org.apache.shiro.web.filter.authz
Class AuthorizationFilter
java.lang.Object
org.apache.shiro.web.servlet.ServletContextSupport
org.apache.shiro.web.servlet.AbstractFilter
org.apache.shiro.web.servlet.NameableFilter
org.apache.shiro.web.servlet.OncePerRequestFilter
org.apache.shiro.web.servlet.AdviceFilter
org.apache.shiro.web.filter.PathMatchingFilter
org.apache.shiro.web.filter.AccessControlFilter
org.apache.shiro.web.filter.authz.AuthorizationFilter
- All Implemented Interfaces:
- Filter, Nameable, PathConfigProcessor
- Direct Known Subclasses:
- HostFilter, PermissionsAuthorizationFilter, PortFilter, RolesAuthorizationFilter
public abstract class AuthorizationFilter
- extends AccessControlFilter
Superclass for authorization-related filters. If a request is unauthorized, response handling is delegated to the onAccessDenied method, which provides reasonable handling for most applications.
- Since:
- 0.9
- See Also:
onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
AuthorizationFilter
public AuthorizationFilter()
getUnauthorizedUrl
public String getUnauthorizedUrl()
- Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).
The default is null, ensuring default web server behavior. Override this default by calling the setUnauthorizedUrl method with a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.
- Returns:
- the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).
setUnauthorizedUrl
public void setUnauthorizedUrl(String unauthorizedUrl)
- Sets the URL to which users should be redirected if they are denied access to an underlying path or resource. If the value is null, a raw HttpServletResponse.SC_UNAUTHORIZED response will be issued (401 Unauthorized), retaining default web server behavior.
Unless overridden by calling this method, the default value is null. If desired, you can specify a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.
- Parameters:
unauthorizedUrl - the URL to which users should be redirected if they are denied access to an underlying path or resource, or null to ensure a raw HttpServletResponse.SC_UNAUTHORIZED response is issued (401 Unauthorized).
onAccessDenied
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException
- Handles the response when access has been denied. It behaves as follows:
[1]: A Subject is 'known' when subject.getPrincipal() is not null, which implicitly means that the subject is either currently authenticated or they have been remembered via 'remember me' services.
- Specified by:
onAccessDenied in class AccessControlFilter
- Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
- Returns:
false always for this implementation.
- Throws:
IOException - if there is any servlet error.
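The following subclass is an added example, not code from the Shiro project. It shows how the 'known' distinction in note [1] matters for an authorization decision: a remembered Subject has a non-null principal but has not logged in during this session. The class name, package, role names and the /unauthorized.jsp path are hypothetical.

```java
package example; // hypothetical package

import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

/**
 * Added example: allows access when the Subject logged in during this session
 * AND holds at least one of the roles configured for the matched path.
 *
 * Constructed shiro.ini wiring (names and paths are assumptions):
 *   [main]
 *   anyRole = example.AnyRoleAuthenticatedFilter
 *   anyRole.unauthorizedUrl = /unauthorized.jsp
 *   [urls]
 *   /admin/** = anyRole[admin,auditor]
 */
public class AnyRoleAuthenticatedFilter extends AuthorizationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) throws IOException {
        Subject subject = getSubject(request, response);

        // A non-null principal only means the Subject is 'known', which includes
        // remember-me identities. Require an actual login for this path.
        if (!subject.isAuthenticated()) {
            return false;
        }

        // mappedValue carries the per-path config: "anyRole[admin,auditor]"
        // arrives here as {"admin", "auditor"}.
        String[] roles = (String[]) mappedValue;
        if (roles == null || roles.length == 0) {
            // Fail closed: a path mapped to this filter without roles is
            // treated as a configuration error, not as "allow everyone".
            return false;
        }
        for (String role : roles) {
            if (subject.hasRole(role)) {
                return true;
            }
        }
        // Returning false hands the response to onAccessDenied(request, response).
        return false;
    }
}
```

Leaving unauthorizedUrl unset keeps the raw 401 response described under getUnauthorizedUrl, which suits API clients better than a redirect to an HTML page.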
Copyright © 2004-2016 The Apache Software Foundation. All Rights Reserved.