Package org.apache.shiro.web.servlet
Class AbstractShiroFilter
- java.lang.Object
  - org.apache.shiro.web.servlet.ServletContextSupport
    - org.apache.shiro.web.servlet.AbstractFilter
      - org.apache.shiro.web.servlet.NameableFilter
        - org.apache.shiro.web.servlet.OncePerRequestFilter
          - org.apache.shiro.web.servlet.AbstractShiroFilter
- Direct Known Subclasses: GuiceShiroFilter, IniShiroFilter, ShiroFilter

public abstract class AbstractShiroFilter extends OncePerRequestFilter

Abstract base class that provides all standard Shiro request filtering behavior and expects subclasses to implement configuration-specific logic (INI, XML, .properties, etc). Subclasses should perform configuration and construction logic in an overridden init() method implementation. That implementation should make available any constructed SecurityManager and FilterChainResolver by calling the setSecurityManager(org.apache.shiro.web.mgt.WebSecurityManager) and setFilterChainResolver(org.apache.shiro.web.filter.mgt.FilterChainResolver) methods respectively.

Static SecurityManager

By default the SecurityManager instance enabled by this filter will not be enabled in static memory via the SecurityUtils.setSecurityManager method. Instead, it is expected that Subject instances will always be constructed on a request-processing thread via instances of this Filter class.

However, if you need to construct Subject instances on separate (non request-processing) threads, it might be easiest to enable the SecurityManager to be available in static memory via the SecurityUtils.getSecurityManager() method. You can do this by additionally specifying an init-param:

    <filter>
        ... other config here ...
        <init-param>
            <param-name>staticSecurityManagerEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

See the Shiro Subject documentation for more information on whether you would do this, particularly the sections on the Subject.Builder and Thread Association.

- Since: 1.0
- See Also: Subject documentation
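
The subclass contract described above, shown as an added example (not code from the Shiro project). The class name, the realm file `classpath:example-users.ini` and the URL patterns are assumptions chosen for illustration.

```java
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.web.filter.mgt.FilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.AbstractShiroFilter;

/** Hypothetical subclass: builds its configuration in code instead of INI/XML. */
public class ProgrammaticShiroFilter extends AbstractShiroFilter {

    @Override
    public void init() throws Exception {
        // Assumed realm source: an INI file on the classpath with [users]/[roles].
        IniRealm realm = new IniRealm("classpath:example-users.ini");
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(realm);

        // Passing the FilterConfig lets the resolver initialize Shiro's default
        // filters (anon, authc, roles, ...) for this web application.
        PathMatchingFilterChainResolver resolver =
                new PathMatchingFilterChainResolver(getFilterConfig());
        FilterChainManager chains = resolver.getFilterChainManager();

        // Chains are tried in creation order; the first matching pattern wins,
        // so specific patterns go before the catch-all.
        chains.createChain("/login", "anon");
        chains.createChain("/admin/**", "authc, roles[admin]");

        // Catch-all. Without it, a path that matches no chain makes the resolver
        // return null, getExecutionChain() falls back to the container's original
        // chain, and no Shiro access-control filter runs for that request.
        chains.createChain("/**", "authc");

        // Hand both objects to the base class, as the class description requires.
        setSecurityManager(securityManager);
        setFilterChainResolver(resolver);

        // Keep the default: the SecurityManager is not published through
        // SecurityUtils, so Subjects are built only on request threads.
        setStaticSecurityManagerEnabled(false);
    }
}
```
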

Field Summary

- Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter: ALREADY_FILTERED_SUFFIX
- Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter: filterConfig

Constructor Summary

| Modifier | Constructor | Description |
|---|---|---|
| protected | AbstractShiroFilter() | |

Method Summary

| Modifier and Type | Method | Description |
|---|---|---|
| protected WebSecurityManager | createDefaultSecurityManager() | |
| protected WebSubject | createSubject(ServletRequest request, ServletResponse response) | Creates a WebSubject instance to associate with the incoming request/response pair which will be used throughout the request/response execution. |
| protected void | doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) | doFilterInternal implementation that sets-up, executes, and cleans-up a Shiro-filtered request. |
| protected void | executeChain(ServletRequest request, ServletResponse response, FilterChain origChain) | Executes a FilterChain for the given request. |
| protected FilterChain | getExecutionChain(ServletRequest request, ServletResponse response, FilterChain origChain) | Returns the FilterChain to execute for the given request. |
| FilterChainResolver | getFilterChainResolver() | |
| WebSecurityManager | getSecurityManager() | |
| void | init() | |
| protected boolean | isHttpSessions() | |
| boolean | isStaticSecurityManagerEnabled() | Returns true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise. |
| protected void | onFilterConfigSet() | Template method to be overridden by subclasses to perform initialization logic at start-up. |
| protected ServletRequest | prepareServletRequest(ServletRequest request, ServletResponse response, FilterChain chain) | Prepares the ServletRequest instance that will be passed to the FilterChain for request processing. |
| protected ServletResponse | prepareServletResponse(ServletRequest request, ServletResponse response, FilterChain chain) | Prepares the ServletResponse instance that will be passed to the FilterChain for request processing. |
| void | setFilterChainResolver(FilterChainResolver filterChainResolver) | |
| void | setSecurityManager(WebSecurityManager sm) | |
| void | setStaticSecurityManagerEnabled(boolean staticSecurityManagerEnabled) | Sets if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager). |
| protected void | updateSessionLastAccessTime(ServletRequest request, ServletResponse response) | Updates any 'native' Session's last access time that might exist to the timestamp when this method is called. |
| protected ServletRequest | wrapServletRequest(HttpServletRequest orig) | Wraps the original HttpServletRequest in a ShiroHttpServletRequest, which is required for supporting Servlet Specification behavior backed by a Subject instance. |
| protected ServletResponse | wrapServletResponse(HttpServletResponse orig, ShiroHttpServletRequest request) | Returns a new ShiroHttpServletResponse instance, wrapping the orig argument, in order to provide correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not Servlet Container HTTP-based sessions). |

- Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter: doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter
- Methods inherited from class org.apache.shiro.web.servlet.NameableFilter: getName, setName, toStringBuilder
- Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter: destroy, getFilterConfig, getInitParam, init, setFilterConfig
- Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport: getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString

Constructor Detail

AbstractShiroFilter
protected AbstractShiroFilter()

Method Detail

getSecurityManager
public WebSecurityManager getSecurityManager()

setSecurityManager
public void setSecurityManager(WebSecurityManager sm)

getFilterChainResolver
public FilterChainResolver getFilterChainResolver()

setFilterChainResolver
public void setFilterChainResolver(FilterChainResolver filterChainResolver)

isStaticSecurityManagerEnabled
public boolean isStaticSecurityManagerEnabled()
Returns true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise. The default value is false.
- Returns: true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise.
- Since: 1.2
- See Also: SHIRO-287

setStaticSecurityManagerEnabled
public void setStaticSecurityManagerEnabled(boolean staticSecurityManagerEnabled)
Sets if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager). The default value is false.
- Parameters:
  staticSecurityManagerEnabled - if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager).
- Since: 1.2
- See Also: SHIRO-287
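
An alternative to enabling the static binding, using the Subject.Builder and thread association that the class description points to. This is an added example, not code from the Shiro project; the class name and the use of an ExecutorService are assumptions, and the SecurityManager passed in is assumed to be the one obtained from this filter's getSecurityManager().

```java
import java.util.concurrent.ExecutorService;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper: runs work under a Subject on a non-request thread. */
public final class BackgroundSubjectRunner {

    private final SecurityManager securityManager;
    private final ExecutorService executor;

    // The SecurityManager is injected explicitly instead of being read from
    // SecurityUtils.getSecurityManager(), so staticSecurityManagerEnabled can
    // stay at its default of false.
    public BackgroundSubjectRunner(SecurityManager securityManager,
                                   ExecutorService executor) {
        this.securityManager = securityManager;
        this.executor = executor;
    }

    public void submit(Runnable task) {
        // Builds an anonymous Subject against the given SecurityManager. Use the
        // builder's principals(...) or sessionId(...) to act as a known identity.
        Subject subject = new Subject.Builder(securityManager).buildSubject();

        // associateWith() wraps the task so the Subject is bound to the worker
        // thread while the task runs and the prior thread state is restored
        // afterwards. Inside the task, SecurityUtils.getSubject() returns it.
        executor.execute(subject.associateWith(task));
    }
}
```
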

onFilterConfigSet
protected final void onFilterConfigSet() throws Exception
Description copied from class: AbstractFilter
Template method to be overridden by subclasses to perform initialization logic at start-up. The ServletContext and FilterConfig will be accessible (and non-null) at the time this method is invoked via the getServletContext() and getFilterConfig() methods respectively.
init-param values may be conveniently obtained via the AbstractFilter.getInitParam(String) method.
- Overrides: onFilterConfigSet in class AbstractFilter
- Throws:
  Exception - if the subclass has an error upon initialization.

createDefaultSecurityManager
protected WebSecurityManager createDefaultSecurityManager()

isHttpSessions
protected boolean isHttpSessions()

wrapServletRequest
protected ServletRequest wrapServletRequest(HttpServletRequest orig)
Wraps the original HttpServletRequest in a ShiroHttpServletRequest, which is required for supporting Servlet Specification behavior backed by a Subject instance.
- Parameters:
  orig - the original Servlet Container-provided incoming HttpServletRequest instance.
- Returns: ShiroHttpServletRequest instance wrapping the original.
- Since: 1.0

prepareServletRequest
protected ServletRequest prepareServletRequest(ServletRequest request, ServletResponse response, FilterChain chain)
Prepares the ServletRequest instance that will be passed to the FilterChain for request processing.
If the ServletRequest is an instance of HttpServletRequest, the value returned from this method is obtained by calling wrapServletRequest(javax.servlet.http.HttpServletRequest) to allow Shiro-specific HTTP behavior, otherwise the original ServletRequest argument is returned.
- Parameters:
  request - the incoming ServletRequest
  response - the outgoing ServletResponse
  chain - the Servlet Container provided FilterChain that will receive the returned request.
- Returns: the ServletRequest instance that will be passed to the FilterChain for request processing.
- Since: 1.0

wrapServletResponse
protected ServletResponse wrapServletResponse(HttpServletResponse orig, ShiroHttpServletRequest request)
Returns a new ShiroHttpServletResponse instance, wrapping the orig argument, in order to provide correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not Servlet Container HTTP-based sessions).
- Parameters:
  orig - the original HttpServletResponse instance provided by the Servlet Container.
  request - the ShiroHttpServletRequest instance wrapping the original request.
- Returns: the wrapped ServletResponse instance to use during FilterChain execution.
- Since: 1.0

prepareServletResponse
protected ServletResponse prepareServletResponse(ServletRequest request, ServletResponse response, FilterChain chain)
Prepares the ServletResponse instance that will be passed to the FilterChain for request processing.
This implementation delegates to wrapServletRequest(javax.servlet.http.HttpServletRequest) only if Shiro-based sessions are enabled (that is, !isHttpSessions()) and the request instance is a ShiroHttpServletRequest. This ensures that any URL rewriting that occurs is handled correctly using the Shiro-managed Session's sessionId and not a servlet container session ID.
If HTTP-based sessions are enabled (the default), then this method does nothing and just returns the ServletResponse argument as-is, relying on the default Servlet Container URL rewriting logic.
- Parameters:
  request - the incoming ServletRequest
  response - the outgoing ServletResponse
  chain - the Servlet Container provided FilterChain that will receive the returned request.
- Returns: the ServletResponse instance that will be passed to the FilterChain during request processing.
- Since: 1.0

createSubject
protected WebSubject createSubject(ServletRequest request, ServletResponse response)
Creates a WebSubject instance to associate with the incoming request/response pair which will be used throughout the request/response execution.
- Parameters:
  request - the incoming ServletRequest
  response - the outgoing ServletResponse
- Returns: the WebSubject instance to associate with the request/response execution
- Since: 1.0

updateSessionLastAccessTime
protected void updateSessionLastAccessTime(ServletRequest request, ServletResponse response)
Updates any 'native' Session's last access time that might exist to the timestamp when this method is called. If native sessions are not enabled (that is, standard Servlet container sessions are being used) or there is no session (subject.getSession(false) == null), this method does nothing.
This method implementation merely calls Session.touch() on the session.
- Parameters:
  request - incoming request - ignored, but available to subclasses that might wish to override this method
  response - outgoing response - ignored, but available to subclasses that might wish to override this method
- Since: 1.0

doFilterInternal
protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws ServletException, IOException
doFilterInternal implementation that sets-up, executes, and cleans-up a Shiro-filtered request. It performs the following ordered operations:
1. Prepares the incoming ServletRequest for use during Shiro's processing
2. Prepares the outgoing ServletResponse for use during Shiro's processing
3. Creates a Subject instance based on the specified request/response pair.
4. Finally executes the updateSessionLastAccessTime(javax.servlet.ServletRequest, javax.servlet.ServletResponse) and executeChain(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) methods

The Subject.execute(Runnable) call in step #4 is used as an implementation technique to guarantee proper thread binding and restoration is completed successfully.
- Specified by: doFilterInternal in class OncePerRequestFilter
- Parameters:
  servletRequest - the incoming ServletRequest
  servletResponse - the outgoing ServletResponse
  chain - the container-provided FilterChain to execute
- Throws:
  IOException - if an IO error occurs
  ServletException - if a Throwable other than an IOException

getExecutionChain
protected FilterChain getExecutionChain(ServletRequest request, ServletResponse response, FilterChain origChain)
Returns the FilterChain to execute for the given request.
The origChain argument is the original FilterChain supplied by the Servlet Container, but it may be modified to provide more behavior by pre-pending further chains according to the Shiro configuration.
This implementation returns the chain that will actually be executed by acquiring the chain from a filterChainResolver. The resolver determines exactly which chain to execute, typically based on URL configuration. If no chain is returned from the resolver call (returns null), then the origChain will be returned by default.
- Parameters:
  request - the incoming ServletRequest
  response - the outgoing ServletResponse
  origChain - the original FilterChain provided by the Servlet Container
- Returns: the FilterChain to execute for the given request
- Since: 1.0

executeChain
protected void executeChain(ServletRequest request, ServletResponse response, FilterChain origChain) throws IOException, ServletException
Executes a FilterChain for the given request.
This implementation first delegates to getExecutionChain to allow the application's Shiro configuration to determine exactly how the chain should execute. The resulting value from that call is then executed directly by calling the returned FilterChain's doFilter method. That is:

    FilterChain chain = getExecutionChain(request, response, origChain);
    chain.doFilter(request, response);

- Parameters:
  request - the incoming ServletRequest
  response - the outgoing ServletResponse
  origChain - the Servlet Container-provided chain that may be wrapped further by an application-configured chain of Filters.
- Throws:
  IOException - if the underlying chain.doFilter call results in an IOException
  ServletException - if the underlying chain.doFilter call results in a ServletException
- Since: 1.0