AuthorizationFilter (Tapestry Security 0.4.0 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.tynamo.security.shiro.authz
Class AuthorizationFilter

java.lang.Object
  org.apache.shiro.web.servlet.ServletContextSupport
      org.apache.shiro.web.servlet.AbstractFilter
          org.apache.shiro.web.servlet.NameableFilter
              org.apache.shiro.web.servlet.OncePerRequestFilter
                  org.apache.shiro.web.servlet.AdviceFilter
                      org.tynamo.security.shiro.AccessControlFilter
                          org.tynamo.security.shiro.authz.AuthorizationFilter

All Implemented Interfaces:: javax.servlet.Filter, org.apache.shiro.util.Nameable

Direct Known Subclasses:: PermissionsAuthorizationFilter, RolesAuthorizationFilter

public abstract class AuthorizationFilter
extends AccessControlFilter
extends AccessControlFilter

Superclass for authorization-related filters. If an request is unauthorized, response handling is delegated to the onAccessDenied method, which provides reasonable handling for most applications.

Since:: 0.4.0
See Also:: onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse)

Field Summary

Fields inherited from class org.tynamo.security.shiro.AccessControlFilter
`GET_METHOD, LOGIN_URL, pathMatcher, POST_METHOD, SUCCESS_URL, UNAUTHORIZED_URL`

Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
`ALREADY_FILTERED_SUFFIX`

Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
`filterConfig`

Constructor Summary
`AuthorizationFilter()`

Method Summary
`String`	`getUnauthorizedUrl()` Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or `null` if a raw `HttpServletResponse.SC_UNAUTHORIZED` response should be issued (401 Unauthorized).
`protected boolean`	`onAccessDenied(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)` Handles the response when access has been denied.
`void`	`setUnauthorizedUrl(String unauthorizedUrl)` Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.

Methods inherited from class org.tynamo.security.shiro.AccessControlFilter
`addConfig, getLoginUrl, getSubject, getSuccessUrl, isAccessAllowed, isLoginRequest, onAccessDenied, onPreHandle, preHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setConfig, setLoginUrl, setSuccessUrl`

Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter
`afterCompletion, cleanup, doFilterInternal, executeChain, postHandle`

Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
`doFilter, getAlreadyFilteredAttributeName, shouldNotFilter`

Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
`getName, setName, toStringBuilder`

Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
`destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig`

Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
`getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait`

Constructor Detail

AuthorizationFilter

public AuthorizationFilter()

Method Detail

getUnauthorizedUrl

public String getUnauthorizedUrl()

Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).

The default is null, ensuring default web server behavior. Override this default by calling the setUnauthorizedUrl method with a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.

Overrides:: getUnauthorizedUrl in class AccessControlFilter

Returns:: the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).

setUnauthorizedUrl

public void setUnauthorizedUrl(String unauthorizedUrl)

Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.

If the value is null a raw HttpServletResponse.SC_UNAUTHORIZED response will be issued (401 Unauthorized), retaining default web server behavior.

Unless overridden by calling this method, the default value is null. If desired, you can specify a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.

Overrides:: setUnauthorizedUrl in class AccessControlFilter

Parameters:: unauthorizedUrl - the URL to which users should be redirected if they are denied access to an underlying path or resource, or null to a ensure raw HttpServletResponse.SC_UNAUTHORIZED response is issued (401 Unauthorized).

onAccessDenied

protected boolean onAccessDenied(javax.servlet.ServletRequest request,
                                 javax.servlet.ServletResponse response)
                          throws IOException

Handles the response when access has been denied. It behaves as follows:

If the Subject is unknown^[1]:
1. The incoming request will be saved and they will be redirected to the login page for authentication (via the AccessControlFilter.saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse) method).
2. Once successfully authenticated, they will be redirected back to the originally attempted page.
If the Subject is known:

The HTTP HttpServletResponse.SC_UNAUTHORIZED header will be set (401 Unauthorized)
If the unauthorizedUrl has been configured, a redirect will be issued to that URL. Otherwise the 401 response is rendered normally

[1]: A Subject is 'known' when subject.getPrincipal() is not null, which implicitly means that the subject is either currently authenticated or they have been remembered via 'remember me' services.

Specified by:: onAccessDenied in class AccessControlFilter

Parameters:: request - the incoming ServletRequest; response - the outgoing ServletResponse
Returns:: false always for this implementation.
Throws:: IOException - if there is any servlet error.