/*

  * Licensed to the Apache Software Foundation (ASF) under one

  * or more contributor license agreements.  See the NOTICE file

  * distributed with this work for additional information

  * regarding copyright ownership.  The ASF licenses this file

  * to you under the Apache License, Version 2.0 (the

  * "License"); you may not use this file except in compliance

  * with the License.  You may obtain a copy of the License at

  *

  *     http://www.apache.org/licenses/LICENSE-2.0

  *

  * Unless required by applicable law or agreed to in writing,

  * software distributed under the License is distributed on an

  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

  * KIND, either express or implied.  See the License for the

  * specific language governing permissions and limitations

  * under the License.

  */

 package org.apache.shiro.web.filter.authz;

 import javax.servlet.ServletRequest;

 import javax.servlet.ServletResponse;

 /**

  * Filter which requires a request to be over SSL.  Access is allowed if the request is received on the configured

  * server {@link #setPort(int) port} <em>and</em> the

  * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}.  If either condition is {@code false},

  * the filter chain will not continue.

  * <p/>

  * The {@link #getPort() port} property defaults to {@code 443} and also additionally guarantees that the

  * request scheme is always 'https' (except for port 80, which retains the 'http' scheme).

  * <p/>

  * Example config:

  * <pre>

  * [urls]

  * /secure/path/** = ssl

  * </pre>

  *

  * @since 1.0

  */

 public class SslFilter extends PortFilter {

     public static final int DEFAULT_HTTPS_PORT = 443;

     public static final String HTTPS_SCHEME = "https";

     public SslFilter() {

         setPort(DEFAULT_HTTPS_PORT);

     }

     @Override

     protected String getScheme(String requestScheme, int port) {

         if (port == DEFAULT_HTTP_PORT) {

             return PortFilter.HTTP_SCHEME;

         } else {

             return HTTPS_SCHEME;

         }

     }

     /**

      * Retains the parent method's port-matching behavior but additionally guarantees that the

      *{@code ServletRequest.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}.  If the port does not match or

      * the request is not secure, access is denied.

      *

      * @param request     the incoming {@code ServletRequest}

      * @param response    the outgoing {@code ServletResponse} - ignored in this implementation

      * @param mappedValue the filter-specific config value mapped to this filter in the URL rules mappings - ignored by this implementation.

      * @return {@code true} if the request is received on an expected SSL port and the

      * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}, {@code false} otherwise.

      * @throws Exception if the call to {@code super.isAccessAllowed} throws an exception.

      * @since 1.2

      */

     @Override

     protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {

         return super.isAccessAllowed(request, response, mappedValue) && request.isSecure();

     }

 }