignored.</li> <li>If no session exists and {@code create} is {@code true}, a new session will be created, associated with this {@code Subject} and then returned.</li> <li>If no session exists and {@code create} is {@code false}, {@code null} is returned.</li> </ul>
Returns {@code true} if this Subject has all of the specified roles, {@code false} otherwise.
Returns {@code true} if this Subject has the specified role, {@code false} otherwise.
Checks if this Subject has the specified roles, returning a bool array indicating which roles are associated. <p/> This is primarily a performance-enhancing method to help reduce the number of {@link #hasRole} invocations over the wire in client/server systems.
Returns {@code true} if this Subject/user proved their identity <em>during their current session</em> by providing valid credentials matching those known to the system, {@code false} otherwise. <p/> Note that even if this Subject's identity has been remembered via 'remember me' services, this method will still return {@code false} unless the user has actually logged in with proper credentials <em>during their current session</em>. See the {@link #isRemembered() isRemembered()} method JavaDoc for more.
Returns {@code true} if this Subject is permitted to perform an action or access a resource summarized by the specified permission string. <p/> This is an overloaded method for the corresponding type-safe {@link Permission Permission} variant. Please see the class-level JavaDoc for more information on these string-based permission methods.
Returns {@code true} if this Subject is permitted to perform an action or access a resource summarized by the specified permission. <p/> More specifically, this method determines if any {@code Permission}s associated with the subject {@link Permission#implies(Permission) imply} the specified permission.
Checks if this Subject implies the given permission strings and returns a bool array indicating which permissions are implied. <p/> This is an overloaded method for the corresponding type-safe {@link Permission Permission} variant. Please see the class-level JavaDoc for more information on these string-based permission methods.
Checks if this Subject implies the given Permissions and returns a bool array indicating which permissions are implied. <p/> More specifically, this method should determine if each {@code Permission} in the array is {@link Permission#implies(Permission) implied} by permissions already associated with the subject. <p/> This is primarily a performance-enhancing method to help reduce the number of {@link #isPermitted} invocations over the wire in client/server systems.
Returns {@code true} if this Subject implies all of the specified permission strings, {@code false} otherwise. <p/> This is an overloaded method for the corresponding type-safe {@link hunt.shiro.authz.Permission Permission} variant. Please see the class-level JavaDoc for more information on these string-based permission methods.
Returns {@code true} if this Subject implies all of the specified permissions, {@code false} otherwise. <p/> More specifically, this method determines if all of the given {@code Permission}s are {@link Permission#implies(Permission) implied by} permissions already associated with this Subject.
Returns {@code true} if this {@code Subject} has an identity (it is not anonymous) and the identity (aka {@link #getPrincipals() principals}) is remembered from a successful authentication during a previous session. <p/> Although the underlying implementation determines exactly how this method functions, most implementations have this method act as the logical equivalent to this code: <pre> {@link #getPrincipal() getPrincipal()} !is null && !{@link #isAuthenticated() isAuthenticated()}</pre> <p/> Note as indicated by the above code example, if a {@code Subject} is remembered, they are <em>NOT</em> considered authenticated. A check against {@link #isAuthenticated() isAuthenticated()} is a more strict check than that reflected by this method. For example, a check to see if a subject can access financial information should almost always depend on {@link #isAuthenticated() isAuthenticated()} to <em>guarantee</em> a verified identity, and not this method. <p/> Once the subject is authenticated, they are no longer considered only remembered because their identity would have been verified during the current session. <h4>Remembered vs Authenticated</h4> Authentication is the process of <em>proving</em> you are who you say you are. When a user is only remembered, the remembered identity gives the system an idea who that user probably is, but in reality, has no way of absolutely <em>guaranteeing</em> if the remembered {@code Subject} represents the user currently using the application. <p/> So although many parts of the application can still perform user-specific logic based on the remembered {@link #getPrincipals() principals}, such as customized views, it should never perform highly-sensitive operations until the user has legitimately verified their identity by executing a successful authentication attempt. <p/> We see this paradigm all over the web, and we will use <a href="http://www.amazon.com">Amazon.com</a> as an
Returns {@code true} if this {@code Subject} is 'running as' another identity other than its original one or {@code false} otherwise (normal {@code Subject} state). See the {@link #runAs runAs} method for more information.
Performs a login attempt for this Subject/user. If unsuccessful, an {@link AuthenticationException} is thrown, the subclass of which identifies why the attempt failed. If successful, the account data associated with the submitted principals/credentials will be associated with this {@code Subject} and the method will return quietly. <p/> Upon returning quietly, this {@code Subject} instance can be considered authenticated and {@link #getPrincipal() getPrincipal()} will be non-null and {@link #isAuthenticated() isAuthenticated()} will be {@code true}.
Logs out this Subject and invalidates and/or removes any associated entities, such as a {@link Session Session} and authorization data. After this method is called, the Subject is considered 'anonymous' and may continue to be used for another log-in if desired. <h3>Web Environment Warning</h3> Calling this method in web environments will usually remove any associated session cookie as part of session invalidation. Because cookies are part of the HTTP header, and headers can only be set before the response body (html, image, etc) is sent, this method in web environments must be called before <em>any</em> content has been rendered. <p/> The typical approach most applications use in this scenario is to redirect the user to a different location (e.g. home page) immediately after calling this method. This is an effect of the HTTP protocol itself and not a reflection of Shiro's implementation. <p/> Non-HTTP environments may of course use a logged-out subject for login again if desired.
Releases the current 'run as' (assumed) identity and reverts back to the previous 'pre run as' identity that existed before {@code #runAs runAs} was called. <p/> This method returns 'run as' (assumed) identity being released or {@code null} if this {@code Subject} is not operating under an assumed identity.
Allows this subject to 'run as' or 'assume' another identity indefinitely. This can only be called when the {@code Subject} instance already has an identity (i.e. they are remembered from a previous log-in or they have authenticated during their current session). <p/> Some notes about {@code runAs}: <ul> <li>You can tell if a {@code Subject} is 'running as' another identity by calling the {@link #isRunAs() isRunAs()} method.</li> <li>If running as another identity, you can determine what the previous 'pre run as' identity was by calling the {@link #getPreviousPrincipals() getPreviousPrincipals()} method.</li> <li>When you want a {@code Subject} to stop running as another identity, you can return to its previous 'pre run as' identity by calling the {@link #releaseRunAs() releaseRunAs()} method.</li> </ul>
A {@code Subject} represents state and security operations for a <em>single</em> application user. These operations include authentication (login/logout), authorization (access control), and session access. It is Shiro's primary mechanism for single-user security functionality. <h3>Acquiring a Subject</h3> To acquire the currently-executing {@code Subject}, application developers will almost always use {@code SecurityUtils}: <pre> {@link SecurityUtils SecurityUtils}.{@link hunt.shiro.SecurityUtils#getSubject() getSubject()}</pre> Almost all security operations should be performed with the {@code Subject} returned from this method. <h3>Permission methods</h3> Note that there are many *Permission methods in this interface overloaded to accept string arguments instead of {@link Permission Permission} instances. They are a convenience allowing the caller to use a string representation of a {@link Permission Permission} if desired. The underlying Authorization subsystem implementations will usually simply convert these string values to {@link Permission Permission} instances and then just call the corresponding type-safe method. (Shiro's default implementations do string-to-Permission conversion for these methods using {@link hunt.shiro.authz.permission.PermissionResolver PermissionResolver}s.) <p/> These overloaded *Permission methods forgo type-safety for the benefit of convenience and simplicity, so you should choose which ones to use based on your preferences and needs.