org.tynamo.security.shiro.authz

Class AuthorizationFilter

java.lang.Object

org.apache.shiro.web.servlet.ServletContextSupport

org.apache.shiro.web.servlet.AbstractFilter

org.apache.shiro.web.servlet.NameableFilter

org.apache.shiro.web.servlet.OncePerRequestFilter

org.apache.shiro.web.servlet.AdviceFilter

org.tynamo.security.shiro.AccessControlFilter

org.tynamo.security.shiro.authz.AuthorizationFilter

All Implemented Interfaces:

javax.servlet.Filter, org.apache.shiro.util.Nameable

Direct Known Subclasses:

PermissionsAuthorizationFilter, PortFilter, RolesAuthorizationFilter

public abstract class AuthorizationFilter
extends AccessControlFilter

Superclass for authorization-related filters. If an request is unauthorized, response handling is delegated to the onAccessDenied method, which provides reasonable handling for most applications.

Since:

0.4.0

See Also:

onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse)

Field Summary

Fields inherited from class org.tynamo.security.shiro.AccessControlFilter

GET_METHOD, LOGIN_URL, pathMatcher, POST_METHOD, REDIRECT_TO_SAVED_URL, SUCCESS_URL, TAPESTRY_VERSION, UNAUTHORIZED_URL

Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter

ALREADY_FILTERED_SUFFIX

Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter

filterConfig

Constructor Summary

Constructors

Constructor and Description
AuthorizationFilter(LoginContextService loginContextService)

Method Summary

Methods

Modifier and Type	Method and Description
String	getUnauthorizedUrl() Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).
protected boolean	onAccessDenied(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response) Handles the response when access has been denied.
void	setUnauthorizedUrl(String unauthorizedUrl) Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.

Methods inherited from class org.tynamo.security.shiro.AccessControlFilter

addConfig, getLoginContextService, getLoginUrl, getSubject, getSuccessUrl, isAccessAllowed, isLoginRequest, isRedirectToSavedUrl, onAccessDenied, onPreHandle, preHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setConfig, setLoginUrl, setRedirectToSavedUrl, setSuccessUrl

Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter

afterCompletion, cleanup, doFilterInternal, executeChain, postHandle

Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter

doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter

Methods inherited from class org.apache.shiro.web.servlet.NameableFilter

getName, setName, toStringBuilder

Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter

destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig

Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport

getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

AuthorizationFilter

public AuthorizationFilter(LoginContextService loginContextService)

Method Detail

getUnauthorizedUrl

public String getUnauthorizedUrl()

Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).

The default is null, ensuring default web server behavior. Override this default by calling the setUnauthorizedUrl method with a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.

Overrides:

getUnauthorizedUrl in class AccessControlFilter

Returns:

the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).

setUnauthorizedUrl

public void setUnauthorizedUrl(String unauthorizedUrl)

Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.

If the value is null a raw HttpServletResponse.SC_UNAUTHORIZED response will be issued (401 Unauthorized), retaining default web server behavior.

Unless overridden by calling this method, the default value is null. If desired, you can specify a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.

Overrides:

setUnauthorizedUrl in class AccessControlFilter

Parameters:

unauthorizedUrl - the URL to which users should be redirected if they are denied access to an underlying path or resource, or null to a ensure raw HttpServletResponse.SC_UNAUTHORIZED response is issued (401 Unauthorized).

onAccessDenied

protected boolean onAccessDenied(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response)
                          throws IOException

Handles the response when access has been denied. It behaves as follows:

• If the Subject is unknown^[1]:
  1. The incoming request will be saved and they will be redirected to the login page for authentication (via the AccessControlFilter.saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse) method).
  2. Once successfully authenticated, they will be redirected back to the originally attempted page.
• If the Subject is known:
1. The HTTP HttpServletResponse.SC_UNAUTHORIZED header will be set (401 Unauthorized)
2. If the unauthorizedUrl has been configured, a redirect will be issued to that URL. Otherwise the 401 response is rendered normally

[1]: A Subject is 'known' when subject.getPrincipal() is not null, which implicitly means that the subject is either currently authenticated or they have been remembered via 'remember me' services.

Specified by:

onAccessDenied in class AccessControlFilter

Parameters:

request - the incoming ServletRequest

response - the outgoing ServletResponse

Returns:

false always for this implementation.

Throws:

IOException - if there is any servlet error.