public abstract class AbstractShiroFilter extends OncePerRequestFilter
init() method implementation. That implementation should make available any constructed SecurityManager and FilterChainResolver by calling the setSecurityManager(org.apache.shiro.web.mgt.WebSecurityManager) and setFilterChainResolver(org.apache.shiro.web.filter.mgt.FilterChainResolver) methods respectively.
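An added example, not taken from the Shiro documentation or code base: a hypothetical subclass that follows the contract above by publishing its SecurityManager and FilterChainResolver from init(). The class name, the classpath:shiro-users.ini resource and the URL patterns are assumptions made for illustration.

```java
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.AbstractShiroFilter;

/** Hypothetical subclass (added example): builds the Shiro environment in init(). */
public class ProgrammaticShiroFilter extends AbstractShiroFilter {

    @Override
    public void init() throws Exception {
        // Assumed resource: an INI file on the classpath with [users] and [roles].
        IniRealm realm = new IniRealm("classpath:shiro-users.ini");

        // Hand the SecurityManager to the base class. It is bound to static
        // memory (SecurityUtils) only if staticSecurityManagerEnabled is true,
        // which is not the default.
        setSecurityManager(new DefaultWebSecurityManager(realm));

        // Passing the FilterConfig lets the manager initialize Shiro's default
        // filters (anon, authc, roles, ...) against this servlet context.
        DefaultFilterChainManager chains =
                new DefaultFilterChainManager(getFilterConfig());

        // Chains are matched in definition order and the first match wins,
        // so specific patterns come first and the catch-all comes last.
        chains.createChain("/public/**", "anon");
        chains.createChain("/admin/**", "authc, roles[admin]");
        // Without this catch-all, a request that matches no chain runs the
        // container's original FilterChain with no Shiro filters in front.
        chains.createChain("/**", "authc");

        PathMatchingFilterChainResolver resolver =
                new PathMatchingFilterChainResolver();
        resolver.setFilterChainManager(chains);
        setFilterChainResolver(resolver);
    }
}
```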
SecurityManager instance enabled by this filter will not be enabled in static memory via the SecurityUtils.setSecurityManager method. Instead, it is expected that Subject instances will always be constructed on a request-processing thread via instances of this Filter class.
However, if you need to construct Subject instances on separate (non request-processing) threads, it might be easiest to enable the SecurityManager to be available in static memory via the SecurityUtils.getSecurityManager() method. You can do this by additionally specifying an init-param:

```xml
<filter>
    ... other config here ...
    <init-param>
        <param-name>staticSecurityManagerEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
```

See the Shiro Subject documentation for more information on whether you would do this, particularly the sections on the Subject.Builder and Thread Association.

Inherited fields: ALREADY_FILTERED_SUFFIX, filterConfig
Modifier | Constructor and Description |
---|---|
protected | AbstractShiroFilter() |
Modifier and Type | Method and Description |
---|---|
protected WebSecurityManager | createDefaultSecurityManager() |
protected WebSubject | createSubject(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response): Creates a WebSubject instance to associate with the incoming request/response pair which will be used throughout the request/response execution. |
protected void | doFilterInternal(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain): doFilterInternal implementation that sets-up, executes, and cleans-up a Shiro-filtered request. |
protected void | executeChain(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain origChain): Executes a FilterChain for the given request. |
protected javax.servlet.FilterChain | getExecutionChain(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain origChain): Returns the FilterChain to execute for the given request. |
FilterChainResolver | getFilterChainResolver() |
WebSecurityManager | getSecurityManager() |
void | init() |
protected boolean | isHttpSessions() |
boolean | isStaticSecurityManagerEnabled(): Returns true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise. |
protected void | onFilterConfigSet(): Template method to be overridden by subclasses to perform initialization logic at start-up. |
protected javax.servlet.ServletRequest | prepareServletRequest(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain): Prepares the ServletRequest instance that will be passed to the FilterChain for request processing. |
protected javax.servlet.ServletResponse | prepareServletResponse(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain): Prepares the ServletResponse instance that will be passed to the FilterChain for request processing. |
void | setFilterChainResolver(FilterChainResolver filterChainResolver) |
void | setSecurityManager(WebSecurityManager sm) |
void | setStaticSecurityManagerEnabled(boolean staticSecurityManagerEnabled): Sets if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager). |
protected void | updateSessionLastAccessTime(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response): Updates any 'native' Session's last access time that might exist to the timestamp when this method is called. |
protected javax.servlet.ServletRequest | wrapServletRequest(javax.servlet.http.HttpServletRequest orig): Wraps the original HttpServletRequest in a ShiroHttpServletRequest, which is required for supporting Servlet Specification behavior backed by a Subject instance. |
protected javax.servlet.ServletResponse | wrapServletResponse(javax.servlet.http.HttpServletResponse orig, ShiroHttpServletRequest request): Returns a new ShiroHttpServletResponse instance, wrapping the orig argument, in order to provide correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not Servlet Container HTTP-based sessions). |
Methods inherited from superclasses:
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter
getName, setName, toStringBuilder
destroy, getFilterConfig, getInitParam, init, setFilterConfig
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
protected AbstractShiroFilter()
public WebSecurityManager getSecurityManager()
public void setSecurityManager(WebSecurityManager sm)
public FilterChainResolver getFilterChainResolver()
public void setFilterChainResolver(FilterChainResolver filterChainResolver)
public boolean isStaticSecurityManagerEnabled()
Returns true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise.
The default value is false.
Returns: true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise.
public void setStaticSecurityManagerEnabled(boolean staticSecurityManagerEnabled)
Sets if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager).
The default value is false.
Parameters:
staticSecurityManagerEnabled - if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager).
protected final void onFilterConfigSet() throws Exception
Description copied from class: AbstractFilter
Template method to be overridden by subclasses to perform initialization logic at start-up. ServletContext and FilterConfig will be accessible (and non-null) at the time this method is invoked via the getServletContext() and getFilterConfig() methods respectively.
init-param values may be conveniently obtained via the AbstractFilter.getInitParam(String) method.
Overrides: onFilterConfigSet in class AbstractFilter
Throws:
Exception - if the subclass has an error upon initialization.
protected WebSecurityManager createDefaultSecurityManager()
protected boolean isHttpSessions()
protected javax.servlet.ServletRequest wrapServletRequest(javax.servlet.http.HttpServletRequest orig)
Wraps the original HttpServletRequest in a ShiroHttpServletRequest, which is required for supporting Servlet Specification behavior backed by a Subject instance.
Parameters:
orig - the original Servlet Container-provided incoming HttpServletRequest instance.
Returns: ShiroHttpServletRequest instance wrapping the original.
protected javax.servlet.ServletRequest prepareServletRequest(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
Prepares the ServletRequest instance that will be passed to the FilterChain for request processing.
If the ServletRequest is an instance of HttpServletRequest, the value returned from this method is obtained by calling wrapServletRequest(javax.servlet.http.HttpServletRequest) to allow Shiro-specific HTTP behavior, otherwise the original ServletRequest argument is returned.
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
chain - the Servlet Container provided FilterChain that will receive the returned request.
Returns: the ServletRequest instance that will be passed to the FilterChain for request processing.
protected javax.servlet.ServletResponse wrapServletResponse(javax.servlet.http.HttpServletResponse orig, ShiroHttpServletRequest request)
Returns a new ShiroHttpServletResponse instance, wrapping the orig argument, in order to provide correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not Servlet Container HTTP-based sessions).
Parameters:
orig - the original HttpServletResponse instance provided by the Servlet Container.
request - the ShiroHttpServletRequest instance wrapping the original request.
FilterChain execution.
protected javax.servlet.ServletResponse prepareServletResponse(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
Prepares the ServletResponse instance that will be passed to the FilterChain for request processing.
This implementation delegates to wrapServletRequest(javax.servlet.http.HttpServletRequest) only if Shiro-based sessions are enabled (that is, !isHttpSessions()) and the request instance is a ShiroHttpServletRequest. This ensures that any URL rewriting that occurs is handled correctly using the Shiro-managed Session's sessionId and not a servlet container session ID.
If HTTP-based sessions are enabled (the default), then this method does nothing and just returns the ServletResponse argument as-is, relying on the default Servlet Container URL rewriting logic.
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
chain - the Servlet Container provided FilterChain that will receive the returned request.
Returns: the ServletResponse instance that will be passed to the FilterChain during request processing.
protected WebSubject createSubject(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
Creates a WebSubject instance to associate with the incoming request/response pair which will be used throughout the request/response execution.
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Returns: the WebSubject instance to associate with the request/response execution
protected void updateSessionLastAccessTime(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
Updates any 'native' Session's last access time that might exist to the timestamp when this method is called.
subject.getSession(false) == null), this method does nothing.
This method implementation merely calls Session.touch() on the session.
Parameters:
request - incoming request - ignored, but available to subclasses that might wish to override this method
response - outgoing response - ignored, but available to subclasses that might wish to override this method
protected void doFilterInternal(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain) throws javax.servlet.ServletException, IOException
doFilterInternal implementation that sets-up, executes, and cleans-up a Shiro-filtered request. It performs the following ordered operations:
1. Prepares the incoming ServletRequest for use during Shiro's processing
2. Prepares the outgoing ServletResponse for use during Shiro's processing
3. Creates a Subject instance based on the specified request/response pair.
4. Executes the updateSessionLastAccessTime(javax.servlet.ServletRequest, javax.servlet.ServletResponse) and executeChain(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) methods
The Subject.execute(Runnable) call in step #4 is used as an implementation technique to guarantee proper thread binding and restoration is completed successfully.
Overrides: doFilterInternal in class OncePerRequestFilter
Parameters:
servletRequest - the incoming ServletRequest
servletResponse - the outgoing ServletResponse
chain - the container-provided FilterChain to execute
Throws:
IOException - if an IO error occurs
javax.servlet.ServletException - if a Throwable other than an IOException
protected javax.servlet.FilterChain getExecutionChain(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain origChain)
Returns the FilterChain to execute for the given request.
The origChain argument is the original FilterChain supplied by the Servlet Container, but it may be modified to provide more behavior by pre-pending further chains according to the Shiro configuration.
This implementation returns the chain that will actually be executed by acquiring the chain from a filterChainResolver. The resolver determines exactly which chain to execute, typically based on URL configuration. If no chain is returned from the resolver call (returns null), then the origChain will be returned by default.
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
origChain - the original FilterChain provided by the Servlet Container
Returns: the FilterChain to execute for the given request
protected void executeChain(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain origChain) throws IOException, javax.servlet.ServletException
Executes a FilterChain for the given request.
This implementation first delegates to getExecutionChain to allow the application's Shiro configuration to determine exactly how the chain should execute. The resulting value from that call is then executed directly by calling the returned FilterChain's doFilter method. That is:

```java
FilterChain chain = getExecutionChain(request, response, origChain);
chain.doFilter(request, response);
```

Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
origChain - the Servlet Container-provided chain that may be wrapped further by an application-configured chain of Filters.
Throws:
IOException - if the underlying chain.doFilter call results in an IOException
javax.servlet.ServletException - if the underlying chain.doFilter call results in a ServletException

Copyright © 2004–2019 The Apache Software Foundation. All rights reserved.