There must be some storage for the session. For example, every web request comes with a session cookie, which must be looked up somewhere and mapped to the user's permissions, roles, other data, etc. You don't want to look it up in the DB every time, do you? This data lasts as long as the user's web session (for example) lasts. This "space" is what SessionDAO manages. It could be an in-memory HashMap, a distributed cache for failover / clustering / load balancing, etc. SessionDAO is a facade for that. It has many implementations, i.e. in-memory, or some other disk-optional object store, so if sessions outgrow memory, the program won't crash or the users won't be logged off for no reason.
Hope this clears things up for you.

On Sep 24, 2015, at 3:26 AM, gembin wrote:
>
> Yes, I know how to customize a realm, but the question is about SubjectDAO...
>
> So, SubjectDAO is trying to save a "transient" object, this doesn't make
> sense to me...
>
> I'm trying to learn Shiro by reading the source code, and don't quite
> understand this part.
>
> From the source code, the default impl saves principals and authentication
> state in session,
> so, from an implementor's point of view, it's not so clear which information
> is to be persisted for a subject.
>
> However the key point is: no way to restore a persisted subject.
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/What-s-the-purpose-of-SubjectDAO-tp7580784p7580789.html
> Sent from the Shiro User mailing list archive at Nabble.com.
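
The session storage facade described in the reply above, as an added example that is not part of the original thread or of Shiro's own code: a minimal `SessionDAO` built on Shiro's `AbstractSessionDAO`. The class name `MapSessionDAO` and the local map are assumptions for illustration; a clustered deployment would put a distributed cache or object store behind the same four operations.

```java
import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;

/** Hypothetical SessionDAO (illustration only): session id -> session, held in memory. */
public class MapSessionDAO extends AbstractSessionDAO {

    // Replace this map with a cache or store client for failover / clustering.
    private final ConcurrentMap<Serializable, Session> store = new ConcurrentHashMap<>();

    @Override
    protected Serializable doCreate(Session session) {
        // The id comes from the generator configured on AbstractSessionDAO.
        Serializable id = generateSessionId(session);
        assignSessionId(session, id);
        store.put(id, session);
        return id;
    }

    @Override
    protected Session doReadSession(Serializable sessionId) {
        // Returning null makes AbstractSessionDAO.readSession throw
        // UnknownSessionException, so an id that is not stored does not resolve.
        return store.get(sessionId);
    }

    @Override
    public void update(Session session) throws UnknownSessionException {
        // Only overwrite an entry that still exists; a deleted session stays deleted.
        if (session.getId() == null || store.replace(session.getId(), session) == null) {
            throw new UnknownSessionException("No stored session with id " + session.getId());
        }
    }

    @Override
    public void delete(Session session) {
        // Called when a session is stopped or expires; its id stops resolving.
        if (session != null && session.getId() != null) {
            store.remove(session.getId());
        }
    }

    @Override
    public Collection<Session> getActiveSessions() {
        return Collections.unmodifiableCollection(store.values());
    }
}
```

It is wired in with `DefaultSessionManager.setSessionDAO(...)`, which applies when Shiro's native session manager is in use.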
