org.apache.shiro.web.filter.authz
Class AuthorizationFilter

java.lang.Object
  extended by org.apache.shiro.web.servlet.ServletContextSupport
      extended by org.apache.shiro.web.servlet.AbstractFilter
          extended by org.apache.shiro.web.servlet.NameableFilter
              extended by org.apache.shiro.web.servlet.OncePerRequestFilter
                  extended by org.apache.shiro.web.servlet.AdviceFilter
                      extended by org.apache.shiro.web.filter.PathMatchingFilter
                          extended by org.apache.shiro.web.filter.AccessControlFilter
                              extended by org.apache.shiro.web.filter.authz.AuthorizationFilter
All Implemented Interfaces:
Filter, Nameable, PathConfigProcessor
Direct Known Subclasses:
HostFilter, PermissionsAuthorizationFilter, PortFilter, RolesAuthorizationFilter

public abstract class AuthorizationFilter
extends AccessControlFilter

Superclass for authorization-related filters. If an request is unauthorized, response handling is delegated to the onAccessDenied method, which provides reasonable handling for most applications.

Since:
0.9
See Also:
onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse)

Field Summary
 
Fields inherited from class org.apache.shiro.web.filter.AccessControlFilter
DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD
 
Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter
appliedPaths, pathMatcher
 
Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
ALREADY_FILTERED_SUFFIX
 
Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
filterConfig
 
Constructor Summary
AuthorizationFilter()
           
 
Method Summary
 String getUnauthorizedUrl()
          Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).
protected  boolean onAccessDenied(ServletRequest request, ServletResponse response)
          Handles the response when access has been denied.
 void setUnauthorizedUrl(String unauthorizedUrl)
          Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.
 
Methods inherited from class org.apache.shiro.web.filter.AccessControlFilter
getLoginUrl, getSubject, isAccessAllowed, isLoginRequest, onAccessDenied, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl
 
Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter
getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig
 
Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter
afterCompletion, cleanup, doFilterInternal, executeChain, postHandle
 
Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter
 
Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
getName, setName, toStringBuilder
 
Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
 
Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Constructor Detail

AuthorizationFilter

public AuthorizationFilter()
Method Detail

getUnauthorizedUrl

public String getUnauthorizedUrl()
Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).

The default is null, ensuring default web server behavior. Override this default by calling the setUnauthorizedUrl method with a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.

Returns:
the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).

setUnauthorizedUrl

public void setUnauthorizedUrl(String unauthorizedUrl)
Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.

If the value is null a raw HttpServletResponse.SC_UNAUTHORIZED response will be issued (401 Unauthorized), retaining default web server behavior.

Unless overridden by calling this method, the default value is null. If desired, you can specify a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.

Parameters:
unauthorizedUrl - the URL to which users should be redirected if they are denied access to an underlying path or resource, or null to a ensure raw HttpServletResponse.SC_UNAUTHORIZED response is issued (401 Unauthorized).

onAccessDenied

protected boolean onAccessDenied(ServletRequest request,
                                 ServletResponse response)
                          throws IOException
Handles the response when access has been denied. It behaves as follows: [1]: A Subject is 'known' when subject.getPrincipal() is not null, which implicitly means that the subject is either currently authenticated or they have been remembered via 'remember me' services.

Specified by:
onAccessDenied in class AccessControlFilter
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Returns:
false always for this implementation.
Throws:
IOException - if there is any servlet error.


Copyright © 2004-2014 The Apache Software Foundation. All Rights Reserved.