1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
17 * under the License.
18 */
19 package org.apache.shiro.web.filter.authz;
20
21 import javax.servlet.ServletRequest;
22 import javax.servlet.ServletResponse;
23
/**
 * Filter which requires a request to be received over SSL/TLS. Access is allowed only if the request arrives on the
 * configured server {@link #setPort(int) port} <em>and</em>
 * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()} returns {@code true}. If either condition
 * is {@code false}, the filter chain does not continue.
 * <p>
 * The {@link #getPort() port} property defaults to {@code 443}. The scheme used when redirecting to the expected port
 * is always {@code https}, except for port 80, which keeps the {@code http} scheme.
 * <p>
 * Note that {@code isSecure()} reflects the connection as the servlet container sees it. When TLS is terminated at a
 * reverse proxy or load balancer and the request is forwarded to the container over plain HTTP, the container must be
 * configured to trust the proxy's forwarded-protocol information (for example an {@code X-Forwarded-Proto} header
 * accepted from known proxy addresses only); otherwise this filter denies every request. Trusting such headers from
 * arbitrary clients would let a plain-HTTP request be treated as secure, so that trust should be limited to the proxy.
 * <p>
 * Example config:
 * <pre>
 * [urls]
 * /secure/path/** = ssl
 * </pre>
 *
 * @since 1.0
 */
public class SslFilter extends PortFilter {

    /** Port expected for TLS traffic unless {@link #setPort(int)} is called with another value. */
    public static final int DEFAULT_HTTPS_PORT = 443;

    /** Scheme used for redirects on every port other than the parent's default HTTP port. */
    public static final String HTTPS_SCHEME = "https";

    /**
     * Creates a filter that expects requests on {@link #DEFAULT_HTTPS_PORT} (443).
     */
    public SslFilter() {
        super();
        setPort(DEFAULT_HTTPS_PORT);
    }

    /**
     * Selects the scheme for a redirect to the configured port.
     * <p>
     * The incoming {@code requestScheme} is deliberately ignored: port 80 ({@code DEFAULT_HTTP_PORT}) maps to
     * {@code http}, every other port maps to {@code https}.
     *
     * @param requestScheme the scheme of the incoming request - not used by this implementation
     * @param port          the port the redirect will target
     * @return {@code http} when {@code port} is the default HTTP port, {@code https} otherwise
     */
    @Override
    protected String getScheme(String requestScheme, int port) {
        boolean plainHttpPort = (port == DEFAULT_HTTP_PORT);
        return plainHttpPort ? PortFilter.HTTP_SCHEME : HTTPS_SCHEME;
    }

    /**
     * Applies the parent's port check and additionally requires that
     * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()} returns {@code true}.
     * <p>
     * The port check is performed first; {@code isSecure()} is only consulted when it passes. {@code isSecure()}
     * reports the connection as the servlet container sees it, so behind a TLS-terminating proxy it is only
     * {@code true} if the container has been configured to trust the proxy's forwarded-protocol information;
     * otherwise every request is denied here.
     *
     * @param request     the incoming {@code ServletRequest}
     * @param response    the outgoing {@code ServletResponse} - ignored in this implementation
     * @param mappedValue the filter-specific config value mapped to this filter in the URL rules mappings - ignored by
     *                    this implementation
     * @return {@code true} if the request arrived on the expected port and
     *         {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()} is {@code true},
     *         {@code false} otherwise
     * @throws Exception if the call to {@code super.isAccessAllowed} throws an exception
     * @since 1.2
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
        if (!super.isAccessAllowed(request, response, mappedValue)) {
            return false;
        }
        return request.isSecure();
    }
}