Coverage Report

Coverage Report - org.apache.shiro.web.filter.AccessControlFilter

Classes in this File

Line Coverage

Branch Coverage

Complexity

AccessControlFilter

35%

6/17

0/4

1.091

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.shiro.web.filter;
 
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.web.util.WebUtils;
 
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import java.io.IOException;
 
 /**
  * Superclass for any filter that controls access to a resource and may redirect the user to the login page
  * if they are not authenticated.  This superclass provides the method
  * {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse)}
  * which is used by many subclasses as the behavior when a user is unauthenticated.
  *
  * @since 0.9
  */
 public abstract class AccessControlFilter extends PathMatchingFilter {
 
     /**
      * Simple default login URL equal to <code>/login.jsp</code>, which can be overridden by calling the
      * {@link #setLoginUrl(String) setLoginUrl} method.
      */
     public static final String DEFAULT_LOGIN_URL = "/login.jsp";
 
     /**
      * Constant representing the HTTP 'GET' request method, equal to <code>GET</code>.
      */
     public static final String GET_METHOD = "GET";
 
     /**
      * Constant representing the HTTP 'POST' request method, equal to <code>POST</code>.
      */
     public static final String POST_METHOD = "POST";
 
     /**
      * The login url to used to authenticate a user, used when redirecting users if authentication is required.
      */
     private String loginUrl = DEFAULT_LOGIN_URL;
 
     /**
      * Returns the login URL used to authenticate a user.
      * <p/>
      * Most Shiro filters use this url
      * as the location to redirect a user when the filter requires authentication.  Unless overridden, the
      * {@link #DEFAULT_LOGIN_URL DEFAULT_LOGIN_URL} is assumed, which can be overridden via
      * {@link #setLoginUrl(String) setLoginUrl}.
      *
      * @return the login URL used to authenticate a user, used when redirecting users if authentication is required.
      */
     public String getLoginUrl() {
         return loginUrl;
     }
 
     /**
      * Sets the login URL used to authenticate a user.
      * <p/>
      * Most Shiro filters use this url as the location to redirect a user when the filter requires
      * authentication.  Unless overridden, the {@link #DEFAULT_LOGIN_URL DEFAULT_LOGIN_URL} is assumed.
      *
      * @param loginUrl the login URL used to authenticate a user, used when redirecting users if authentication is required.
      */
     public void setLoginUrl(String loginUrl) {
         this.loginUrl = loginUrl;
     }
 
     /**
      * Convenience method that acquires the Subject associated with the request.
      * <p/>
      * The default implementation simply returns
      * {@link org.apache.shiro.SecurityUtils#getSubject() SecurityUtils.getSubject()}.
      *
      * @param request  the incoming <code>ServletRequest</code>
      * @param response the outgoing <code>ServletResponse</code>
      * @return the Subject associated with the request.
      */
     protected Subject getSubject(ServletRequest request, ServletResponse response) {
         return SecurityUtils.getSubject();
     }
 
     /**
      * Returns <code>true</code> if the request is allowed to proceed through the filter normally, or <code>false</code>
      * if the request should be handled by the
      * {@link #onAccessDenied(ServletRequest,ServletResponse,Object) onAccessDenied(request,response,mappedValue)}
      * method instead.
      *
      * @param request     the incoming <code>ServletRequest</code>
      * @param response    the outgoing <code>ServletResponse</code>
      * @param mappedValue the filter-specific config value mapped to this filter in the URL rules mappings.
      * @return <code>true</code> if the request should proceed through the filter normally, <code>false</code> if the
      *         request should be processed by this filter's
      *         {@link #onAccessDenied(ServletRequest,ServletResponse,Object)} method instead.
      * @throws Exception if an error occurs during processing.
      */
     protected abstract boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception;
 
     /**
      * Processes requests where the subject was denied access as determined by the
      * {@link #isAccessAllowed(javax.servlet.ServletRequest, javax.servlet.ServletResponse, Object) isAccessAllowed}
      * method, retaining the {@code mappedValue} that was used during configuration.
      * <p/>
      * This method immediately delegates to {@link #onAccessDenied(ServletRequest,ServletResponse)} as a
      * convenience in that most post-denial behavior does not need the mapped config again.
      *
      * @param request     the incoming <code>ServletRequest</code>
      * @param response    the outgoing <code>ServletResponse</code>
      * @param mappedValue the config specified for the filter in the matching request's filter chain.
      * @return <code>true</code> if the request should continue to be processed; false if the subclass will
      *         handle/render the response directly.
      * @throws Exception if there is an error processing the request.
      * @since 1.0
      */
     protected boolean onAccessDenied(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
         return onAccessDenied(request, response);
     }
 
     /**
      * Processes requests where the subject was denied access as determined by the
      * {@link #isAccessAllowed(javax.servlet.ServletRequest, javax.servlet.ServletResponse, Object) isAccessAllowed}
      * method.
      *
      * @param request  the incoming <code>ServletRequest</code>
      * @param response the outgoing <code>ServletResponse</code>
      * @return <code>true</code> if the request should continue to be processed; false if the subclass will
      *         handle/render the response directly.
      * @throws Exception if there is an error processing the request.
      */
     protected abstract boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception;
 
     /**
      * Returns <code>true</code> if
      * {@link #isAccessAllowed(ServletRequest,ServletResponse,Object) isAccessAllowed(Request,Response,Object)},
      * otherwise returns the result of
      * {@link #onAccessDenied(ServletRequest,ServletResponse,Object) onAccessDenied(Request,Response,Object)}.
      *
      * @return <code>true</code> if
      *         {@link #isAccessAllowed(javax.servlet.ServletRequest, javax.servlet.ServletResponse, Object) isAccessAllowed},
      *         otherwise returns the result of
      *         {@link #onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse) onAccessDenied}.
      * @throws Exception if an error occurs.
      */
     public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
         return isAccessAllowed(request, response, mappedValue) || onAccessDenied(request, response, mappedValue);
     }
 
     /**
      * Returns <code>true</code> if the incoming request is a login request, <code>false</code> otherwise.
      * <p/>
      * The default implementation merely returns <code>true</code> if the incoming request matches the configured
      * {@link #getLoginUrl() loginUrl} by calling
      * <code>{@link #pathsMatch(String, String) pathsMatch(loginUrl, request)}</code>.
      *
      * @param request  the incoming <code>ServletRequest</code>
      * @param response the outgoing <code>ServletResponse</code>
      * @return <code>true</code> if the incoming request is a login request, <code>false</code> otherwise.
      */
     protected boolean isLoginRequest(ServletRequest request, ServletResponse response) {
         return pathsMatch(getLoginUrl(), request);
     }
 
     /**
      * Convenience method for subclasses to use when a login redirect is required.
      * <p/>
      * This implementation simply calls {@link #saveRequest(javax.servlet.ServletRequest) saveRequest(request)}
      * and then {@link #redirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse) redirectToLogin(request,response)}.
      *
      * @param request  the incoming <code>ServletRequest</code>
      * @param response the outgoing <code>ServletResponse</code>
      * @throws IOException if an error occurs.
      */
     protected void saveRequestAndRedirectToLogin(ServletRequest request, ServletResponse response) throws IOException {
         saveRequest(request);
         redirectToLogin(request, response);
     }
 
     /**
      * Convenience method merely delegates to
      * {@link WebUtils#saveRequest(javax.servlet.ServletRequest) WebUtils.saveRequest(request)} to save the request
      * state for reuse later.  This is mostly used to retain user request state when a redirect is issued to
      * return the user to their originally requested url/resource.
      * <p/>
      * If you need to save and then immediately redirect the user to login, consider using
      * {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
      * saveRequestAndRedirectToLogin(request,response)} directly.
      *
      * @param request the incoming ServletRequest to save for re-use later (for example, after a redirect).
      */
     protected void saveRequest(ServletRequest request) {
         WebUtils.saveRequest(request);
     }
 
     /**
      * Convenience method for subclasses that merely acquires the {@link #getLoginUrl() getLoginUrl} and redirects
      * the request to that url.
      * <p/>
      * <b>N.B.</b>  If you want to issue a redirect with the intention of allowing the user to then return to their
      * originally requested URL, don't use this method directly.  Instead you should call
      * {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
      * saveRequestAndRedirectToLogin(request,response)}, which will save the current request state so that it can
      * be reconstructed and re-used after a successful login.
      *
      * @param request  the incoming <code>ServletRequest</code>
      * @param response the outgoing <code>ServletResponse</code>
      * @throws IOException if an error occurs.
      */
     protected void redirectToLogin(ServletRequest request, ServletResponse response) throws IOException {
         String loginUrl = getLoginUrl();
         WebUtils.issueRedirect(request, response, loginUrl);
     }
 
 }

1		/*
2		* Licensed to the Apache Software Foundation (ASF) under one
3		* or more contributor license agreements. See the NOTICE file
4		* distributed with this work for additional information
5		* regarding copyright ownership. The ASF licenses this file
6		* to you under the Apache License, Version 2.0 (the
7		* "License"); you may not use this file except in compliance
8		* with the License. You may obtain a copy of the License at
9		*
10		* http://www.apache.org/licenses/LICENSE-2.0
11		*
12		* Unless required by applicable law or agreed to in writing,
13		* software distributed under the License is distributed on an
14		* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15		* KIND, either express or implied. See the License for the
16		* specific language governing permissions and limitations
17		* under the License.
18		*/
19		package org.apache.shiro.web.filter;
20
21		import org.apache.shiro.SecurityUtils;
22		import org.apache.shiro.subject.Subject;
23		import org.apache.shiro.web.util.WebUtils;
24
25		import javax.servlet.ServletRequest;
26		import javax.servlet.ServletResponse;
27		import java.io.IOException;
28
29		/**
30		* Superclass for any filter that controls access to a resource and may redirect the user to the login page
31		* if they are not authenticated. This superclass provides the method
32		* {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse)}
33		* which is used by many subclasses as the behavior when a user is unauthenticated.
34		*
35		* @since 0.9
36		*/
37	397	public abstract class AccessControlFilter extends PathMatchingFilter {
38
39		/**
40		* Simple default login URL equal to <code>/login.jsp</code>, which can be overridden by calling the
41		* {@link #setLoginUrl(String) setLoginUrl} method.
42		*/
43		public static final String DEFAULT_LOGIN_URL = "/login.jsp";
44
45		/**
46		* Constant representing the HTTP 'GET' request method, equal to <code>GET</code>.
47		*/
48		public static final String GET_METHOD = "GET";
49
50		/**
51		* Constant representing the HTTP 'POST' request method, equal to <code>POST</code>.
52		*/
53		public static final String POST_METHOD = "POST";
54
55		/**
56		* The login url to used to authenticate a user, used when redirecting users if authentication is required.
57		*/
58	397	private String loginUrl = DEFAULT_LOGIN_URL;
59
60		/**
61		* Returns the login URL used to authenticate a user.
62		* <p/>
63		* Most Shiro filters use this url
64		* as the location to redirect a user when the filter requires authentication. Unless overridden, the
65		* {@link #DEFAULT_LOGIN_URL DEFAULT_LOGIN_URL} is assumed, which can be overridden via
66		* {@link #setLoginUrl(String) setLoginUrl}.
67		*
68		* @return the login URL used to authenticate a user, used when redirecting users if authentication is required.
69		*/
70		public String getLoginUrl() {
71	102	return loginUrl;
72		}
73
74		/**
75		* Sets the login URL used to authenticate a user.
76		* <p/>
77		* Most Shiro filters use this url as the location to redirect a user when the filter requires
78		* authentication. Unless overridden, the {@link #DEFAULT_LOGIN_URL DEFAULT_LOGIN_URL} is assumed.
79		*
80		* @param loginUrl the login URL used to authenticate a user, used when redirecting users if authentication is required.
81		*/
82		public void setLoginUrl(String loginUrl) {
83	51	this.loginUrl = loginUrl;
84	51	}
85
86		/**
87		* Convenience method that acquires the Subject associated with the request.
88		* <p/>
89		* The default implementation simply returns
90		* {@link org.apache.shiro.SecurityUtils#getSubject() SecurityUtils.getSubject()}.
91		*
92		* @param request the incoming <code>ServletRequest</code>
93		* @param response the outgoing <code>ServletResponse</code>
94		* @return the Subject associated with the request.
95		*/
96		protected Subject getSubject(ServletRequest request, ServletResponse response) {
97	2	return SecurityUtils.getSubject();
98		}
99
100		/**
101		* Returns <code>true</code> if the request is allowed to proceed through the filter normally, or <code>false</code>
102		* if the request should be handled by the
103		* {@link #onAccessDenied(ServletRequest,ServletResponse,Object) onAccessDenied(request,response,mappedValue)}
104		* method instead.
105		*
106		* @param request the incoming <code>ServletRequest</code>
107		* @param response the outgoing <code>ServletResponse</code>
108		* @param mappedValue the filter-specific config value mapped to this filter in the URL rules mappings.
109		* @return <code>true</code> if the request should proceed through the filter normally, <code>false</code> if the
110		* request should be processed by this filter's
111		* {@link #onAccessDenied(ServletRequest,ServletResponse,Object)} method instead.
112		* @throws Exception if an error occurs during processing.
113		*/
114		protected abstract boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception;
115
116		/**
117		* Processes requests where the subject was denied access as determined by the
118		* {@link #isAccessAllowed(javax.servlet.ServletRequest, javax.servlet.ServletResponse, Object) isAccessAllowed}
119		* method, retaining the {@code mappedValue} that was used during configuration.
120		* <p/>
121		* This method immediately delegates to {@link #onAccessDenied(ServletRequest,ServletResponse)} as a
122		* convenience in that most post-denial behavior does not need the mapped config again.
123		*
124		* @param request the incoming <code>ServletRequest</code>
125		* @param response the outgoing <code>ServletResponse</code>
126		* @param mappedValue the config specified for the filter in the matching request's filter chain.
127		* @return <code>true</code> if the request should continue to be processed; false if the subclass will
128		* handle/render the response directly.
129		* @throws Exception if there is an error processing the request.
130		* @since 1.0
131		*/
132		protected boolean onAccessDenied(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
133	0	return onAccessDenied(request, response);
134		}
135
136		/**
137		* Processes requests where the subject was denied access as determined by the
138		* {@link #isAccessAllowed(javax.servlet.ServletRequest, javax.servlet.ServletResponse, Object) isAccessAllowed}
139		* method.
140		*
141		* @param request the incoming <code>ServletRequest</code>
142		* @param response the outgoing <code>ServletResponse</code>
143		* @return <code>true</code> if the request should continue to be processed; false if the subclass will
144		* handle/render the response directly.
145		* @throws Exception if there is an error processing the request.
146		*/
147		protected abstract boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception;
148
149		/**
150		* Returns <code>true</code> if
151		* {@link #isAccessAllowed(ServletRequest,ServletResponse,Object) isAccessAllowed(Request,Response,Object)},
152		* otherwise returns the result of
153		* {@link #onAccessDenied(ServletRequest,ServletResponse,Object) onAccessDenied(Request,Response,Object)}.
154		*
155		* @return <code>true</code> if
156		* {@link #isAccessAllowed(javax.servlet.ServletRequest, javax.servlet.ServletResponse, Object) isAccessAllowed},
157		* otherwise returns the result of
158		* {@link #onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse) onAccessDenied}.
159		* @throws Exception if an error occurs.
160		*/
161		public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
162	0	return isAccessAllowed(request, response, mappedValue) \|\| onAccessDenied(request, response, mappedValue);
163		}
164
165		/**
166		* Returns <code>true</code> if the incoming request is a login request, <code>false</code> otherwise.
167		* <p/>
168		* The default implementation merely returns <code>true</code> if the incoming request matches the configured
169		* {@link #getLoginUrl() loginUrl} by calling
170		* <code>{@link #pathsMatch(String, String) pathsMatch(loginUrl, request)}</code>.
171		*
172		* @param request the incoming <code>ServletRequest</code>
173		* @param response the outgoing <code>ServletResponse</code>
174		* @return <code>true</code> if the incoming request is a login request, <code>false</code> otherwise.
175		*/
176		protected boolean isLoginRequest(ServletRequest request, ServletResponse response) {
177	0	return pathsMatch(getLoginUrl(), request);
178		}
179
180		/**
181		* Convenience method for subclasses to use when a login redirect is required.
182		* <p/>
183		* This implementation simply calls {@link #saveRequest(javax.servlet.ServletRequest) saveRequest(request)}
184		* and then {@link #redirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse) redirectToLogin(request,response)}.
185		*
186		* @param request the incoming <code>ServletRequest</code>
187		* @param response the outgoing <code>ServletResponse</code>
188		* @throws IOException if an error occurs.
189		*/
190		protected void saveRequestAndRedirectToLogin(ServletRequest request, ServletResponse response) throws IOException {
191	0	saveRequest(request);
192	0	redirectToLogin(request, response);
193	0	}
194
195		/**
196		* Convenience method merely delegates to
197		* {@link WebUtils#saveRequest(javax.servlet.ServletRequest) WebUtils.saveRequest(request)} to save the request
198		* state for reuse later. This is mostly used to retain user request state when a redirect is issued to
199		* return the user to their originally requested url/resource.
200		* <p/>
201		* If you need to save and then immediately redirect the user to login, consider using
202		* {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
203		* saveRequestAndRedirectToLogin(request,response)} directly.
204		*
205		* @param request the incoming ServletRequest to save for re-use later (for example, after a redirect).
206		*/
207		protected void saveRequest(ServletRequest request) {
208	0	WebUtils.saveRequest(request);
209	0	}
210
211		/**
212		* Convenience method for subclasses that merely acquires the {@link #getLoginUrl() getLoginUrl} and redirects
213		* the request to that url.
214		* <p/>
215		* <b>N.B.</b> If you want to issue a redirect with the intention of allowing the user to then return to their
216		* originally requested URL, don't use this method directly. Instead you should call
217		* {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
218		* saveRequestAndRedirectToLogin(request,response)}, which will save the current request state so that it can
219		* be reconstructed and re-used after a successful login.
220		*
221		* @param request the incoming <code>ServletRequest</code>
222		* @param response the outgoing <code>ServletResponse</code>
223		* @throws IOException if an error occurs.
224		*/
225		protected void redirectToLogin(ServletRequest request, ServletResponse response) throws IOException {
226	0	String loginUrl = getLoginUrl();
227	0	WebUtils.issueRedirect(request, response, loginUrl);
228	0	}
229
230		}