org.apache.shiro.web.servlet
Class AbstractShiroFilter

java.lang.Object
  extended by org.apache.shiro.web.servlet.ServletContextSupport
      extended by org.apache.shiro.web.servlet.AbstractFilter
          extended by org.apache.shiro.web.servlet.NameableFilter
              extended by org.apache.shiro.web.servlet.OncePerRequestFilter
                  extended by org.apache.shiro.web.servlet.AbstractShiroFilter
All Implemented Interfaces:
Filter, Nameable
Direct Known Subclasses:
GuiceShiroFilter, IniShiroFilter, ShiroFilter

public abstract class AbstractShiroFilter
extends OncePerRequestFilter

Abstract base class that provides all standard Shiro request filtering behavior and expects subclasses to implement configuration-specific logic (INI, XML, .properties, etc).

Subclasses should perform configuration and construction logic in an overridden init() method implementation. That implementation should make available any constructed SecurityManager and FilterChainResolver by calling setSecurityManager(org.apache.shiro.web.mgt.WebSecurityManager) and setFilterChainResolver(org.apache.shiro.web.filter.mgt.FilterChainResolver) methods respectively.

Static SecurityManager

By default the SecurityManager instance enabled by this filter will not be enabled in static memory via the SecurityUtils.setSecurityManager method. Instead, it is expected that Subject instances will always be constructed on a request-processing thread via instances of this Filter class.

However, if you need to construct Subject instances on separate (non request-processing) threads, it might be easiest to enable the SecurityManager to be available in static memory via the SecurityUtils.getSecurityManager() method. You can do this by additionally specifying an init-param:

 <filter>
     ... other config here ...
     <init-param>
         <param-name>staticSecurityManagerEnabled</param-name>
         <param-value>true</param-value>
     </init-param>
 </filter>
 
See the Shiro Subject documentation for more information as to if you would do this, particularly the sections on the Subject.Builder and Thread Association.

Since:
1.0
See Also:
Subject documentation

Field Summary
 
Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
ALREADY_FILTERED_SUFFIX
 
Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
filterConfig
 
Constructor Summary
protected AbstractShiroFilter()
           
 
Method Summary
protected  WebSecurityManager createDefaultSecurityManager()
           
protected  WebSubject createSubject(ServletRequest request, ServletResponse response)
          Creates a WebSubject instance to associate with the incoming request/response pair which will be used throughout the request/response execution.
protected  void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
          doFilterInternal implementation that sets-up, executes, and cleans-up a Shiro-filtered request.
protected  void executeChain(ServletRequest request, ServletResponse response, FilterChain origChain)
          Executes a FilterChain for the given request.
protected  FilterChain getExecutionChain(ServletRequest request, ServletResponse response, FilterChain origChain)
          Returns the FilterChain to execute for the given request.
 FilterChainResolver getFilterChainResolver()
           
 WebSecurityManager getSecurityManager()
           
 void init()
           
protected  boolean isHttpSessions()
           
 boolean isStaticSecurityManagerEnabled()
          Returns true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise.
protected  void onFilterConfigSet()
          Template method to be overridden by subclasses to perform initialization logic at start-up.
protected  ServletRequest prepareServletRequest(ServletRequest request, ServletResponse response, FilterChain chain)
          Prepares the ServletRequest instance that will be passed to the FilterChain for request processing.
protected  ServletResponse prepareServletResponse(ServletRequest request, ServletResponse response, FilterChain chain)
          Prepares the ServletResponse instance that will be passed to the FilterChain for request processing.
 void setFilterChainResolver(FilterChainResolver filterChainResolver)
           
 void setSecurityManager(WebSecurityManager sm)
           
 void setStaticSecurityManagerEnabled(boolean staticSecurityManagerEnabled)
          Sets if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager).
protected  void updateSessionLastAccessTime(ServletRequest request, ServletResponse response)
          Updates any 'native' Session's last access time that might exist to the timestamp when this method is called.
protected  ServletRequest wrapServletRequest(HttpServletRequest orig)
          Wraps the original HttpServletRequest in a ShiroHttpServletRequest, which is required for supporting Servlet Specification behavior backed by a Subject instance.
protected  ServletResponse wrapServletResponse(HttpServletResponse orig, ShiroHttpServletRequest request)
          Returns a new ShiroHttpServletResponse instance, wrapping the orig argument, in order to provide correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not Servlet Container HTTP-based sessions).
 
Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter
 
Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
getName, setName, toStringBuilder
 
Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
destroy, getFilterConfig, getInitParam, init, setFilterConfig
 
Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Constructor Detail

AbstractShiroFilter

protected AbstractShiroFilter()
Method Detail

getSecurityManager

public WebSecurityManager getSecurityManager()

setSecurityManager

public void setSecurityManager(WebSecurityManager sm)

getFilterChainResolver

public FilterChainResolver getFilterChainResolver()

setFilterChainResolver

public void setFilterChainResolver(FilterChainResolver filterChainResolver)

isStaticSecurityManagerEnabled

public boolean isStaticSecurityManagerEnabled()
Returns true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise.

The default value is false.

Returns:
true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise.
Since:
1.2
See Also:
SHIRO-287

setStaticSecurityManagerEnabled

public void setStaticSecurityManagerEnabled(boolean staticSecurityManagerEnabled)
Sets if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager).

The default value is false.

Parameters:
staticSecurityManagerEnabled - if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager).
Since:
1.2
See Also:
SHIRO-287

onFilterConfigSet

protected final void onFilterConfigSet()
                                throws Exception
Description copied from class: AbstractFilter
Template method to be overridden by subclasses to perform initialization logic at start-up. The ServletContext and FilterConfig will be accessible (and non-null) at the time this method is invoked via the getServletContext() and getFilterConfig() methods respectively.

init-param values may be conveniently obtained via the AbstractFilter.getInitParam(String) method.

Overrides:
onFilterConfigSet in class AbstractFilter
Throws:
Exception - if the subclass has an error upon initialization.

init

public void init()
          throws Exception
Throws:
Exception

createDefaultSecurityManager

protected WebSecurityManager createDefaultSecurityManager()

isHttpSessions

protected boolean isHttpSessions()

wrapServletRequest

protected ServletRequest wrapServletRequest(HttpServletRequest orig)
Wraps the original HttpServletRequest in a ShiroHttpServletRequest, which is required for supporting Servlet Specification behavior backed by a Subject instance.

Parameters:
orig - the original Servlet Container-provided incoming HttpServletRequest instance.
Returns:
ShiroHttpServletRequest instance wrapping the original.
Since:
1.0

prepareServletRequest

protected ServletRequest prepareServletRequest(ServletRequest request,
                                               ServletResponse response,
                                               FilterChain chain)
Prepares the ServletRequest instance that will be passed to the FilterChain for request processing.

If the ServletRequest is an instance of HttpServletRequest, the value returned from this method is obtained by calling wrapServletRequest(javax.servlet.http.HttpServletRequest) to allow Shiro-specific HTTP behavior, otherwise the original ServletRequest argument is returned.

Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
chain - the Servlet Container provided FilterChain that will receive the returned request.
Returns:
the ServletRequest instance that will be passed to the FilterChain for request processing.
Since:
1.0

wrapServletResponse

protected ServletResponse wrapServletResponse(HttpServletResponse orig,
                                              ShiroHttpServletRequest request)
Returns a new ShiroHttpServletResponse instance, wrapping the orig argument, in order to provide correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not Servlet Container HTTP-based sessions).

Parameters:
orig - the original HttpServletResponse instance provided by the Servlet Container.
request - the ShiroHttpServletRequest instance wrapping the original request.
Returns:
the wrapped ServletResponse instance to use during FilterChain execution.
Since:
1.0

prepareServletResponse

protected ServletResponse prepareServletResponse(ServletRequest request,
                                                 ServletResponse response,
                                                 FilterChain chain)
Prepares the ServletResponse instance that will be passed to the FilterChain for request processing.

This implementation delegates to wrapServletRequest(javax.servlet.http.HttpServletRequest) only if Shiro-based sessions are enabled (that is, !isHttpSessions()) and the request instance is a ShiroHttpServletRequest. This ensures that any URL rewriting that occurs is handled correctly using the Shiro-managed Session's sessionId and not a servlet container session ID.

If HTTP-based sessions are enabled (the default), then this method does nothing and just returns the ServletResponse argument as-is, relying on the default Servlet Container URL rewriting logic.

Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
chain - the Servlet Container provided FilterChain that will receive the returned request.
Returns:
the ServletResponse instance that will be passed to the FilterChain during request processing.
Since:
1.0

createSubject

protected WebSubject createSubject(ServletRequest request,
                                   ServletResponse response)
Creates a WebSubject instance to associate with the incoming request/response pair which will be used throughout the request/response execution.

Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Returns:
the WebSubject instance to associate with the request/response execution
Since:
1.0

updateSessionLastAccessTime

protected void updateSessionLastAccessTime(ServletRequest request,
                                           ServletResponse response)
Updates any 'native' Session's last access time that might exist to the timestamp when this method is called. If native sessions are not enabled (that is, standard Servlet container sessions are being used) or there is no session (subject.getSession(false) == null), this method does nothing.

This method implementation merely calls Session.touch() on the session.

Parameters:
request - incoming request - ignored, but available to subclasses that might wish to override this method
response - outgoing response - ignored, but available to subclasses that might wish to override this method
Since:
1.0

doFilterInternal

protected void doFilterInternal(ServletRequest servletRequest,
                                ServletResponse servletResponse,
                                FilterChain chain)
                         throws ServletException,
                                IOException
doFilterInternal implementation that sets-up, executes, and cleans-up a Shiro-filtered request. It performs the following ordered operations:
  1. Prepares the incoming ServletRequest for use during Shiro's processing
  2. Prepares the outgoing ServletResponse for use during Shiro's processing
  3. Creates a Subject instance based on the specified request/response pair.
  4. Finally executes the updateSessionLastAccessTime(javax.servlet.ServletRequest, javax.servlet.ServletResponse) and executeChain(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) methods

The Subject.execute(Runnable) call in step #4 is used as an implementation technique to guarantee proper thread binding and restoration is completed successfully.

Specified by:
doFilterInternal in class OncePerRequestFilter
Parameters:
servletRequest - the incoming ServletRequest
servletResponse - the outgoing ServletResponse
chain - the container-provided FilterChain to execute
Throws:
IOException - if an IO error occurs
ServletException - if an Throwable other than an IOException

getExecutionChain

protected FilterChain getExecutionChain(ServletRequest request,
                                        ServletResponse response,
                                        FilterChain origChain)
Returns the FilterChain to execute for the given request.

The origChain argument is the original FilterChain supplied by the Servlet Container, but it may be modified to provide more behavior by pre-pending further chains according to the Shiro configuration.

This implementation returns the chain that will actually be executed by acquiring the chain from a filterChainResolver. The resolver determines exactly which chain to execute, typically based on URL configuration. If no chain is returned from the resolver call (returns null), then the origChain will be returned by default.

Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
origChain - the original FilterChain provided by the Servlet Container
Returns:
the FilterChain to execute for the given request
Since:
1.0

executeChain

protected void executeChain(ServletRequest request,
                            ServletResponse response,
                            FilterChain origChain)
                     throws IOException,
                            ServletException
Executes a FilterChain for the given request.

This implementation first delegates to getExecutionChain to allow the application's Shiro configuration to determine exactly how the chain should execute. The resulting value from that call is then executed directly by calling the returned FilterChain's doFilter method. That is:

 FilterChain chain = getExecutionChain(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)(request, response, origChain);
 chain.doFilter(request,response);

Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
origChain - the Servlet Container-provided chain that may be wrapped further by an application-configured chain of Filters.
Throws:
IOException - if the underlying chain.doFilter call results in an IOException
ServletException - if the underlying chain.doFilter call results in a ServletException
Since:
1.0


Copyright © 2004-2014 The Apache Software Foundation. All Rights Reserved.