
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.shiro.web.filter.authc;
20  
21  import javax.servlet.ServletRequest;
22  import javax.servlet.ServletResponse;
23  
24  import org.apache.shiro.subject.Subject;
25  import org.apache.shiro.web.filter.AccessControlFilter;
26  
27  /**
28   * Filter that allows access to resources if the accessor is a known user, which is defined as
29   * having a known principal.  This means that any user who is authenticated or remembered via a
30   * 'remember me' feature will be allowed access from this filter.
31   * <p/>
32   * If the accessor is not a known user, then they will be redirected to the {@link #setLoginUrl(String) loginUrl}</p>
33   *
34   * @since 0.9
35   */
36  public class UserFilter extends AccessControlFilter {
37  
38      /**
39       * Returns <code>true</code> if the request is a
40       * {@link #isLoginRequest(javax.servlet.ServletRequest, javax.servlet.ServletResponse) loginRequest} or
41       * if the current {@link #getSubject(javax.servlet.ServletRequest, javax.servlet.ServletResponse) subject}
42       * is not <code>null</code>, <code>false</code> otherwise.
43       *
44       * @return <code>true</code> if the request is a
45       * {@link #isLoginRequest(javax.servlet.ServletRequest, javax.servlet.ServletResponse) loginRequest} or
46       * if the current {@link #getSubject(javax.servlet.ServletRequest, javax.servlet.ServletResponse) subject}
47       * is not <code>null</code>, <code>false</code> otherwise.
48       */
49      protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
50          if (isLoginRequest(request, response)) {
51              return true;
52          } else {
53              Subject subject = getSubject(request, response);
54              // If principal is not null, then the user is known and should be allowed access.
55              return subject.getPrincipal() != null;
56          }
57      }
58  
59      /**
60       * This default implementation simply calls
61       * {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse) saveRequestAndRedirectToLogin}
62       * and then immediately returns <code>false</code>, thereby preventing the chain from continuing so the redirect may
63       * execute.
64       */
65      protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
66          saveRequestAndRedirectToLogin(request, response);
67          return false;
68      }
69  }