Class FormAuthenticationFilter

java.lang.Object
org.apache.shiro.web.servlet.ServletContextSupport
org.apache.shiro.web.servlet.AbstractFilter
org.apache.shiro.web.servlet.NameableFilter
org.apache.shiro.web.servlet.OncePerRequestFilter
org.apache.shiro.web.servlet.AdviceFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.apache.shiro.lang.util.Nameable

public class FormAuthenticationFilter extends AuthenticatingFilter
Requires the requesting user to be authenticated for the request to continue, and if they are not, forces the user to log in by redirecting them to the loginUrl you configure.

This filter constructs a UsernamePasswordToken with the values found in the username, password, and rememberMe request parameters. It then calls Subject.login(usernamePasswordToken), effectively performing a login attempt automatically. Note that the login attempt will only occur when isLoginSubmission(request, response) returns true, which by default happens when the request is for the loginUrl and is a POST request.

If the login attempt fails, the resulting AuthenticationException fully qualified class name will be set as a request attribute under the failureKeyAttribute key. This FQCN can be used as an i18n key or lookup mechanism to explain to the user why their login attempt failed (e.g. no account, incorrect password, etc).

If you would prefer to handle the authentication validation and login in your own code, consider using the PassThruAuthenticationFilter instead, which allows requests to the AccessControlFilter.loginUrl to pass through to your application's code directly.
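As an added example (not part of Shiro's own code base), the following subclass sets the parameter names through the setters documented below and overrides setFailureAttribute and onLoginFailure so that the client receives one generic key for both "account not found" and "incorrect password" failures, while the precise AuthenticationException class is logged server-side. The class name SafeMessageFormAuthFilter, the package example, the import path of LoginContextService and the availability of SLF4J are assumptions.

```java
package example;  // hypothetical package for this example

import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.filter.authc.LoginContextService;  // package assumed; the page shows only the simple name
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SafeMessageFormAuthFilter extends FormAuthenticationFilter {

    private static final Logger LOG = LoggerFactory.getLogger(SafeMessageFormAuthFilter.class);

    // One i18n key for both "no such account" and "wrong password", so the
    // failure attribute no longer tells a client which usernames exist.
    static final String GENERIC_CREDENTIALS_KEY = "login.failed.badCredentials";

    public SafeMessageFormAuthFilter(LoginContextService loginContextService) {
        super(loginContextService);
        // Parameter names the filter reads from the POST body (defaults: username, password, rememberMe).
        setUsernameParam("email");
        setPasswordParam("passphrase");
        setRememberMeParam("keepMeSignedIn");
    }

    @Override
    protected void setFailureAttribute(ServletRequest request, AuthenticationException ae) {
        String key = (ae instanceof UnknownAccountException || ae instanceof IncorrectCredentialsException)
                ? GENERIC_CREDENTIALS_KEY
                : ae.getClass().getName();  // base-class behaviour (FQCN) for everything else, e.g. a locked account
        request.setAttribute(getFailureKeyAttribute(), key);
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        // The precise reason stays server-side, where it is useful for detection (a burst of
        // UnknownAccountException from one address looks like enumeration or credential stuffing).
        LOG.warn("login failed: principal={} remote={} cause={}",
                token.getPrincipal(), request.getRemoteAddr(), e.getClass().getSimpleName());
        // The base implementation stores the attribute via setFailureAttribute and returns true,
        // so the request continues and the login view can render the failure key.
        return super.onLoginFailure(token, e, request, response);
    }
}
```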

Since:
0.4.0
See Also:
  • PassThruAuthenticationFilter

  • Constructor Details

    • FormAuthenticationFilter

      public FormAuthenticationFilter(LoginContextService loginContextService)
  • Method Details

    • setLoginUrl

      public void setLoginUrl(String loginUrl)
      Description copied from class: AccessControlFilter
      Sets the login URL used to authenticate a user.

      Most Shiro filters use this url as the location to redirect a user when the filter requires authentication. Unless overridden, the DEFAULT_LOGIN_URL is assumed.
      Overrides:
      setLoginUrl in class AccessControlFilter
      Parameters:
      loginUrl - the login URL used to authenticate a user, used when redirecting users if authentication is required.
    • getUsernameParam

      public String getUsernameParam()
    • setUsernameParam

      public void setUsernameParam(String usernameParam)
      Sets the request parameter name to look for when acquiring the username. Unless overridden by calling this method, the default is username.
      Parameters:
      usernameParam - the name of the request param to check for acquiring the username.
    • getPasswordParam

      public String getPasswordParam()
    • setPasswordParam

      public void setPasswordParam(String passwordParam)
      Sets the request parameter name to look for when acquiring the password. Unless overridden by calling this method, the default is password.
      Parameters:
      passwordParam - the name of the request param to check for acquiring the password.
    • getRememberMeParam

      public String getRememberMeParam()
    • setRememberMeParam

      public void setRememberMeParam(String rememberMeParam)
      Sets the request parameter name to look for when acquiring the rememberMe boolean value. Unless overridden by calling this method, the default is rememberMe.

      RememberMe will be true if the parameter value equals any of those supported by WebUtils.isTrue(request,value), false otherwise.

      Parameters:
      rememberMeParam - the name of the request param to check for acquiring the rememberMe boolean value.
    • getFailureKeyAttribute

      public String getFailureKeyAttribute()
    • setFailureKeyAttribute

      public void setFailureKeyAttribute(String failureKeyAttribute)
    • onAccessDenied

      protected boolean onAccessDenied(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response) throws Exception
      Description copied from class: AccessControlFilter
      Processes requests where the subject was denied access as determined by the isAccessAllowed method.
      Specified by:
      onAccessDenied in class AccessControlFilter
      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      Returns:
      true if the request should continue to be processed; false if the subclass will handle/render the response directly.
      Throws:
      Exception - if there is an error processing the request.
    • isLoginSubmission

      protected boolean isLoginSubmission(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response)
      This default implementation merely returns true if the request is an HTTP POST, false otherwise. Can be overridden by subclasses for custom login submission detection behavior.
      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse.
      Returns:
      true if the request is an HTTP POST, false otherwise.
    • createToken

      protected org.apache.shiro.authc.AuthenticationToken createToken(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response)
      Specified by:
      createToken in class AuthenticatingFilter
    • isRememberMe

      protected boolean isRememberMe(jakarta.servlet.ServletRequest request)
      Description copied from class: AuthenticatingFilter
      Returns true if "rememberMe" should be enabled for the login attempt associated with the current request, false otherwise.

      This implementation always returns false and is provided as a template hook to subclasses that support rememberMe logins and wish to determine rememberMe in a custom manner based on the current request.

      Overrides:
      isRememberMe in class AuthenticatingFilter
      Parameters:
      request - the incoming ServletRequest
      Returns:
      true if "rememberMe" should be enabled for the login attempt associated with the current request, false otherwise.
    • onLoginSuccess

      protected boolean onLoginSuccess(org.apache.shiro.authc.AuthenticationToken token, org.apache.shiro.subject.Subject subject, jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response) throws Exception
      Overrides:
      onLoginSuccess in class AuthenticatingFilter
      Throws:
      Exception
    • onLoginFailure

      protected boolean onLoginFailure(org.apache.shiro.authc.AuthenticationToken token, org.apache.shiro.authc.AuthenticationException e, jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response)
      Overrides:
      onLoginFailure in class AuthenticatingFilter
    • setFailureAttribute

      protected void setFailureAttribute(jakarta.servlet.ServletRequest request, org.apache.shiro.authc.AuthenticationException ae)
    • getUsername

      protected String getUsername(jakarta.servlet.ServletRequest request)
    • getPassword

      protected String getPassword(jakarta.servlet.ServletRequest request)