Class AccessControlFilter

java.lang.Object
org.apache.shiro.web.servlet.ServletContextSupport
org.apache.shiro.web.servlet.AbstractFilter
org.apache.shiro.web.servlet.NameableFilter
org.apache.shiro.web.servlet.OncePerRequestFilter
org.apache.shiro.web.servlet.AdviceFilter
org.tynamo.security.shiro.AccessControlFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.apache.shiro.lang.util.Nameable
Direct Known Subclasses:
AuthenticationFilter, AuthorizationFilter, UserFilter

public abstract class AccessControlFilter extends org.apache.shiro.web.servlet.AdviceFilter
Superclass for any filter that controls access to a resource and may redirect the user to the login page if they are not authenticated. This superclass provides the method saveRequestAndRedirectToLogin(jakarta.servlet.ServletRequest, jakarta.servlet.ServletResponse), which many subclasses use as the behavior when a user is unauthenticated. This class and the subclasses that are used as Shiro's built-in filters were copied from Shiro 1.1.0 and modified locally to implement the same behavior as specified in https://issues.apache.org/jira/browse/SHIRO-256. We'll revert to using Shiro's filters if the feature gets implemented in Shiro 2.x.
Since:
0.4.0
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    GET_METHOD
    Constant representing the HTTP 'GET' request method, equal to GET.
    static String
    LOGIN_URL
    protected org.apache.shiro.util.PatternMatcher
    pathMatcher
    static final String
    POST_METHOD
    Constant representing the HTTP 'POST' request method, equal to POST.
    static boolean
    REDIRECT_TO_SAVED_URL
    static String
    SUCCESS_URL
    static String
    TAPESTRY_VERSION
    static String
    UNAUTHORIZED_URL

    Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter

    ALREADY_FILTERED_SUFFIX

    Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter

    filterConfig
  • Constructor Summary

    Constructors
    Constructor
    Description
     
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    addConfig(String config)
    protected LoginContextService
    getLoginContextService()
    String
    getLoginUrl()
    Returns the login URL used to authenticate a user.
    protected org.apache.shiro.subject.Subject
    getSubject(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response)
    Convenience method that acquires the Subject associated with the request.
    String
    getSuccessUrl()
    Returns the success url to use as the default location a user is sent after logging in.
    String
    getUnauthorizedUrl()
    protected abstract boolean
    isAccessAllowed(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, Object mappedValue)
    Returns true if the request is allowed to proceed through the filter normally, or false if the request should be handled by the onAccessDenied(request,response,mappedValue) method instead.
    protected boolean
    isLoginRequest(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response)
    Returns true if the incoming request is a login request, false otherwise.
    boolean
    isRedirectToSavedUrl()
    protected abstract boolean
    onAccessDenied(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response)
    Processes requests where the subject was denied access as determined by the isAccessAllowed method.
    protected boolean
    onAccessDenied(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, Object mappedValue)
    Processes requests where the subject was denied access as determined by the isAccessAllowed method, retaining the mappedValue that was used during configuration.
    boolean
    onPreHandle(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, Object mappedValue)
    Returns true if isAccessAllowed(request,response,mappedValue) returns true; otherwise returns the result of onAccessDenied(request,response,mappedValue).
    protected boolean
    preHandle(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response)
    protected void
    redirectToLogin(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response)
    Convenience method for subclasses that merely acquires the getLoginUrl and redirects the request to that url.
    protected void
    saveRequest(jakarta.servlet.ServletRequest request)
    Convenience method merely delegates to WebUtils.saveRequest(request) to save the request state for reuse later.
    protected void
    saveRequestAndRedirectToLogin(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response)
    Convenience method for subclasses to use when a login redirect is required.
    void
    setConfig(String config)
    void
    setLoginUrl(String loginUrl)
    Sets the login URL used to authenticate a user.
    void
    setRedirectToSavedUrl(boolean redirectToSavedUrl)
    void
    setSuccessUrl(String successUrl)
    Sets the default/fallback success url to use as the default location a user is sent after logging in.
    void
    setUnauthorizedUrl(String unauthorizedUrl)

    Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter

    afterCompletion, cleanup, doFilterInternal, executeChain, postHandle

    Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter

    doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, isFilterOncePerRequest, setEnabled, setFilterOncePerRequest, shouldNotFilter

    Methods inherited from class org.apache.shiro.web.servlet.NameableFilter

    getName, setName, toStringBuilder

    Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter

    destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig

    Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport

    getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
  • Field Details

    • TAPESTRY_VERSION

      public static String TAPESTRY_VERSION
    • LOGIN_URL

      public static String LOGIN_URL
    • SUCCESS_URL

      public static String SUCCESS_URL
    • UNAUTHORIZED_URL

      public static String UNAUTHORIZED_URL
    • REDIRECT_TO_SAVED_URL

      public static boolean REDIRECT_TO_SAVED_URL
    • pathMatcher

      protected org.apache.shiro.util.PatternMatcher pathMatcher
    • GET_METHOD

      public static final String GET_METHOD
      Constant representing the HTTP 'GET' request method, equal to GET.
    • POST_METHOD

      public static final String POST_METHOD
      Constant representing the HTTP 'POST' request method, equal to POST.
  • Constructor Details

  • Method Details

    • addConfig

      public void addConfig(String config)
    • setConfig

      public void setConfig(String config)
    • getSuccessUrl

      public String getSuccessUrl()
      Returns the success url to use as the default location a user is sent after logging in. Typically a redirect after login will redirect to the originally requested URL; this property is provided mainly as a fallback in case the original request URL is not available or not specified.

      The default value is DEFAULT_SUCCESS_URL.
      Returns:
      the success url to use as the default location a user is sent after logging in.
    • setSuccessUrl

      public void setSuccessUrl(String successUrl)
      Sets the default/fallback success url to use as the default location a user is sent after logging in. Typically a redirect after login will redirect to the originally requested URL; this property is provided mainly as a fallback in case the original request URL is not available or not specified.

      The default value is DEFAULT_SUCCESS_URL.
      Parameters:
      successUrl - the success URL to redirect the user to after a successful login.
    • getLoginUrl

      public String getLoginUrl()
      Returns the login URL used to authenticate a user.

      Most Shiro filters use this url as the location to redirect a user when the filter requires authentication. Unless overridden, DEFAULT_LOGIN_URL is assumed; it can be overridden via setLoginUrl.
      Returns:
      the login URL used to authenticate a user, used when redirecting users if authentication is required.
    • setLoginUrl

      public void setLoginUrl(String loginUrl)
      Sets the login URL used to authenticate a user.

      Most Shiro filters use this url as the location to redirect a user when the filter requires authentication. Unless overridden, DEFAULT_LOGIN_URL is assumed.
      Parameters:
      loginUrl - the login URL used to authenticate a user, used when redirecting users if authentication is required.
    • getUnauthorizedUrl

      public String getUnauthorizedUrl()
    • setUnauthorizedUrl

      public void setUnauthorizedUrl(String unauthorizedUrl)
    • getSubject

      protected org.apache.shiro.subject.Subject getSubject(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response)
      Convenience method that acquires the Subject associated with the request.

      The default implementation simply returns SecurityUtils.getSubject().

      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      Returns:
      the Subject associated with the request.
    • isAccessAllowed

      protected abstract boolean isAccessAllowed(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, Object mappedValue) throws Exception
      Returns true if the request is allowed to proceed through the filter normally, or false if the request should be handled by the onAccessDenied(request,response,mappedValue) method instead.
      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings.
      Returns:
      true if the request should proceed through the filter normally, false if the request should be processed by this filter's onAccessDenied(ServletRequest,ServletResponse,Object) method instead.
      Throws:
      Exception - if an error occurs during processing.
    • onAccessDenied

      protected boolean onAccessDenied(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, Object mappedValue) throws Exception
      Processes requests where the subject was denied access as determined by the isAccessAllowed method, retaining the mappedValue that was used during configuration.

      This method immediately delegates to onAccessDenied(ServletRequest,ServletResponse) as a convenience in that most post-denial behavior does not need the mapped config again.

      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      mappedValue - the config specified for the filter in the matching request's filter chain.
      Returns:
      true if the request should continue to be processed; false if the subclass will handle/render the response directly.
      Throws:
      Exception - if there is an error processing the request.
      Since:
      1.0
    • onAccessDenied

      protected abstract boolean onAccessDenied(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response) throws Exception
      Processes requests where the subject was denied access as determined by the isAccessAllowed method.
      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      Returns:
      true if the request should continue to be processed; false if the subclass will handle/render the response directly.
      Throws:
      Exception - if there is an error processing the request.
    • onPreHandle

      public boolean onPreHandle(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, Object mappedValue) throws Exception
      Entry point for the access-control decision: calls isAccessAllowed(request,response,mappedValue) and, when that returns false, hands the request to onAccessDenied(request,response,mappedValue).
      Returns:
      true if isAccessAllowed(request,response,mappedValue) returns true; otherwise the result of onAccessDenied(request,response,mappedValue), which is false when the subclass has already written the response.
      Throws:
      Exception - if an error occurs.
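      The isAccessAllowed / onAccessDenied split above is the whole contract a subclass has to honour. The following subclass is an added example, not code from the tynamo-security project or from Shiro: it admits a request only when the Subject is authenticated, saves the original GET request and redirects to the login URL when it is not, and refuses non-GET requests with a bare 401 rather than saving a request body that could never be replayed safely. The class name, package and the `sendError` policy for non-GET requests are the example's own choices; everything else uses members documented on this page or in Shiro's org.apache.shiro.web.util.WebUtils.

```java
package example.security; // hypothetical package for this added example

import java.io.IOException;

import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.util.WebUtils;
import org.tynamo.security.shiro.AccessControlFilter;

/**
 * Added example (not part of tynamo-security): a filter that requires a
 * fully authenticated Subject. onPreHandle() calls isAccessAllowed() first
 * and only falls through to onAccessDenied() when that returns false.
 */
public class AuthenticatedOnlyFilter extends AccessControlFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request,
                                      ServletResponse response,
                                      Object mappedValue) {
        // Pure decision, no side effects: this runs for every request the
        // filter chain maps to this filter, including the login page itself.
        // Letting the login request through avoids redirecting the login URL
        // to itself when the filter is mapped over a path that contains it.
        Subject subject = getSubject(request, response);
        return subject.isAuthenticated() || isLoginRequest(request, response);
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request,
                                     ServletResponse response) throws IOException {
        HttpServletRequest http = WebUtils.toHttp(request);

        if (GET_METHOD.equalsIgnoreCase(http.getMethod())) {
            // Remember where the user wanted to go, then send them to
            // getLoginUrl(); a later successful login can return them there,
            // with getSuccessUrl() as the fallback if no request was saved.
            saveRequestAndRedirectToLogin(request, response);
        } else {
            // POST/PUT/DELETE carry a body and are not idempotent: a redirect
            // would drop the body and a saved request would replay a
            // state-changing action after login. Refuse instead (example
            // policy; choose the status your clients expect).
            WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
        // false: this filter has rendered the response, do not continue the chain.
        return false;
    }
}
```

      The important properties are that isAccessAllowed never writes to the response or mutates the Subject, and that onAccessDenied returns false whenever it has already committed a redirect or an error, so the protected resource is not invoked on top of it. Configure the filter's loginUrl and successUrl through setLoginUrl/setSuccessUrl (or the LOGIN_URL/SUCCESS_URL settings exposed on this class) rather than hard-coding them in the subclass.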
    • preHandle

      protected boolean preHandle(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response) throws Exception
      Overrides:
      preHandle in class org.apache.shiro.web.servlet.AdviceFilter
      Throws:
      Exception
    • isLoginRequest

      protected boolean isLoginRequest(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response)
      Returns true if the incoming request is a login request, false otherwise.

      The default implementation merely returns true if the incoming request matches the configured loginUrl, by calling pathsMatch(loginUrl, request).
      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      Returns:
      true if the incoming request is a login request, false otherwise.
    • saveRequestAndRedirectToLogin

      protected void saveRequestAndRedirectToLogin(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response) throws IOException
      Convenience method for subclasses to use when a login redirect is required.

      This implementation simply calls saveRequest(request) and then redirectToLogin(request,response).

      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      Throws:
      IOException - if an error occurs.
    • saveRequest

      protected void saveRequest(jakarta.servlet.ServletRequest request)
      Convenience method merely delegates to WebUtils.saveRequest(request) to save the request state for reuse later. This is mostly used to retain user request state when a redirect is issued to return the user to their originally requested url/resource.

      If you need to save and then immediately redirect the user to login, consider using saveRequestAndRedirectToLogin(request,response) directly.

      Parameters:
      request - the incoming ServletRequest to save for re-use later (for example, after a redirect).
    • redirectToLogin

      protected void redirectToLogin(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response) throws IOException
      Convenience method for subclasses that merely acquires the getLoginUrl and redirects the request to that url.

      N.B. If you want to issue a redirect with the intention of allowing the user to then return to their originally requested URL, don't use this method directly. Instead you should call saveRequestAndRedirectToLogin(request,response), which will save the current request state so that it can be reconstructed and re-used after a successful login.

      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      Throws:
      IOException - if an error occurs.
    • isRedirectToSavedUrl

      public boolean isRedirectToSavedUrl()
    • setRedirectToSavedUrl

      public void setRedirectToSavedUrl(boolean redirectToSavedUrl)
    • getLoginContextService

      protected LoginContextService getLoginContextService()