org.apache.shiro.web.filter
Class AccessControlFilter

java.lang.Object
  extended by org.apache.shiro.web.servlet.ServletContextSupport
      extended by org.apache.shiro.web.servlet.AbstractFilter
          extended by org.apache.shiro.web.servlet.NameableFilter
              extended by org.apache.shiro.web.servlet.OncePerRequestFilter
                  extended by org.apache.shiro.web.servlet.AdviceFilter
                      extended by org.apache.shiro.web.filter.PathMatchingFilter
                          extended by org.apache.shiro.web.filter.AccessControlFilter
All Implemented Interfaces:
Filter, Nameable, PathConfigProcessor
Direct Known Subclasses:
AuthenticationFilter, AuthorizationFilter, UserFilter

public abstract class AccessControlFilter
extends PathMatchingFilter

Superclass for any filter that controls access to a resource and may redirect the user to the login page if they are not authenticated. This superclass provides the method saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse) which is used by many subclasses as the behavior when a user is unauthenticated.

Since:
0.9
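An added example, not code from Shiro or from this page, of a concrete subclass that implements the two abstract methods and uses the redirect helpers described above. It assumes a hypothetical class name StrictAuthcFilter, the shiro.ini wiring shown in its comment, and the heuristic isApiClient helper; the mappedValue cast relies on PathMatchingFilter passing the bracketed chain config (for example strictAuthc[admin,auditor]) to the filter as a String[], or null when the chain entry has no brackets.

```java
package com.example.shiro; // assumed package, not part of Shiro

import java.io.IOException;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Illustrative subclass (not part of Shiro): requires a fully authenticated
 * Subject (an identity restored from a remember-me cookie is not enough) and,
 * if the chain definition supplies roles, requires at least one of them.
 *
 * Assumed shiro.ini wiring:
 *
 *   [main]
 *   strictAuthc = com.example.shiro.StrictAuthcFilter
 *   strictAuthc.loginUrl = /login
 *
 *   [urls]
 *   /login = anon
 *   /api/** = strictAuthc
 *   /admin/** = strictAuthc[admin,auditor]
 */
public class StrictAuthcFilter extends AccessControlFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        Subject subject = getSubject(request, response);
        // isAuthenticated() is true only after a login in this session;
        // isRemembered() (remember-me cookie) deliberately does not qualify.
        if (!subject.isAuthenticated()) {
            return false;
        }
        // PathMatchingFilter hands the bracketed chain config to this filter as a
        // String[] (null when the chain entry has no brackets).
        String[] roles = (String[]) mappedValue;
        if (roles == null || roles.length == 0) {
            return true;
        }
        for (String role : roles) {
            if (subject.hasRole(role)) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
        Subject subject = getSubject(request, response);
        HttpServletResponse httpResponse = WebUtils.toHttp(response);

        if (subject.isAuthenticated()) {
            // Authenticated but lacking every required role: an authorization
            // failure, so do not bounce the user to the login page.
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        if (isLoginRequest(request, response)) {
            // The login URL itself must stay reachable for unauthenticated users,
            // or the redirect below would loop forever; let it through.
            return true;
        }
        if (isApiClient(request)) {
            // Programmatic clients cannot follow a redirect to an HTML form.
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        // Browser: remember the original request, then redirect to getLoginUrl().
        saveRequestAndRedirectToLogin(request, response);
        return false; // the response has been written; stop the filter chain
    }

    /** Heuristic assumed for this example: XHR or JSON-preferring callers are API clients. */
    static boolean isApiClient(ServletRequest request) {
        HttpServletRequest http = WebUtils.toHttp(request);
        String accept = http.getHeader("Accept");
        return "XMLHttpRequest".equals(http.getHeader("X-Requested-With"))
                || (accept != null && accept.contains("application/json") && !accept.contains("text/html"));
    }
}
```

Mapping /login = anon and the isLoginRequest check inside onAccessDenied are two independent guards against a redirect loop (the login URL redirecting to itself); keeping both is cheap. Returning false after sendError or after the redirect is what stops the chain: returning true there would let the request proceed despite the denial.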

Field Summary
static String DEFAULT_LOGIN_URL
          Simple default login URL equal to /login.jsp, which can be overridden by calling the setLoginUrl method.
static String GET_METHOD
          Constant representing the HTTP 'GET' request method, equal to GET.
static String POST_METHOD
          Constant representing the HTTP 'POST' request method, equal to POST.
 
Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter
appliedPaths, pathMatcher
 
Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
ALREADY_FILTERED_SUFFIX
 
Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
filterConfig
 
Constructor Summary
AccessControlFilter()
           
 
Method Summary
 String getLoginUrl()
          Returns the login URL used to authenticate a user.
protected  Subject getSubject(ServletRequest request, ServletResponse response)
          Convenience method that acquires the Subject associated with the request.
protected abstract  boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
          Returns true if the request is allowed to proceed through the filter normally, or false if the request should be handled by the onAccessDenied(request,response,mappedValue) method instead.
protected  boolean isLoginRequest(ServletRequest request, ServletResponse response)
          Returns true if the incoming request is a login request, false otherwise.
protected abstract  boolean onAccessDenied(ServletRequest request, ServletResponse response)
          Processes requests where the subject was denied access as determined by the isAccessAllowed method.
protected  boolean onAccessDenied(ServletRequest request, ServletResponse response, Object mappedValue)
          Processes requests where the subject was denied access as determined by the isAccessAllowed method, retaining the mappedValue that was used during configuration.
 boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue)
          Returns true if isAccessAllowed(request, response, mappedValue) returns true; otherwise returns the result of onAccessDenied(request, response, mappedValue).
protected  void redirectToLogin(ServletRequest request, ServletResponse response)
          Convenience method for subclasses that merely acquires the getLoginUrl and redirects the request to that url.
protected  void saveRequest(ServletRequest request)
          Convenience method merely delegates to WebUtils.saveRequest(request) to save the request state for reuse later.
protected  void saveRequestAndRedirectToLogin(ServletRequest request, ServletResponse response)
          Convenience method for subclasses to use when a login redirect is required.
 void setLoginUrl(String loginUrl)
          Sets the login URL used to authenticate a user.
 
Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter
getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig
 
Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter
afterCompletion, cleanup, doFilterInternal, executeChain, postHandle
 
Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter
 
Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
getName, setName, toStringBuilder
 
Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
 
Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

DEFAULT_LOGIN_URL

public static final String DEFAULT_LOGIN_URL
Simple default login URL equal to /login.jsp, which can be overridden by calling the setLoginUrl method.

See Also:
Constant Field Values

GET_METHOD

public static final String GET_METHOD
Constant representing the HTTP 'GET' request method, equal to GET.

See Also:
Constant Field Values

POST_METHOD

public static final String POST_METHOD
Constant representing the HTTP 'POST' request method, equal to POST.

See Also:
Constant Field Values

Constructor Detail

AccessControlFilter

public AccessControlFilter()

Method Detail

getLoginUrl

public String getLoginUrl()
Returns the login URL used to authenticate a user.

Most Shiro filters use this url as the location to redirect a user when the filter requires authentication. Unless changed via setLoginUrl, DEFAULT_LOGIN_URL (/login.jsp) is assumed.

Returns:
the login URL used to authenticate a user, used when redirecting users if authentication is required.

setLoginUrl

public void setLoginUrl(String loginUrl)
Sets the login URL used to authenticate a user.

Most Shiro filters use this url as the location to redirect a user when the filter requires authentication. Unless overridden, the DEFAULT_LOGIN_URL is assumed.

Parameters:
loginUrl - the login URL used to authenticate a user, used when redirecting users if authentication is required.

getSubject

protected Subject getSubject(ServletRequest request,
                             ServletResponse response)
Convenience method that acquires the Subject associated with the request.

The default implementation simply returns SecurityUtils.getSubject().

Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Returns:
the Subject associated with the request.

isAccessAllowed

protected abstract boolean isAccessAllowed(ServletRequest request,
                                           ServletResponse response,
                                           Object mappedValue)
                                    throws Exception
Returns true if the request is allowed to proceed through the filter normally, or false if the request should be handled by the onAccessDenied(request,response,mappedValue) method instead.

Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings.
Returns:
true if the request should proceed through the filter normally, false if the request should be processed by this filter's onAccessDenied(ServletRequest,ServletResponse,Object) method instead.
Throws:
Exception - if an error occurs during processing.

onAccessDenied

protected boolean onAccessDenied(ServletRequest request,
                                 ServletResponse response,
                                 Object mappedValue)
                          throws Exception
Processes requests where the subject was denied access as determined by the isAccessAllowed method, retaining the mappedValue that was used during configuration.

This method immediately delegates to onAccessDenied(ServletRequest,ServletResponse) as a convenience in that most post-denial behavior does not need the mapped config again.

Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
mappedValue - the config specified for the filter in the matching request's filter chain.
Returns:
true if the request should continue to be processed; false if the subclass will handle/render the response directly.
Throws:
Exception - if there is an error processing the request.
Since:
1.0

onAccessDenied

protected abstract boolean onAccessDenied(ServletRequest request,
                                          ServletResponse response)
                                   throws Exception
Processes requests where the subject was denied access as determined by the isAccessAllowed method.

Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Returns:
true if the request should continue to be processed; false if the subclass will handle/render the response directly.
Throws:
Exception - if there is an error processing the request.

onPreHandle

public boolean onPreHandle(ServletRequest request,
                           ServletResponse response,
                           Object mappedValue)
                    throws Exception
Returns true if isAccessAllowed(request, response, mappedValue) returns true; otherwise returns the result of onAccessDenied(request, response, mappedValue). The filter chain continues whenever this method returns true, so an onAccessDenied implementation that has already written a redirect or an error to the response must return false.

Overrides:
onPreHandle in class PathMatchingFilter
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings.
Returns:
true if isAccessAllowed, otherwise returns the result of onAccessDenied.
Throws:
Exception - if an error occurs.
See Also:
PathMatchingFilter.isEnabled(javax.servlet.ServletRequest, javax.servlet.ServletResponse, String, Object)

isLoginRequest

protected boolean isLoginRequest(ServletRequest request,
                                 ServletResponse response)
Returns true if the incoming request is a login request, false otherwise.

The default implementation merely returns true if the incoming request's path matches the configured loginUrl, by calling pathsMatch(loginUrl, request). Only the path is compared; the HTTP method is not considered, so a subclass that wants to treat only POSTs to the login URL as login submissions must check the method itself.

Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Returns:
true if the incoming request is a login request, false otherwise.

saveRequestAndRedirectToLogin

protected void saveRequestAndRedirectToLogin(ServletRequest request,
                                             ServletResponse response)
                                      throws IOException
Convenience method for subclasses to use when a login redirect is required.

This implementation simply calls saveRequest(request) and then redirectToLogin(request,response).

Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Throws:
IOException - if an error occurs.

saveRequest

protected void saveRequest(ServletRequest request)
Convenience method merely delegates to WebUtils.saveRequest(request) to save the request state for reuse later. This is mostly used to retain user request state when a redirect is issued to return the user to their originally requested url/resource.

If you need to save and then immediately redirect the user to login, consider using saveRequestAndRedirectToLogin(request,response) directly.

Parameters:
request - the incoming ServletRequest to save for re-use later (for example, after a redirect).

redirectToLogin

protected void redirectToLogin(ServletRequest request,
                               ServletResponse response)
                        throws IOException
Convenience method for subclasses that merely acquires the getLoginUrl and redirects the request to that url.

N.B. If you want to issue a redirect with the intention of allowing the user to then return to their originally requested URL, don't use this method directly. Instead you should call saveRequestAndRedirectToLogin(request,response), which will save the current request state so that it can be reconstructed and re-used after a successful login.

Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Throws:
IOException - if an error occurs.
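To show the saved-request round trip that saveRequest, saveRequestAndRedirectToLogin and redirectToLogin describe, here is an added example of a login-handling subclass. It is not Shiro's own code (Shiro's org.apache.shiro.web.filter.authc.FormAuthenticationFilter does a fuller version of the same thing); it assumes a hypothetical class name SavedRequestLoginFilter, that the login URL is mapped to this same filter, that the login form posts username, password and rememberMe fields, a configurable successUrl fallback, and the request attribute name shiroLoginFailure for reporting a failed attempt to the login page.

```java
package com.example.shiro; // assumed package, not part of Shiro

import java.io.IOException;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Illustrative filter (not Shiro's own): saves a denied request, redirects to
 * the login URL, and after a successful POST to that URL sends the user back
 * to the resource originally requested.
 */
public class SavedRequestLoginFilter extends AccessControlFilter {

    /** Where to go after login when no request was saved (assumed default). */
    private String successUrl = "/";

    public void setSuccessUrl(String successUrl) {
        this.successUrl = successUrl;
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        return getSubject(request, response).isAuthenticated();
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
        if (!isLoginRequest(request, response)) {
            // Any URL other than the login URL: store URI + query string via
            // saveRequest, then redirect. redirectToLogin alone would lose it.
            saveRequestAndRedirectToLogin(request, response);
            return false;
        }

        HttpServletRequest http = WebUtils.toHttp(request);
        if (!POST_METHOD.equalsIgnoreCase(http.getMethod())) {
            // GET of the login URL: continue the chain so the login page renders.
            return true;
        }

        // Assumed form field names: username, password, rememberMe.
        UsernamePasswordToken token = new UsernamePasswordToken(
                WebUtils.getCleanParam(request, "username"),
                WebUtils.getCleanParam(request, "password"),
                WebUtils.isTrue(request, "rememberMe"));
        token.setHost(request.getRemoteHost());

        Subject subject = getSubject(request, response);
        try {
            subject.login(token);
        } catch (AuthenticationException e) {
            // Re-render the login page with a generic failure marker (assumed
            // attribute name); do not tell the caller which part was wrong.
            request.setAttribute("shiroLoginFailure", e.getClass().getName());
            return true;
        } finally {
            token.clear(); // zero the password array once login has been attempted
        }

        // Consumes the SavedRequest stored by saveRequest(request) and redirects
        // to it, or to successUrl when nothing was saved.
        WebUtils.redirectToSavedRequest(request, response, successUrl);
        return false;
    }
}
```

WebUtils.redirectToSavedRequest replays only a saved GET, and the URL it rebuilds is the saved request URI plus query string, so the redirect stays within this application rather than becoming an open redirect; a saved POST or an absent SavedRequest falls back to successUrl.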


Copyright © 2004-2016 The Apache Software Foundation. All Rights Reserved.