Classes in this File | Line Coverage | Branch Coverage | Complexity | ||||
AuthorizationFilter |
|
| 1.6666666666666667;1.667 |
1 | /* | |
2 | * Licensed to the Apache Software Foundation (ASF) under one | |
3 | * or more contributor license agreements. See the NOTICE file | |
4 | * distributed with this work for additional information | |
5 | * regarding copyright ownership. The ASF licenses this file | |
6 | * to you under the Apache License, Version 2.0 (the | |
7 | * "License"); you may not use this file except in compliance | |
8 | * with the License. You may obtain a copy of the License at | |
9 | * | |
10 | * http://www.apache.org/licenses/LICENSE-2.0 | |
11 | * | |
12 | * Unless required by applicable law or agreed to in writing, | |
13 | * software distributed under the License is distributed on an | |
14 | * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | |
15 | * KIND, either express or implied. See the License for the | |
16 | * specific language governing permissions and limitations | |
17 | * under the License. | |
18 | */ | |
19 | package org.apache.shiro.web.filter.authz; | |
20 | ||
21 | import org.apache.shiro.subject.Subject; | |
22 | import org.apache.shiro.util.StringUtils; | |
23 | import org.apache.shiro.web.filter.AccessControlFilter; | |
24 | import org.apache.shiro.web.util.WebUtils; | |
25 | ||
26 | import javax.servlet.ServletRequest; | |
27 | import javax.servlet.ServletResponse; | |
28 | import javax.servlet.http.HttpServletResponse; | |
29 | import java.io.IOException; | |
30 | ||
31 | /** | |
32 | * Superclass for authorization-related filters. If an request is unauthorized, response handling is delegated to the | |
33 | * {@link #onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse) onAccessDenied} method, which | |
34 | * provides reasonable handling for most applications. | |
35 | * | |
36 | * @see #onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse) | |
37 | * @since 0.9 | |
38 | */ | |
39 | 248 | public abstract class AuthorizationFilter extends AccessControlFilter { |
40 | ||
41 | /** | |
42 | * The URL to which users should be redirected if they are denied access to an underlying path or resource, | |
43 | * {@code null} by default which will issue a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response | |
44 | * (401 Unauthorized). | |
45 | */ | |
46 | private String unauthorizedUrl; | |
47 | ||
48 | /** | |
49 | * Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, | |
50 | * or {@code null} if a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response should be issued (401 Unauthorized). | |
51 | * <p/> | |
52 | * The default is {@code null}, ensuring default web server behavior. Override this default by calling the | |
53 | * {@link #setUnauthorizedUrl(String) setUnauthorizedUrl} method with a meaningful path within your application | |
54 | * if you would like to show the user a 'nice' page in the event of unauthorized access. | |
55 | * | |
56 | * @return the URL to which users should be redirected if they are denied access to an underlying path or resource, | |
57 | * or {@code null} if a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response should be issued (401 Unauthorized). | |
58 | */ | |
59 | public String getUnauthorizedUrl() { | |
60 | 2 | return unauthorizedUrl; |
61 | } | |
62 | ||
63 | /** | |
64 | * Sets the URL to which users should be redirected if they are denied access to an underlying path or resource. | |
65 | * <p/> | |
66 | * If the value is {@code null} a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response will | |
67 | * be issued (401 Unauthorized), retaining default web server behavior. | |
68 | * <p/> | |
69 | * Unless overridden by calling this method, the default value is {@code null}. If desired, you can specify a | |
70 | * meaningful path within your application if you would like to show the user a 'nice' page in the event of | |
71 | * unauthorized access. | |
72 | * | |
73 | * @param unauthorizedUrl the URL to which users should be redirected if they are denied access to an underlying | |
74 | * path or resource, or {@code null} to a ensure raw {@link HttpServletResponse#SC_UNAUTHORIZED} response is | |
75 | * issued (401 Unauthorized). | |
76 | */ | |
77 | public void setUnauthorizedUrl(String unauthorizedUrl) { | |
78 | 1 | this.unauthorizedUrl = unauthorizedUrl; |
79 | 1 | } |
80 | ||
81 | /** | |
82 | * Handles the response when access has been denied. It behaves as follows: | |
83 | * <ul> | |
84 | * <li>If the {@code Subject} is unknown<sup><a href="#known">[1]</a></sup>: | |
85 | * <ol><li>The incoming request will be saved and they will be redirected to the login page for authentication | |
86 | * (via the {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse)} | |
87 | * method).</li> | |
88 | * <li>Once successfully authenticated, they will be redirected back to the originally attempted page.</li></ol> | |
89 | * </li> | |
90 | * <li>If the Subject is known:</li> | |
91 | * <ol> | |
92 | * <li>The HTTP {@link HttpServletResponse#SC_UNAUTHORIZED} header will be set (401 Unauthorized)</li> | |
93 | * <li>If the {@link #getUnauthorizedUrl() unauthorizedUrl} has been configured, a redirect will be issued to that | |
94 | * URL. Otherwise the 401 response is rendered normally</li> | |
95 | * </ul> | |
96 | * <code><a name="known">[1]</a></code>: A {@code Subject} is 'known' when | |
97 | * <code>subject.{@link org.apache.shiro.subject.Subject#getPrincipal() getPrincipal()}</code> is not {@code null}, | |
98 | * which implicitly means that the subject is either currently authenticated or they have been remembered via | |
99 | * 'remember me' services. | |
100 | * | |
101 | * @param request the incoming <code>ServletRequest</code> | |
102 | * @param response the outgoing <code>ServletResponse</code> | |
103 | * @return {@code false} always for this implementation. | |
104 | * @throws IOException if there is any servlet error. | |
105 | */ | |
106 | protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException { | |
107 | ||
108 | 2 | Subject subject = getSubject(request, response); |
109 | // If the subject isn't identified, redirect to login URL | |
110 | 2 | if (subject.getPrincipal() == null) { |
111 | 0 | saveRequestAndRedirectToLogin(request, response); |
112 | } else { | |
113 | // If subject is known but not authorized, redirect to the unauthorized URL if there is one | |
114 | // If no unauthorized URL is specified, just return an unauthorized HTTP status code | |
115 | 2 | String unauthorizedUrl = getUnauthorizedUrl(); |
116 | //SHIRO-142 - ensure that redirect _or_ error code occurs - both cannot happen due to response commit: | |
117 | 2 | if (StringUtils.hasText(unauthorizedUrl)) { |
118 | 1 | WebUtils.issueRedirect(request, response, unauthorizedUrl); |
119 | } else { | |
120 | 1 | WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED); |
121 | } | |
122 | } | |
123 | 2 | return false; |
124 | } | |
125 | ||
126 | } |