Package org.apache.shiro.web.filter
Class AccessControlFilter
All Implemented Interfaces:
    Filter, Nameable, PathConfigProcessor
Direct Known Subclasses:
    AuthenticationFilter, AuthorizationFilter, InvalidRequestFilter, UserFilter

public abstract class AccessControlFilter extends PathMatchingFilter

Superclass for any filter that controls access to a resource and may redirect the user to the login page if they are not authenticated. This superclass provides the method saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse), which is used by many subclasses as the behavior when a user is unauthenticated.

Since:
    0.9
Field Summary

Fields
    static String DEFAULT_LOGIN_URL
        Simple default login URL equal to /login.jsp, which can be overridden by calling the setLoginUrl method.
    static String GET_METHOD
        Constant representing the HTTP 'GET' request method, equal to GET.
    static String POST_METHOD
        Constant representing the HTTP 'POST' request method, equal to POST.

Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter
    appliedPaths, pathMatcher
Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
    ALREADY_FILTERED_SUFFIX
Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
    filterConfig

Constructor Summary

Constructors
    AccessControlFilter()
Method Summary
All Methods Instance Methods Abstract Methods Concrete Methods Modifier and Type Method Description String
getLoginUrl()
Returns the login URL used to authenticate a user.protected Subject
getSubject(ServletRequest request, ServletResponse response)
Convenience method that acquires the Subject associated with the request.protected abstract boolean
isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
Returnstrue
if the request is allowed to proceed through the filter normally, orfalse
if the request should be handled by theonAccessDenied(request,response,mappedValue)
method instead.protected boolean
isLoginRequest(ServletRequest request, ServletResponse response)
Returnstrue
if the incoming request is a login request,false
otherwise.protected abstract boolean
onAccessDenied(ServletRequest request, ServletResponse response)
Processes requests where the subject was denied access as determined by theisAccessAllowed
method.protected boolean
onAccessDenied(ServletRequest request, ServletResponse response, Object mappedValue)
Processes requests where the subject was denied access as determined by theisAccessAllowed
method, retaining themappedValue
that was used during configuration.boolean
onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue)
Returnstrue
ifisAccessAllowed(Request,Response,Object)
, otherwise returns the result ofonAccessDenied(Request,Response,Object)
.protected void
redirectToLogin(ServletRequest request, ServletResponse response)
Convenience method for subclasses that merely acquires thegetLoginUrl
and redirects the request to that url.protected void
saveRequest(ServletRequest request)
Convenience method merely delegates toWebUtils.saveRequest(request)
to save the request state for reuse later.protected void
saveRequestAndRedirectToLogin(ServletRequest request, ServletResponse response)
Convenience method for subclasses to use when a login redirect is required.void
setLoginUrl(String loginUrl)
Sets the login URL used to authenticate a user.-
Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter
getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig
-
Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter
afterCompletion, cleanup, doFilterInternal, executeChain, postHandle
-
Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, isFilterOncePerRequest, setEnabled, setFilterOncePerRequest, shouldNotFilter
-
Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
getName, setName, toStringBuilder
-
Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
-
Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
-
-
-
-
Field Detail

DEFAULT_LOGIN_URL

public static final String DEFAULT_LOGIN_URL

Simple default login URL equal to /login.jsp, which can be overridden by calling the setLoginUrl method.

See Also:
    Constant Field Values

GET_METHOD

public static final String GET_METHOD

Constant representing the HTTP 'GET' request method, equal to GET.

See Also:
    Constant Field Values

POST_METHOD

public static final String POST_METHOD

Constant representing the HTTP 'POST' request method, equal to POST.

See Also:
    Constant Field Values

Constructor Detail

AccessControlFilter

public AccessControlFilter()
Method Detail

getLoginUrl

public String getLoginUrl()

Returns the login URL used to authenticate a user. Most Shiro filters use this url as the location to redirect a user when the filter requires authentication. Unless overridden, the DEFAULT_LOGIN_URL is assumed, which can be overridden via setLoginUrl.

Returns:
    the login URL used to authenticate a user, used when redirecting users if authentication is required.

setLoginUrl

public void setLoginUrl(String loginUrl)

Sets the login URL used to authenticate a user. Most Shiro filters use this url as the location to redirect a user when the filter requires authentication. Unless overridden, the DEFAULT_LOGIN_URL is assumed.

Parameters:
    loginUrl - the login URL used to authenticate a user, used when redirecting users if authentication is required.

getSubject

protected Subject getSubject(ServletRequest request, ServletResponse response)

Convenience method that acquires the Subject associated with the request. The default implementation simply returns SecurityUtils.getSubject().

Parameters:
    request - the incoming ServletRequest
    response - the outgoing ServletResponse
Returns:
    the Subject associated with the request.
isAccessAllowed

protected abstract boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception

Returns true if the request is allowed to proceed through the filter normally, or false if the request should be handled by the onAccessDenied(request, response, mappedValue) method instead.

Parameters:
    request - the incoming ServletRequest
    response - the outgoing ServletResponse
    mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings.
Returns:
    true if the request should proceed through the filter normally, false if the request should be processed by this filter's onAccessDenied(ServletRequest, ServletResponse, Object) method instead.
Throws:
    Exception - if an error occurs during processing.

onAccessDenied

protected boolean onAccessDenied(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception

Processes requests where the subject was denied access as determined by the isAccessAllowed method, retaining the mappedValue that was used during configuration. This method immediately delegates to onAccessDenied(ServletRequest, ServletResponse) as a convenience, since most post-denial behavior does not need the mapped config again.

Parameters:
    request - the incoming ServletRequest
    response - the outgoing ServletResponse
    mappedValue - the config specified for the filter in the matching request's filter chain.
Returns:
    true if the request should continue to be processed; false if the subclass will handle/render the response directly.
Throws:
    Exception - if there is an error processing the request.
Since:
    1.0

onAccessDenied

protected abstract boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception

Processes requests where the subject was denied access as determined by the isAccessAllowed method.

Parameters:
    request - the incoming ServletRequest
    response - the outgoing ServletResponse
Returns:
    true if the request should continue to be processed; false if the subclass will handle/render the response directly.
Throws:
    Exception - if there is an error processing the request.
onPreHandle

public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception

Returns true if isAccessAllowed(request, response, mappedValue) returns true; otherwise returns the result of onAccessDenied(request, response, mappedValue). This is the filter's single decision point: a subclass never has to call either method itself, and any exception thrown by either one propagates out of the filter rather than being treated as an allow.

Overrides:
    onPreHandle in class PathMatchingFilter
Parameters:
    request - the incoming ServletRequest
    response - the outgoing ServletResponse
    mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings.
Returns:
    true if isAccessAllowed returns true, otherwise the result of onAccessDenied.
Throws:
    Exception - if an error occurs.
See Also:
    PathMatchingFilter.isEnabled(javax.servlet.ServletRequest, javax.servlet.ServletResponse, String, Object)
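A concrete subclass wired the way the contract above describes, added here as an illustration; it is not code from Shiro itself. The class name AuthenticatedPermsFilter, the shiro.ini alias authcPerms and the permission strings in the comments are hypothetical, and the code assumes Shiro 1.x on javax.servlet, the API this page documents. It treats mappedValue as the String[] that PathMatchingFilter produces from the bracketed path config, requires an authenticated (not merely remembered) Subject holding every listed permission, and on denial sends browser navigations to the login page through saveRequestAndRedirectToLogin while XHR, JSON and non-GET callers get a bare 401 or 403, so an API client is never 302'd to an HTML form.

```java
package com.example.shiro;   // hypothetical package; this class is not part of Shiro

import java.io.IOException;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Hypothetical AccessControlFilter: a request passes only if the Subject is
 * authenticated (not just remembered) AND holds every permission listed in the
 * path config. Registered and used from shiro.ini like this (names assumed):
 *
 *   [main]
 *   authcPerms = com.example.shiro.AuthenticatedPermsFilter
 *   authcPerms.loginUrl = /login.jsp
 *
 *   [urls]
 *   /login.jsp = anon
 *   /admin/**  = authcPerms[admin:read, admin:write]
 *   /api/**    = authcPerms[api:call]
 */
public class AuthenticatedPermsFilter extends AccessControlFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        Subject subject = getSubject(request, response);
        if (!subject.isAuthenticated()) {
            return false;   // a rememberMe subject is not authenticated; fail closed
        }
        // PathMatchingFilter.processPathConfig splits "[a, b]" into a String[]; null when absent.
        String[] perms = (mappedValue instanceof String[]) ? (String[]) mappedValue : null;
        if (perms == null || perms.length == 0) {
            return true;    // nothing listed: authentication alone is the rule for this path
        }
        return subject.isPermittedAll(perms);   // every listed permission must be held
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws IOException {
        Subject subject = getSubject(request, response);
        HttpServletRequest http = WebUtils.toHttp(request);
        HttpServletResponse httpResponse = WebUtils.toHttp(response);

        if (subject.isAuthenticated()) {
            // Logged in but lacking a permission: a login redirect would loop, so answer 403.
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        if (isLoginRequest(request, response)) {
            // The login URL itself must never be redirected to the login URL.
            return true;
        }
        if (GET_METHOD.equalsIgnoreCase(http.getMethod()) && isBrowserNavigation(http)) {
            // Remember where the user wanted to go, then 302 to getLoginUrl().
            saveRequestAndRedirectToLogin(request, response);
        } else {
            // XHR, JSON and non-GET callers get a status code, not an HTML login form.
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
        return false;   // response already written; do not continue the chain
    }

    /** Heuristic: a top-level browser navigation accepts text/html and is not an XHR. */
    private static boolean isBrowserNavigation(HttpServletRequest request) {
        String accept = request.getHeader("Accept");
        boolean wantsHtml = accept != null && accept.contains("text/html");
        boolean isXhr = "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
        return wantsHtml && !isXhr;
    }
}
```

Two choices in the example are deliberate. onAccessDenied returns true only for the login URL itself (the isLoginRequest check), which avoids the redirect loop that results when the login page is mapped to a filter that redirects to the login page. And only GET navigations are saved before the redirect: WebUtils.saveRequest records the method, URI and query string, not a request body, so a denied POST is answered with a status code instead of being replayed incompletely after login.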
isLoginRequest

protected boolean isLoginRequest(ServletRequest request, ServletResponse response)

Returns true if the incoming request is a login request, false otherwise. The default implementation merely returns true if the incoming request matches the configured loginUrl by calling pathsMatch(loginUrl, request).

Parameters:
    request - the incoming ServletRequest
    response - the outgoing ServletResponse
Returns:
    true if the incoming request is a login request, false otherwise.

saveRequestAndRedirectToLogin

protected void saveRequestAndRedirectToLogin(ServletRequest request, ServletResponse response) throws IOException

Convenience method for subclasses to use when a login redirect is required. This implementation simply calls saveRequest(request) and then redirectToLogin(request, response).

Parameters:
    request - the incoming ServletRequest
    response - the outgoing ServletResponse
Throws:
    IOException - if an error occurs.

saveRequest

protected void saveRequest(ServletRequest request)

Convenience method that merely delegates to WebUtils.saveRequest(request) to save the request state for reuse later. This is mostly used to retain user request state when a redirect is issued to return the user to their originally requested url/resource. If you need to save and then immediately redirect the user to login, consider using saveRequestAndRedirectToLogin(request, response) directly.

Parameters:
    request - the incoming ServletRequest to save for re-use later (for example, after a redirect).

redirectToLogin

protected void redirectToLogin(ServletRequest request, ServletResponse response) throws IOException

Convenience method for subclasses that merely acquires the getLoginUrl and redirects the request to that url. N.B. If you want to issue a redirect with the intention of allowing the user to then return to their originally requested URL, don't use this method directly. Instead you should call saveRequestAndRedirectToLogin(request, response), which will save the current request state so that it can be reconstructed and re-used after a successful login.

Parameters:
    request - the incoming ServletRequest
    response - the outgoing ServletResponse
Throws:
    IOException - if an error occurs.