|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Objectorg.apache.shiro.web.servlet.ServletContextSupport
org.apache.shiro.web.servlet.AbstractFilter
org.apache.shiro.web.servlet.NameableFilter
org.apache.shiro.web.servlet.OncePerRequestFilter
org.apache.shiro.web.servlet.AbstractShiroFilter
public abstract class AbstractShiroFilter
Abstract base class that provides all standard Shiro request filtering behavior and expects subclasses to implement configuration-specific logic (INI, XML, .properties, etc).
Subclasses should perform configuration and construction logic in an overriddeninit()
method implementation. That implementation should make available any constructed
SecurityManager
and FilterChainResolver
by calling
setSecurityManager(org.apache.shiro.web.mgt.WebSecurityManager)
and
setFilterChainResolver(org.apache.shiro.web.filter.mgt.FilterChainResolver)
methods respectively.
SecurityManager
instance enabled by this filter will not be enabled in static
memory via the SecurityUtils.
setSecurityManager
method. Instead, it is expected that Subject instances will always be constructed on a request-processing thread
via instances of this Filter class.
However, if you need to construct Subject
instances on separate (non request-processing) threads, it might
be easiest to enable the SecurityManager to be available in static memory via the
SecurityUtils.getSecurityManager()
method. You can do this by additionally specifying an init-param
:
<filter> ... other config here ... <init-param> <param-name>staticSecurityManagerEnabled</param-name> <param-value>true</param-value> </init-param> </filter>See the Shiro Subject documentation for more information as to if you would do this, particularly the sections on the
Subject.Builder
and Thread Association.
Field Summary |
---|
Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter |
---|
ALREADY_FILTERED_SUFFIX |
Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter |
---|
filterConfig |
Constructor Summary | |
---|---|
protected |
AbstractShiroFilter()
|
Method Summary | |
---|---|
protected WebSecurityManager |
createDefaultSecurityManager()
|
protected WebSubject |
createSubject(ServletRequest request,
ServletResponse response)
Creates a WebSubject instance to associate with the incoming request/response pair which will be used
throughout the request/response execution. |
protected void |
doFilterInternal(ServletRequest servletRequest,
ServletResponse servletResponse,
FilterChain chain)
doFilterInternal implementation that sets-up, executes, and cleans-up a Shiro-filtered request. |
protected void |
executeChain(ServletRequest request,
ServletResponse response,
FilterChain origChain)
Executes a FilterChain for the given request. |
protected FilterChain |
getExecutionChain(ServletRequest request,
ServletResponse response,
FilterChain origChain)
Returns the FilterChain to execute for the given request. |
FilterChainResolver |
getFilterChainResolver()
|
WebSecurityManager |
getSecurityManager()
|
void |
init()
|
protected boolean |
isHttpSessions()
|
boolean |
isStaticSecurityManagerEnabled()
Returns true if the constructed securityManager reference should be bound
to static memory (via
SecurityUtils. setSecurityManager ),
false otherwise. |
protected void |
onFilterConfigSet()
Template method to be overridden by subclasses to perform initialization logic at start-up. |
protected ServletRequest |
prepareServletRequest(ServletRequest request,
ServletResponse response,
FilterChain chain)
Prepares the ServletRequest instance that will be passed to the FilterChain for request
processing. |
protected ServletResponse |
prepareServletResponse(ServletRequest request,
ServletResponse response,
FilterChain chain)
Prepares the ServletResponse instance that will be passed to the FilterChain for request
processing. |
void |
setFilterChainResolver(FilterChainResolver filterChainResolver)
|
void |
setSecurityManager(WebSecurityManager sm)
|
void |
setStaticSecurityManagerEnabled(boolean staticSecurityManagerEnabled)
Sets if the constructed securityManager reference should be bound
to static memory (via SecurityUtils. setSecurityManager ). |
protected void |
updateSessionLastAccessTime(ServletRequest request,
ServletResponse response)
Updates any 'native' Session's last access time that might exist to the timestamp when this method is called. |
protected ServletRequest |
wrapServletRequest(HttpServletRequest orig)
Wraps the original HttpServletRequest in a ShiroHttpServletRequest , which is required for supporting
Servlet Specification behavior backed by a Subject instance. |
protected ServletResponse |
wrapServletResponse(HttpServletResponse orig,
ShiroHttpServletRequest request)
Returns a new ShiroHttpServletResponse instance, wrapping the orig argument, in order to provide
correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not
Servlet Container HTTP-based sessions). |
Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter |
---|
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter |
Methods inherited from class org.apache.shiro.web.servlet.NameableFilter |
---|
getName, setName, toStringBuilder |
Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter |
---|
destroy, getFilterConfig, getInitParam, init, setFilterConfig |
Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport |
---|
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait |
Constructor Detail |
---|
protected AbstractShiroFilter()
Method Detail |
---|
public WebSecurityManager getSecurityManager()
public void setSecurityManager(WebSecurityManager sm)
public FilterChainResolver getFilterChainResolver()
public void setFilterChainResolver(FilterChainResolver filterChainResolver)
public boolean isStaticSecurityManagerEnabled()
true
if the constructed securityManager
reference should be bound
to static memory (via
SecurityUtils.
setSecurityManager
),
false
otherwise.
The default value is false
.
true
if the constructed securityManager
reference should be bound
to static memory (via SecurityUtils.
setSecurityManager
),
false
otherwise.public void setStaticSecurityManagerEnabled(boolean staticSecurityManagerEnabled)
securityManager
reference should be bound
to static memory (via SecurityUtils.
setSecurityManager
).
The default value is false
.
staticSecurityManagerEnabled
- if the constructed securityManager
reference
should be bound to static memory (via
SecurityUtils.
setSecurityManager
).protected final void onFilterConfigSet() throws Exception
AbstractFilter
ServletContext
and FilterConfig
will be accessible
(and non-null
) at the time this method is invoked via the
getServletContext()
and getFilterConfig()
methods respectively.
init-param
values may be conveniently obtained via the AbstractFilter.getInitParam(String)
method.
onFilterConfigSet
in class AbstractFilter
Exception
- if the subclass has an error upon initialization.public void init() throws Exception
Exception
protected WebSecurityManager createDefaultSecurityManager()
protected boolean isHttpSessions()
protected ServletRequest wrapServletRequest(HttpServletRequest orig)
ShiroHttpServletRequest
, which is required for supporting
Servlet Specification behavior backed by a Subject
instance.
orig
- the original Servlet Container-provided incoming HttpServletRequest
instance.
ShiroHttpServletRequest
instance wrapping the original.protected ServletRequest prepareServletRequest(ServletRequest request, ServletResponse response, FilterChain chain)
ServletRequest
instance that will be passed to the FilterChain
for request
processing.
If the ServletRequest
is an instance of HttpServletRequest
, the value returned from this method
is obtained by calling wrapServletRequest(javax.servlet.http.HttpServletRequest)
to allow Shiro-specific
HTTP behavior, otherwise the original ServletRequest
argument is returned.
request
- the incoming ServletRequestresponse
- the outgoing ServletResponsechain
- the Servlet Container provided FilterChain
that will receive the returned request.
ServletRequest
instance that will be passed to the FilterChain
for request processing.protected ServletResponse wrapServletResponse(HttpServletResponse orig, ShiroHttpServletRequest request)
ShiroHttpServletResponse
instance, wrapping the orig
argument, in order to provide
correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not
Servlet Container HTTP-based sessions).
orig
- the original HttpServletResponse
instance provided by the Servlet Container.request
- the ShiroHttpServletRequest
instance wrapping the original request.
FilterChain
execution.protected ServletResponse prepareServletResponse(ServletRequest request, ServletResponse response, FilterChain chain)
ServletResponse
instance that will be passed to the FilterChain
for request
processing.
This implementation delegates to wrapServletRequest(javax.servlet.http.HttpServletRequest)
only if Shiro-based sessions are enabled (that is, !isHttpSessions()
) and the request instance is a
ShiroHttpServletRequest
. This ensures that any URL rewriting that occurs is handled correctly using the
Shiro-managed Session's sessionId and not a servlet container session ID.
If HTTP-based sessions are enabled (the default), then this method does nothing and just returns the
ServletResponse
argument as-is, relying on the default Servlet Container URL rewriting logic.
request
- the incoming ServletRequestresponse
- the outgoing ServletResponsechain
- the Servlet Container provided FilterChain
that will receive the returned request.
ServletResponse
instance that will be passed to the FilterChain
during request processing.protected WebSubject createSubject(ServletRequest request, ServletResponse response)
WebSubject
instance to associate with the incoming request/response pair which will be used
throughout the request/response execution.
request
- the incoming ServletRequest
response
- the outgoing ServletResponse
WebSubject
instance to associate with the request/response executionprotected void updateSessionLastAccessTime(ServletRequest request, ServletResponse response)
subject.getSession(false) == null
), this method does nothing.
This method implementation merely calls
Session.touch
()
on the session.
request
- incoming request - ignored, but available to subclasses that might wish to override this methodresponse
- outgoing response - ignored, but available to subclasses that might wish to override this methodprotected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws ServletException, IOException
doFilterInternal
implementation that sets-up, executes, and cleans-up a Shiro-filtered request. It
performs the following ordered operations:
Prepares
the incoming ServletRequest
for use during Shiro's processingPrepares
the outgoing ServletResponse
for use during Shiro's processingCreates
a
Subject
instance based on the specified request/response pair.executes
the
updateSessionLastAccessTime(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
and
executeChain(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
methodsSubject.
execute(Runnable)
call in step #4 is used as an
implementation technique to guarantee proper thread binding and restoration is completed successfully.
doFilterInternal
in class OncePerRequestFilter
servletRequest
- the incoming ServletRequest
servletResponse
- the outgoing ServletResponse
chain
- the container-provided FilterChain
to execute
IOException
- if an IO error occurs
ServletException
- if an Throwable other than an IOExceptionprotected FilterChain getExecutionChain(ServletRequest request, ServletResponse response, FilterChain origChain)
FilterChain
to execute for the given request.
The origChain
argument is the
original FilterChain
supplied by the Servlet Container, but it may be modified to provide
more behavior by pre-pending further chains according to the Shiro configuration.
This implementation returns the chain that will actually be executed by acquiring the chain from a
filterChainResolver
. The resolver determines exactly which chain to
execute, typically based on URL configuration. If no chain is returned from the resolver call
(returns null
), then the origChain
will be returned by default.
request
- the incoming ServletRequestresponse
- the outgoing ServletResponseorigChain
- the original FilterChain
provided by the Servlet Container
FilterChain
to execute for the given requestprotected void executeChain(ServletRequest request, ServletResponse response, FilterChain origChain) throws IOException, ServletException
FilterChain
for the given request.
This implementation first delegates to
getExecutionChain
to allow the application's Shiro configuration to determine exactly how the chain should execute. The resulting
value from that call is then executed directly by calling the returned FilterChain
's
doFilter
method. That is:
FilterChain chain =getExecutionChain(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
(request, response, origChain); chain.doFilter
(request,response);
request
- the incoming ServletRequestresponse
- the outgoing ServletResponseorigChain
- the Servlet Container-provided chain that may be wrapped further by an application-configured
chain of Filters.
IOException
- if the underlying chain.doFilter
call results in an IOException
ServletException
- if the underlying chain.doFilter
call results in a ServletException
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |