Latest commit has the following changes:
- The DefaultSessionStorageEvaluator has been changed to allow usage of the Session by default if one already exists. If one does not exist, only then is the isSessionStorageEnabled() class-level property consulted. It didn't make sense to not use the session if the application developer has already created one (by calling subject.getSession() somewhere in their own code).
- New web-specific objects have been introduced to enable most web applications to receive enabling/disabling benefits simply by request-specific configuration. For example, a new 'NoSessionCreationFilter' has been introduced (in the pool of Default Filters as 'noSession'). This can be used in Shiro's filter chains, for example, in shiro.ini:
    /rest/** = noSession, authcBasic
The 'noSession' filter triggers logic that will prevent both Shiro and application developers from calling subject.getSession() and subject.getSession(true) for request patterns that should be stateless (no sessions).
A new DefaultWebSessionStorageEvaluator has been introduced that retains the DefaultSessionStorageEvaluator parent class logic, but will additionally look for a request attribute (set by the 'noSession' filter) to trigger this request-specific subject enable/disable logic. The DefaultWebSecurityManager enables this DefaultWebSessionStorageEvaluator by default.
Finally, more unit tests have been added. DefaultWebSessionStorageEvaluator has 100% method/line coverage.
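
The decision order described above, as an added, dependency-free Java model (not Shiro source and not part of the commit): an existing session is used first, then the class-level property is consulted, then the per-request marker set by the 'noSession' filter. All class names and the attribute key are hypothetical stand-ins, and letting an existing session take precedence over the marker is this example's reading of "retains the parent class logic".

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: models the evaluation order only. Names are hypothetical.
public class SessionStorageDecisionDemo {

    // Hypothetical key standing in for the request attribute the 'noSession' filter sets.
    static final String NO_SESSION_ATTR = "demo.noSessionCreation";

    /** Minimal stand-in for a request-bound subject. */
    static final class DemoSubject {
        final boolean hasExistingSession;
        final Map<String, Object> requestAttributes = new HashMap<>();
        DemoSubject(boolean hasExistingSession) { this.hasExistingSession = hasExistingSession; }
    }

    /** Parent logic: an existing session is always used, else the class-level flag decides. */
    static class DemoStorageEvaluator {
        boolean sessionStorageEnabled = true; // class-level property
        boolean isSessionStorageEnabled(DemoSubject s) {
            return s.hasExistingSession || sessionStorageEnabled;
        }
    }

    /** Web variant: keeps the parent logic, then honours the per-request marker. */
    static class DemoWebStorageEvaluator extends DemoStorageEvaluator {
        @Override
        boolean isSessionStorageEnabled(DemoSubject s) {
            if (s.hasExistingSession) return true;              // never discard a live session
            if (!super.isSessionStorageEnabled(s)) return false; // global opt-out
            return !Boolean.TRUE.equals(s.requestAttributes.get(NO_SESSION_ATTR));
        }
    }

    public static void main(String[] args) {
        DemoWebStorageEvaluator eval = new DemoWebStorageEvaluator();

        DemoSubject rest = new DemoSubject(false);     // constructed: request matched by noSession
        rest.requestAttributes.put(NO_SESSION_ATTR, Boolean.TRUE);
        DemoSubject page = new DemoSubject(false);     // constructed: ordinary request, no marker
        DemoSubject existing = new DemoSubject(true);  // constructed: session created earlier
        existing.requestAttributes.put(NO_SESSION_ATTR, Boolean.TRUE);

        System.out.println("marked, no session:     " + eval.isSessionStorageEnabled(rest));
        System.out.println("unmarked, no session:   " + eval.isSessionStorageEnabled(page));
        System.out.println("marked, has session:    " + eval.isSessionStorageEnabled(existing));

        eval.sessionStorageEnabled = false;            // class-level property turned off
        System.out.println("unmarked, flag disabled: " + eval.isSessionStorageEnabled(page));
    }
}
```

When reviewing a stateless endpoint, the third case is the one to check: if a session was created before the request reaches the marked pattern, the model still reports storage as enabled.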