org.apache.shiro.web.filter.authz
Class HttpMethodPermissionFilter
java.lang.Object
org.apache.shiro.web.servlet.ServletContextSupport
org.apache.shiro.web.servlet.AbstractFilter
org.apache.shiro.web.servlet.NameableFilter
org.apache.shiro.web.servlet.OncePerRequestFilter
org.apache.shiro.web.servlet.AdviceFilter
org.apache.shiro.web.filter.PathMatchingFilter
org.apache.shiro.web.filter.AccessControlFilter
org.apache.shiro.web.filter.authz.AuthorizationFilter
org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
- All Implemented Interfaces:
- Filter, Nameable, PathConfigProcessor
public class HttpMethodPermissionFilter
- extends PermissionsAuthorizationFilter
A filter that translates an HTTP Request's Method (eg GET, POST, etc)
into an corresponding action (verb) and uses that verb to construct a permission that will be checked to determine
access.
This Filter is primarily provided to support REST environments where the type (Method)
of request translates to an action being performed on one or more resources. This paradigm works well with Shiro's
concepts of using permissions for access control and can be leveraged to easily perform permission checks.
This filter functions as follows:
- The incoming HTTP request's Method (GET, POST, PUT, DELETE, etc) is discovered.
- The Method is translated into a more 'application friendly' verb, such as 'create', edit', 'delete', etc.
- The verb is appended to any configured permissions for the
currently matching path
.
- If the current
Subject
isPermitted
to
perform the resolved action, the request is allowed to continue.
For example, if the following filter chain was defined, where 'rest' was the name given to a filter instance of
this class:
/user/** = rest[user]
Then an HTTP GET
request to /user/1234
would translate to the constructed permission
user:read
(GET is mapped to the 'read' action) and execute the permission check
Subject.isPermitted("user:read")
in order to allow the request to continue.
Similarly, an HTTP POST
to /user
would translate to the constructed permission
user:create
(POST is mapped to the 'create' action) and execute the permission check
Subject.isPermitted("user:create")
in order to allow the request to continue.
Method To Verb Mapping
The following table represents the default HTTP Method-to-action verb mapping:
HTTP Method | Mapped Action | Example Permission | Runtime Check |
head | read | perm1 | perm1:read |
get | read | perm2 | perm2:read |
put | update | perm3 | perm3:update |
post | create | perm4 | perm4:create |
mkcol | create | perm5 | perm5:create |
options | read | perm6 | perm6:read |
trace | read | perm7 | perm7:read |
- Since:
- 1.0
Method Summary |
protected String[] |
buildPermissions(HttpServletRequest request,
String[] configuredPerms,
String action)
Returns a collection of String permissions with which to perform a permission check to determine if the filter
will allow the request to continue. |
protected String[] |
buildPermissions(String[] configuredPerms,
String action)
Builds a new array of permission strings based on the original argument, appending the specified action verb
to each one per WildcardPermission conventions. |
protected String |
getHttpMethodAction(ServletRequest request)
Determines the action (verb) attempting to be performed on the filtered resource by the current request. |
protected String |
getHttpMethodAction(String method)
Determines the corresponding application action that will be performed on the filtered resource based on the
specified HTTP method (GET, POST, etc). |
protected Map<String,String> |
getHttpMethodActions()
Returns the HTTP Method name (key) to action verb (value) mapping used to resolve actions based on an
incoming HttpServletRequest . |
boolean |
isAccessAllowed(ServletRequest request,
ServletResponse response,
Object mappedValue)
Resolves an 'application friendly' action verb based on the HttpServletRequest 's method, appends that
action to each configured permission (the mappedValue argument is a String[] array), and
delegates the permission check for the newly constructed permission(s) to the superclass
isAccessAllowed
implementation to perform the actual permission check. |
HttpMethodPermissionFilter
public HttpMethodPermissionFilter()
- Creates the filter instance with default method-to-action values in the instance's
http method actions map
.
getHttpMethodActions
protected Map<String,String> getHttpMethodActions()
- Returns the HTTP Method name (key) to action verb (value) mapping used to resolve actions based on an
incoming
HttpServletRequest
. All keys and values are lower-case. The
default key/value pairs are defined in the top class-level JavaDoc.
- Returns:
- the HTTP Method lower-case name (key) to lower-case action verb (value) mapping
getHttpMethodAction
protected String getHttpMethodAction(ServletRequest request)
- Determines the action (verb) attempting to be performed on the filtered resource by the current request.
This implementation expects the incoming request to be an
HttpServletRequest
and returns a mapped
action based on the HTTP request method
.
- Parameters:
request
- to pull the method from.
- Returns:
- The string equivalent verb of the http method.
getHttpMethodAction
protected String getHttpMethodAction(String method)
- Determines the corresponding application action that will be performed on the filtered resource based on the
specified HTTP method (GET, POST, etc).
- Parameters:
method
- to be translated into the verb.
- Returns:
- The string equivalent verb of the method.
buildPermissions
protected String[] buildPermissions(HttpServletRequest request,
String[] configuredPerms,
String action)
- Returns a collection of String permissions with which to perform a permission check to determine if the filter
will allow the request to continue.
This implementation merely delegates to
buildPermissions(String[], String)
and ignores the inbound
HTTP servlet request, but it can be overridden by subclasses for more complex request-specific building logic
if necessary.
- Parameters:
request
- the inbound HTTP request - ignored in this implementation, but available to
subclasses for more complex construction building logic if necessaryconfiguredPerms
- any url-specific permissions mapped to this filter in the URL rules mappings.action
- the application-friendly action (verb) resolved based on the HTTP Method name.
- Returns:
- a collection of String permissions with which to perform a permission check to determine if the filter
will allow the request to continue.
buildPermissions
protected String[] buildPermissions(String[] configuredPerms,
String action)
- Builds a new array of permission strings based on the original argument, appending the specified action verb
to each one per
WildcardPermission
conventions. The
built permission strings will be the ones used at runtime during the permission check that determines if filter
access should be allowed to continue or not.
For example, if the configuredPerms
argument contains the following 3 permission strings:
- permission:one
- permission:two
- permission:three
And the action is read
, then the return value will be:
- permission:one:read
- permission:two:read
- permission:three:read
per WildcardPermission
conventions. Subclasses
are of course free to override this method or the
buildPermissions
request
variant for custom building logic or with different permission formats.
- Parameters:
configuredPerms
- list of configuredPerms to be converted.action
- the resolved action based on the request method to be appended to permission strings.
- Returns:
- an array of permission strings with each element appended with the action.
isAccessAllowed
public boolean isAccessAllowed(ServletRequest request,
ServletResponse response,
Object mappedValue)
throws IOException
- Resolves an 'application friendly' action verb based on the
HttpServletRequest
's method, appends that
action to each configured permission (the mappedValue
argument is a String[]
array), and
delegates the permission check for the newly constructed permission(s) to the superclass
isAccessAllowed
implementation to perform the actual permission check.
- Overrides:
isAccessAllowed
in class PermissionsAuthorizationFilter
- Parameters:
request
- the inbound ServletRequest
response
- the outbound ServletResponse
mappedValue
- the filter-specific config value mapped to this filter in the URL rules mappings.
- Returns:
true
if the request should proceed through the filter normally, false
if the
request should be processed by this filter's
AccessControlFilter.onAccessDenied(ServletRequest,ServletResponse,Object)
method instead.
- Throws:
IOException
Copyright © 2004-2014 The Apache Software Foundation. All Rights Reserved.