001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing,
013 * software distributed under the License is distributed on an
014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 * KIND, either express or implied.  See the License for the
016 * specific language governing permissions and limitations
017 * under the License.
018 */
019package org.apache.shiro.web.filter.authc;
020
021import javax.servlet.ServletRequest;
022import javax.servlet.ServletResponse;
023
024import org.apache.shiro.subject.Subject;
025import org.apache.shiro.web.filter.AccessControlFilter;
026
027/**
028 * Filter that allows access to resources if the accessor is a known user, which is defined as
029 * having a known principal.  This means that any user who is authenticated or remembered via a
030 * 'remember me' feature will be allowed access from this filter.
031 * <p/>
032 * If the accessor is not a known user, then they will be redirected to the {@link #setLoginUrl(String) loginUrl}</p>
033 *
034 * @since 0.9
035 */
036public class UserFilter extends AccessControlFilter {
037
038    /**
039     * Returns <code>true</code> if the request is a
040     * {@link #isLoginRequest(javax.servlet.ServletRequest, javax.servlet.ServletResponse) loginRequest} or
041     * if the current {@link #getSubject(javax.servlet.ServletRequest, javax.servlet.ServletResponse) subject}
042     * is not <code>null</code>, <code>false</code> otherwise.
043     *
044     * @return <code>true</code> if the request is a
045     * {@link #isLoginRequest(javax.servlet.ServletRequest, javax.servlet.ServletResponse) loginRequest} or
046     * if the current {@link #getSubject(javax.servlet.ServletRequest, javax.servlet.ServletResponse) subject}
047     * is not <code>null</code>, <code>false</code> otherwise.
048     */
049    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
050        if (isLoginRequest(request, response)) {
051            return true;
052        } else {
053            Subject subject = getSubject(request, response);
054            // If principal is not null, then the user is known and should be allowed access.
055            return subject.getPrincipal() != null;
056        }
057    }
058
059    /**
060     * This default implementation simply calls
061     * {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse) saveRequestAndRedirectToLogin}
062     * and then immediately returns <code>false</code>, thereby preventing the chain from continuing so the redirect may
063     * execute.
064     */
065    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
066        saveRequestAndRedirectToLogin(request, response);
067        return false;
068    }
069}