org.apache.shiro.web.filter.authc

Class AuthenticatingFilter

java.lang.Object

org.apache.shiro.web.servlet.ServletContextSupport

org.apache.shiro.web.servlet.AbstractFilter

org.apache.shiro.web.servlet.NameableFilter

org.apache.shiro.web.servlet.OncePerRequestFilter

org.apache.shiro.web.servlet.AdviceFilter

org.apache.shiro.web.filter.PathMatchingFilter

org.apache.shiro.web.filter.AccessControlFilter

org.apache.shiro.web.filter.authc.AuthenticationFilter

org.apache.shiro.web.filter.authc.AuthenticatingFilter

All Implemented Interfaces:

javax.servlet.Filter, Nameable, PathConfigProcessor

Direct Known Subclasses:

BasicHttpAuthenticationFilter, CasFilter, FormAuthenticationFilter

public abstract class AuthenticatingFilter
extends AuthenticationFilter

An AuthenticationFilter that is capable of automatically performing an authentication attempt based on the incoming request.

Since:

0.9

Field Summary

Fields

Modifier and Type	Field and Description
static String	PERMISSIVE

Fields inherited from class org.apache.shiro.web.filter.authc.AuthenticationFilter

DEFAULT_SUCCESS_URL

Fields inherited from class org.apache.shiro.web.filter.AccessControlFilter

DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD

Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter

appliedPaths, pathMatcher

Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter

ALREADY_FILTERED_SUFFIX

Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter

filterConfig

Constructor Summary

Constructors

Constructor and Description
AuthenticatingFilter()

Method Summary

Modifier and Type	Method and Description
protected void	cleanup(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, Exception existing) Overrides the default behavior to call AccessControlFilter.onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse, java.lang.Object) and swallow the exception if the exception is UnauthenticatedException.
protected abstract AuthenticationToken	createToken(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
protected AuthenticationToken	createToken(String username, String password, boolean rememberMe, String host)
protected AuthenticationToken	createToken(String username, String password, javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
protected boolean	executeLogin(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
protected String	getHost(javax.servlet.ServletRequest request) Returns the host name or IP associated with the current subject.
protected boolean	isAccessAllowed(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, Object mappedValue) Determines whether the current subject should be allowed to make the current request.
protected boolean	isPermissive(Object mappedValue) Returns true if the mappedValue contains the PERMISSIVE qualifier.
protected boolean	isRememberMe(javax.servlet.ServletRequest request) Returns true if "rememberMe" should be enabled for the login attempt associated with the current request, false otherwise.
protected boolean	onLoginFailure(AuthenticationToken token, AuthenticationException e, javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
protected boolean	onLoginSuccess(AuthenticationToken token, Subject subject, javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)

Methods inherited from class org.apache.shiro.web.filter.authc.AuthenticationFilter

getSuccessUrl, issueSuccessRedirect, setSuccessUrl

Methods inherited from class org.apache.shiro.web.filter.AccessControlFilter

getLoginUrl, getSubject, isLoginRequest, onAccessDenied, onAccessDenied, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl

Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter

getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig

Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter

afterCompletion, doFilterInternal, executeChain, postHandle

Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter

doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter

Methods inherited from class org.apache.shiro.web.servlet.NameableFilter

getName, setName, toStringBuilder

Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter

destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig

Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport

getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

PERMISSIVE

public static final String PERMISSIVE

See Also:

Constant Field Values

Constructor Detail

AuthenticatingFilter

public AuthenticatingFilter()

Method Detail

executeLogin

protected boolean executeLogin(javax.servlet.ServletRequest request,
                               javax.servlet.ServletResponse response)
                        throws Exception

Throws:

Exception

createToken

protected abstract AuthenticationToken createToken(javax.servlet.ServletRequest request,
                                                   javax.servlet.ServletResponse response)
                                            throws Exception

Throws:

Exception

createToken

protected AuthenticationToken createToken(String username,
                                          String password,
                                          javax.servlet.ServletRequest request,
                                          javax.servlet.ServletResponse response)

createToken

protected AuthenticationToken createToken(String username,
                                          String password,
                                          boolean rememberMe,
                                          String host)

onLoginSuccess

protected boolean onLoginSuccess(AuthenticationToken token,
                                 Subject subject,
                                 javax.servlet.ServletRequest request,
                                 javax.servlet.ServletResponse response)
                          throws Exception

Throws:

Exception

onLoginFailure

protected boolean onLoginFailure(AuthenticationToken token,
                                 AuthenticationException e,
                                 javax.servlet.ServletRequest request,
                                 javax.servlet.ServletResponse response)

getHost

protected String getHost(javax.servlet.ServletRequest request)

Returns the host name or IP associated with the current subject. This method is primarily provided for use during construction of an AuthenticationToken.

The default implementation merely returns ServletRequest.getRemoteHost().

Parameters:

request - the incoming ServletRequest

Returns:

the InetAddress to associate with the login attempt.

isRememberMe

protected boolean isRememberMe(javax.servlet.ServletRequest request)

Returns true if "rememberMe" should be enabled for the login attempt associated with the current request, false otherwise.

This implementation always returns false and is provided as a template hook to subclasses that support rememberMe logins and wish to determine rememberMe in a custom mannner based on the current request.

Parameters:

request - the incoming ServletRequest

Returns:

true if "rememberMe" should be enabled for the login attempt associated with the current request, false otherwise.

isAccessAllowed

protected boolean isAccessAllowed(javax.servlet.ServletRequest request,
                                  javax.servlet.ServletResponse response,
                                  Object mappedValue)

Determines whether the current subject should be allowed to make the current request.

The default implementation returns true if the user is authenticated. Will also return true if the AccessControlFilter.isLoginRequest(javax.servlet.ServletRequest, javax.servlet.ServletResponse) returns false and the "permissive" flag is set.

Overrides:

isAccessAllowed in class AuthenticationFilter

Parameters:

request - the incoming ServletRequest

response - the outgoing ServletResponse

mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings.

Returns:

true if request should be allowed access

isPermissive

protected boolean isPermissive(Object mappedValue)

Returns true if the mappedValue contains the PERMISSIVE qualifier.

Returns:

true if this filter should be permissive

cleanup

protected void cleanup(javax.servlet.ServletRequest request,
                       javax.servlet.ServletResponse response,
                       Exception existing)
                throws javax.servlet.ServletException,
                       IOException

Overrides the default behavior to call AccessControlFilter.onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse, java.lang.Object) and swallow the exception if the exception is UnauthenticatedException.

Overrides:

cleanup in class AdviceFilter

Parameters:

request - the incoming ServletRequest

response - the outgoing ServletResponse

existing - any exception that might have occurred while executing the FilterChain or pre or post advice, or null if the pre/chain/post execution did not throw an Exception.

Throws:

javax.servlet.ServletException - if any exception other than an IOException is thrown.

IOException - if the pre/chain/post execution throw an IOException