001    /*
002     * Licensed to the Apache Software Foundation (ASF) under one
003     * or more contributor license agreements.  See the NOTICE file
004     * distributed with this work for additional information
005     * regarding copyright ownership.  The ASF licenses this file
006     * to you under the Apache License, Version 2.0 (the
007     * "License"); you may not use this file except in compliance
008     * with the License.  You may obtain a copy of the License at
009     *
010     *     http://www.apache.org/licenses/LICENSE-2.0
011     *
012     * Unless required by applicable law or agreed to in writing,
013     * software distributed under the License is distributed on an
014     * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015     * KIND, either express or implied.  See the License for the
016     * specific language governing permissions and limitations
017     * under the License.
018     */
019    package org.tynamo.security.shiro.authc;
020    
021    import javax.servlet.ServletRequest;
022    import javax.servlet.ServletResponse;
023    
024    import org.apache.shiro.subject.Subject;
025    import org.tynamo.security.shiro.AccessControlFilter;
026    
027    /**
028     * Filter that allows access to resources if the accessor is a known user, which is defined as
029     * having a known principal.  This means that any user who is authenticated or remembered via a
030     * 'remember me' feature will be allowed access from this filter.
031     * <p/>
032     * If the accessor is not a known user, then they will be redirected to the {@link #setLoginUrl(String) loginUrl}</p>
033     *
034     * @since 0.4.0
035     */
036    public class UserFilter extends AccessControlFilter {
037    
038        /**
039         * Returns <code>true</code> if the request is a
040         * {@link #isLoginRequest(javax.servlet.ServletRequest, javax.servlet.ServletResponse) loginRequest} or
041         * if the current {@link #getSubject(javax.servlet.ServletRequest, javax.servlet.ServletResponse) subject}
042         * is not <code>null</code>, <code>false</code> otherwise.
043         *
044         * @return <code>true</code> if the request is a
045         * {@link #isLoginRequest(javax.servlet.ServletRequest, javax.servlet.ServletResponse) loginRequest} or
046         * if the current {@link #getSubject(javax.servlet.ServletRequest, javax.servlet.ServletResponse) subject}
047         * is not <code>null</code>, <code>false</code> otherwise.
048         */
049        protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
050            if (isLoginRequest(request, response)) {
051                return true;
052            } else {
053                Subject subject = getSubject(request, response);
054                // If principal is not null, then the user is known and should be allowed access.
055                return subject.getPrincipal() != null;
056            }
057        }
058    
059        /**
060         * This default implementation simply calls
061         * {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse) saveRequestAndRedirectToLogin}
062         * and then immediately returns <code>false</code>, thereby preventing the chain from continuing so the redirect may
063         * execute.
064         */
065        protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
066            saveRequestAndRedirectToLogin(request, response);
067            return false;
068        }
069    }