Package org.tynamo.security.shiro.authz
Class AuthorizationFilter
java.lang.Object
org.apache.shiro.web.servlet.ServletContextSupport
org.apache.shiro.web.servlet.AbstractFilter
org.apache.shiro.web.servlet.NameableFilter
org.apache.shiro.web.servlet.OncePerRequestFilter
org.apache.shiro.web.servlet.AdviceFilter
org.tynamo.security.shiro.AccessControlFilter
org.tynamo.security.shiro.authz.AuthorizationFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.apache.shiro.lang.util.Nameable
Direct Known Subclasses:
PermissionsAuthorizationFilter, PortFilter, RolesAuthorizationFilter
Superclass for authorization-related filters. If a request is unauthorized, response handling is delegated to the onAccessDenied method, which provides reasonable handling for most applications.
Since:
0.4.0
Field Summary
Fields inherited from class org.tynamo.security.shiro.AccessControlFilter
GET_METHOD, LOGIN_URL, pathMatcher, POST_METHOD, REDIRECT_TO_SAVED_URL, SUCCESS_URL, TAPESTRY_VERSION, UNAUTHORIZED_URL
Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
ALREADY_FILTERED_SUFFIX
Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
filterConfig
Constructor Summary
Constructors
AuthorizationFilter
Method Summary
getUnauthorizedUrl()
    Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).
protected boolean onAccessDenied(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response)
    Handles the response when access has been denied.
void setUnauthorizedUrl(String unauthorizedUrl)
    Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.
Methods inherited from class org.tynamo.security.shiro.AccessControlFilter
addConfig, getLoginContextService, getLoginUrl, getSubject, getSuccessUrl, isAccessAllowed, isLoginRequest, isRedirectToSavedUrl, onAccessDenied, onPreHandle, preHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setConfig, setLoginUrl, setRedirectToSavedUrl, setSuccessUrl
Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter
afterCompletion, cleanup, doFilterInternal, executeChain, postHandle
Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, isFilterOncePerRequest, setEnabled, setFilterOncePerRequest, shouldNotFilter
Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
getName, setName, toStringBuilder
Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
Constructor Details
AuthorizationFilter
Method Details
getUnauthorizedUrl
Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized). The default is null, ensuring default web server behavior. Override this default by calling the setUnauthorizedUrl method with a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.
Overrides:
getUnauthorizedUrl in class AccessControlFilter
Returns:
the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).
setUnauthorizedUrl
Sets the URL to which users should be redirected if they are denied access to an underlying path or resource. If the value is null, a raw HttpServletResponse.SC_UNAUTHORIZED response will be issued (401 Unauthorized), retaining default web server behavior. Unless overridden by calling this method, the default value is null. If desired, you can specify a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.
Overrides:
setUnauthorizedUrl in class AccessControlFilter
Parameters:
unauthorizedUrl - the URL to which users should be redirected if they are denied access to an underlying path or resource, or null to ensure a raw HttpServletResponse.SC_UNAUTHORIZED response is issued (401 Unauthorized).
onAccessDenied
protected boolean onAccessDenied(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response) throws IOException
Handles the response when access has been denied. It behaves as follows:
- If the Subject is unknown[1]:
  - The incoming request will be saved and they will be redirected to the login page for authentication (via the AccessControlFilter.saveRequestAndRedirectToLogin(jakarta.servlet.ServletRequest, jakarta.servlet.ServletResponse) method).
  - Once successfully authenticated, they will be redirected back to the originally attempted page.
- If the Subject is known:
  - The HTTP HttpServletResponse.SC_UNAUTHORIZED status will be set (401 Unauthorized).
  - If the unauthorizedUrl has been configured, a redirect will be issued to that URL. Otherwise the 401 response is rendered normally.
[1]: A Subject is 'known' when subject.getPrincipal() is not null, which implicitly means that the subject is either currently authenticated or they have been remembered via 'remember me' services.
Note that a known Subject that simply lacks the required role or permission therefore receives a 401 rather than a 403, so clients that treat 401 as "credentials missing or stale" will re-prompt for login instead of reporting a permissions problem; a subject that is only remembered (not authenticated in the current session) counts as known here and is also not sent to the login page.
Specified by:
onAccessDenied in class AccessControlFilter
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Returns:
false always for this implementation.
Throws:
IOException - if there is any servlet error.
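The following is an added example and is not code from tynamo-security or Apache Shiro. It shows how a concrete subclass plugs into the flow described above: the subclass decides in isAccessAllowed, and any denial falls through to the onAccessDenied handling documented here (login redirect for an unknown Subject, 401 plus optional unauthorizedUrl redirect for a known one). The package and class names, the "report:view:<id>" permission scheme, and the exact signatures of the inherited isAccessAllowed and getSubject (assumed to mirror Apache Shiro's AccessControlFilter) are assumptions; subject.getPrincipal() and subject.isPermitted(String) are standard Shiro Subject methods.

```java
// Added example, not part of tynamo-security: a concrete AuthorizationFilter
// subclass. Package name, class name and the permission scheme are invented.
package com.example.security;

import java.util.regex.Pattern;

import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;

import org.apache.shiro.subject.Subject;
import org.tynamo.security.shiro.authz.AuthorizationFilter;

public class ReportViewFilter extends AuthorizationFilter {

    // Only these characters may enter the permission string. Shiro's
    // WildcardPermission treats ':' ',' and '*' as syntax, so a raw path
    // segment must never be concatenated into a permission unchecked.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    public ReportViewFilter() {
        // Documented hook (setUnauthorizedUrl above): a known Subject that fails
        // the check gets the 401 plus a redirect to this page instead of the
        // container's raw 401 body. Leave it unset to keep the raw 401.
        setUnauthorizedUrl("/unauthorized");
    }

    // Assumed signature, mirroring Apache Shiro's AccessControlFilter; mappedValue
    // is the per-path configuration value and is not used by this filter.
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        // Assumed inherited helper, as in Shiro's AccessControlFilter.
        Subject subject = getSubject(request, response);
        // Unknown Subject: return false and let onAccessDenied save the request
        // and redirect to the login page. No permission lookup is needed.
        if (subject == null || subject.getPrincipal() == null) {
            return false;
        }
        String reportId = reportIdFrom((HttpServletRequest) request);
        if (reportId == null) {
            return false; // malformed or missing id: deny, never "allow by default"
        }
        // Instance-level check, e.g. "report:view:42". A known Subject without
        // this permission is denied and onAccessDenied issues the 401/redirect.
        return subject.isPermitted("report:view:" + reportId);
    }

    // Takes the last path segment of e.g. "/app/reports/42" and validates it.
    static String reportIdFrom(HttpServletRequest request) {
        String path = request.getRequestURI();
        int slash = path.lastIndexOf('/');
        String last = slash < 0 ? path : path.substring(slash + 1);
        return SAFE_ID.matcher(last).matches() ? last : null;
    }
}
```

Two design choices matter here. First, the filter returns false for an unknown Subject rather than trying to handle login itself, because onAccessDenied already distinguishes the unknown case (save request, redirect to login, return to the original page) from the known case (401 and optional unauthorizedUrl). Second, the path segment is whitelisted before it is used to build the permission string; without that, a request for "/reports/*" or "/reports/42,99" would be checked against a permission with wildcard or multi-value syntax rather than against a single report id.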