public abstract class AuthorizationFilter extends AccessControlFilter
onAccessDenied method, which provides reasonable handling for most applications.
See Also: onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD
appliedPaths, pathMatcher
ALREADY_FILTERED_SUFFIX
filterConfig
Constructor and Description |
---|
AuthorizationFilter() |
Modifier and Type | Method and Description |
---|---|
String | getUnauthorizedUrl() Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized). |
protected boolean | onAccessDenied(ServletRequest request, ServletResponse response) Handles the response when access has been denied. |
void | setUnauthorizedUrl(String unauthorizedUrl) Sets the URL to which users should be redirected if they are denied access to an underlying path or resource. |
getLoginUrl, getSubject, isAccessAllowed, isLoginRequest, onAccessDenied, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl
getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig
afterCompletion, cleanup, doFilterInternal, executeChain, postHandle
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter
getName, setName, toStringBuilder
destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
public AuthorizationFilter()

public String getUnauthorizedUrl()
Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).
The default is null, ensuring default web server behavior. Override this default by calling the setUnauthorizedUrl method with a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.
Returns: the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).

public void setUnauthorizedUrl(String unauthorizedUrl)
Sets the URL to which users should be redirected if they are denied access to an underlying path or resource. If the value is null, a raw HttpServletResponse.SC_UNAUTHORIZED response will be issued (401 Unauthorized), retaining default web server behavior.
Unless overridden by calling this method, the default value is null. If desired, you can specify a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.
Parameters: unauthorizedUrl - the URL to which users should be redirected if they are denied access to an underlying path or resource, or null to ensure a raw HttpServletResponse.SC_UNAUTHORIZED response is issued (401 Unauthorized).

protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException
Handles the response when access has been denied. It behaves as follows:
- If the Subject is unknown[1]: the incoming request is saved and the user is redirected to the login page (via the AccessControlFilter.saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse) method).
- If the Subject is known: the HttpServletResponse.SC_UNAUTHORIZED header will be set (401 Unauthorized). If the unauthorizedUrl has been configured, a redirect will be issued to that URL. Otherwise the 401 response is rendered normally.
[1]: A Subject is 'known' when subject.getPrincipal() is not null, which implicitly means that the subject is either currently authenticated or they have been remembered via 'remember me' services.
Overrides: onAccessDenied in class AccessControlFilter
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Returns: false always for this implementation.
Throws: IOException - if there is any servlet error.

Copyright © 2004–2020 The Apache Software Foundation. All rights reserved.
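
An added example (not part of the Shiro Javadoc or code base) of a concrete subclass: it supplies only the isAccessAllowed decision and leaves denial handling to the inherited onAccessDenied described above, and it rejects an unauthorizedUrl that is not a path within the application. The package, class name, permission strings, paths and the fail-closed choice are assumptions of this example.

```java
package com.example; // hypothetical package

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

// Assumed shiro.ini wiring for this example:
//   [main]
//   reportPerms = com.example.RequiredPermissionsFilter
//   reportPerms.unauthorizedUrl = /unauthorized.jsp
//   [urls]
//   /reports/** = reportPerms[report:read, report:export]
public class RequiredPermissionsFilter extends AuthorizationFilter {

    // Returning false hands the request to the inherited onAccessDenied(), which
    // chooses between the login redirect, the unauthorizedUrl redirect and a 401
    // depending on whether subject.getPrincipal() is null.
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        String[] required = (String[]) mappedValue; // values inside [...] in the path config
        if (required == null || required.length == 0) {
            // Fail closed (a choice made for this example): a path mapped to this
            // filter without any permission is treated as a configuration mistake.
            return false;
        }
        Subject subject = getSubject(request, response);
        return subject.isPermittedAll(required);
    }

    // Enforces the "path within your application" advice: absolute and
    // scheme-relative URLs are rejected when the filter is configured.
    @Override
    public void setUnauthorizedUrl(String unauthorizedUrl) {
        if (unauthorizedUrl != null
                && (!unauthorizedUrl.startsWith("/") || unauthorizedUrl.startsWith("//"))) {
            throw new IllegalArgumentException(
                    "unauthorizedUrl must be a path within the application: " + unauthorizedUrl);
        }
        super.setUnauthorizedUrl(unauthorizedUrl);
    }
}
```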