Coverage Report

Coverage Report - org.apache.shiro.web.filter.authz.AuthorizationFilter

Classes in this File

Line Coverage

Branch Coverage

Complexity

AuthorizationFilter

91%

11/12

75%

3/4

1.667

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.shiro.web.filter.authz;
 
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.util.StringUtils;
 import org.apache.shiro.web.filter.AccessControlFilter;
 import org.apache.shiro.web.util.WebUtils;
 
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
 /**
  * Superclass for authorization-related filters.  If an request is unauthorized, response handling is delegated to the
  * {@link #onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse) onAccessDenied} method, which
  * provides reasonable handling for most applications.
  *
  * @see #onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
  * @since 0.9
  */
 public abstract class AuthorizationFilter extends AccessControlFilter {
 
     /**
      * The URL to which users should be redirected if they are denied access to an underlying path or resource,
      * {@code null} by default which will issue a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response
      * (401 Unauthorized).
      */
     private String unauthorizedUrl;
 
     /**
      * Returns the URL to which users should be redirected if they are denied access to an underlying path or resource,
      * or {@code null} if a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response should be issued (401 Unauthorized).
      * <p/>
      * The default is {@code null}, ensuring default web server behavior.  Override this default by calling the
      * {@link #setUnauthorizedUrl(String) setUnauthorizedUrl} method with a meaningful path within your application
      * if you would like to show the user a 'nice' page in the event of unauthorized access.
      *
      * @return the URL to which users should be redirected if they are denied access to an underlying path or resource,
      *         or {@code null} if a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response should be issued (401 Unauthorized).
      */
     public String getUnauthorizedUrl() {
         return unauthorizedUrl;
     }
 
     /**
      * Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.
      * <p/>
      * If the value is {@code null} a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response will
      * be issued (401 Unauthorized), retaining default web server behavior.
      * <p/>
      * Unless overridden by calling this method, the default value is {@code null}.  If desired, you can specify a
      * meaningful path within your application if you would like to show the user a 'nice' page in the event of
      * unauthorized access.
      *
      * @param unauthorizedUrl the URL to which users should be redirected if they are denied access to an underlying
      *                        path or resource, or {@code null} to a ensure raw {@link HttpServletResponse#SC_UNAUTHORIZED} response is
      *                        issued (401 Unauthorized).
      */
     public void setUnauthorizedUrl(String unauthorizedUrl) {
         this.unauthorizedUrl = unauthorizedUrl;
     }
 
     /**
      * Handles the response when access has been denied.  It behaves as follows:
      * <ul>
      * <li>If the {@code Subject} is unknown<sup><a href="#known">[1]</a></sup>:
      * <ol><li>The incoming request will be saved and they will be redirected to the login page for authentication
      * (via the {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse)}
      * method).</li>
      * <li>Once successfully authenticated, they will be redirected back to the originally attempted page.</li></ol>
      * </li>
      * <li>If the Subject is known:</li>
      * <ol>
      * <li>The HTTP {@link HttpServletResponse#SC_UNAUTHORIZED} header will be set (401 Unauthorized)</li>
      * <li>If the {@link #getUnauthorizedUrl() unauthorizedUrl} has been configured, a redirect will be issued to that
      * URL.  Otherwise the 401 response is rendered normally</li>
      * </ul>
      * <code><a name="known">[1]</a></code>: A {@code Subject} is 'known' when
      * <code>subject.{@link org.apache.shiro.subject.Subject#getPrincipal() getPrincipal()}</code> is not {@code null},
      * which implicitly means that the subject is either currently authenticated or they have been remembered via
      * 'remember me' services.
      *
      * @param request  the incoming <code>ServletRequest</code>
      * @param response the outgoing <code>ServletResponse</code>
      * @return {@code false} always for this implementation.
      * @throws IOException if there is any servlet error.
      */
     protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
 
         Subject subject = getSubject(request, response);
         // If the subject isn't identified, redirect to login URL
         if (subject.getPrincipal() == null) {
             saveRequestAndRedirectToLogin(request, response);
         } else {
             // If subject is known but not authorized, redirect to the unauthorized URL if there is one
             // If no unauthorized URL is specified, just return an unauthorized HTTP status code
             String unauthorizedUrl = getUnauthorizedUrl();
             //SHIRO-142 - ensure that redirect _or_ error code occurs - both cannot happen due to response commit:
             if (StringUtils.hasText(unauthorizedUrl)) {
                 WebUtils.issueRedirect(request, response, unauthorizedUrl);
             } else {
                 WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
             }
         }
         return false;
     }
 
 }

1		/*
2		* Licensed to the Apache Software Foundation (ASF) under one
3		* or more contributor license agreements. See the NOTICE file
4		* distributed with this work for additional information
5		* regarding copyright ownership. The ASF licenses this file
6		* to you under the Apache License, Version 2.0 (the
7		* "License"); you may not use this file except in compliance
8		* with the License. You may obtain a copy of the License at
9		*
10		* http://www.apache.org/licenses/LICENSE-2.0
11		*
12		* Unless required by applicable law or agreed to in writing,
13		* software distributed under the License is distributed on an
14		* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15		* KIND, either express or implied. See the License for the
16		* specific language governing permissions and limitations
17		* under the License.
18		*/
19		package org.apache.shiro.web.filter.authz;
20
21		import org.apache.shiro.subject.Subject;
22		import org.apache.shiro.util.StringUtils;
23		import org.apache.shiro.web.filter.AccessControlFilter;
24		import org.apache.shiro.web.util.WebUtils;
25
26		import javax.servlet.ServletRequest;
27		import javax.servlet.ServletResponse;
28		import javax.servlet.http.HttpServletResponse;
29		import java.io.IOException;
30
31		/**
32		* Superclass for authorization-related filters. If an request is unauthorized, response handling is delegated to the
33		* {@link #onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse) onAccessDenied} method, which
34		* provides reasonable handling for most applications.
35		*
36		* @see #onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
37		* @since 0.9
38		*/
39	496	public abstract class AuthorizationFilter extends AccessControlFilter {
40
41		/**
42		* The URL to which users should be redirected if they are denied access to an underlying path or resource,
43		* {@code null} by default which will issue a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response
44		* (401 Unauthorized).
45		*/
46		private String unauthorizedUrl;
47
48		/**
49		* Returns the URL to which users should be redirected if they are denied access to an underlying path or resource,
50		* or {@code null} if a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response should be issued (401 Unauthorized).
51		* <p/>
52		* The default is {@code null}, ensuring default web server behavior. Override this default by calling the
53		* {@link #setUnauthorizedUrl(String) setUnauthorizedUrl} method with a meaningful path within your application
54		* if you would like to show the user a 'nice' page in the event of unauthorized access.
55		*
56		* @return the URL to which users should be redirected if they are denied access to an underlying path or resource,
57		* or {@code null} if a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response should be issued (401 Unauthorized).
58		*/
59		public String getUnauthorizedUrl() {
60	4	return unauthorizedUrl;
61		}
62
63		/**
64		* Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.
65		* <p/>
66		* If the value is {@code null} a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response will
67		* be issued (401 Unauthorized), retaining default web server behavior.
68		* <p/>
69		* Unless overridden by calling this method, the default value is {@code null}. If desired, you can specify a
70		* meaningful path within your application if you would like to show the user a 'nice' page in the event of
71		* unauthorized access.
72		*
73		* @param unauthorizedUrl the URL to which users should be redirected if they are denied access to an underlying
74		* path or resource, or {@code null} to a ensure raw {@link HttpServletResponse#SC_UNAUTHORIZED} response is
75		* issued (401 Unauthorized).
76		*/
77		public void setUnauthorizedUrl(String unauthorizedUrl) {
78	2	this.unauthorizedUrl = unauthorizedUrl;
79	2	}
80
81		/**
82		* Handles the response when access has been denied. It behaves as follows:
83		* <ul>
84		* <li>If the {@code Subject} is unknown<sup><a href="#known">[1]</a></sup>:
85		* <ol><li>The incoming request will be saved and they will be redirected to the login page for authentication
86		* (via the {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse)}
87		* method).</li>
88		* <li>Once successfully authenticated, they will be redirected back to the originally attempted page.</li></ol>
89		* </li>
90		* <li>If the Subject is known:</li>
91		* <ol>
92		* <li>The HTTP {@link HttpServletResponse#SC_UNAUTHORIZED} header will be set (401 Unauthorized)</li>
93		* <li>If the {@link #getUnauthorizedUrl() unauthorizedUrl} has been configured, a redirect will be issued to that
94		* URL. Otherwise the 401 response is rendered normally</li>
95		* </ul>
96		* <code><a name="known">[1]</a></code>: A {@code Subject} is 'known' when
97		* <code>subject.{@link org.apache.shiro.subject.Subject#getPrincipal() getPrincipal()}</code> is not {@code null},
98		* which implicitly means that the subject is either currently authenticated or they have been remembered via
99		* 'remember me' services.
100		*
101		* @param request the incoming <code>ServletRequest</code>
102		* @param response the outgoing <code>ServletResponse</code>
103		* @return {@code false} always for this implementation.
104		* @throws IOException if there is any servlet error.
105		*/
106		protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
107
108	4	Subject subject = getSubject(request, response);
109		// If the subject isn't identified, redirect to login URL
110	4	if (subject.getPrincipal() == null) {
111	0	saveRequestAndRedirectToLogin(request, response);
112		} else {
113		// If subject is known but not authorized, redirect to the unauthorized URL if there is one
114		// If no unauthorized URL is specified, just return an unauthorized HTTP status code
115	4	String unauthorizedUrl = getUnauthorizedUrl();
116		//SHIRO-142 - ensure that redirect _or_ error code occurs - both cannot happen due to response commit:
117	4	if (StringUtils.hasText(unauthorizedUrl)) {
118	2	WebUtils.issueRedirect(request, response, unauthorizedUrl);
119		} else {
120	2	WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
121		}
122		}
123	4	return false;
124		}
125
126		}