View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.shiro.web.filter.authc;
20  
21  import javax.servlet.ServletRequest;
22  import javax.servlet.ServletResponse;
23  
24  /**
25   * An authentication filter that redirects the user to the login page when they are trying to access
26   * a protected resource.  However, if the user is trying to access the login page, the filter lets
27   * the request pass through to the application code.
28   * <p/>
29   * The difference between this filter and the {@link FormAuthenticationFilter FormAuthenticationFilter} is that
30   * on a login submission (by default an HTTP POST to the login URL), the <code>FormAuthenticationFilter</code> filter
31   * attempts to automatically authenticate the user by passing the <code>username</code> and <code>password</code>
32   * request parameter values to
33   * {@link org.apache.shiro.subject.Subject#login(org.apache.shiro.authc.AuthenticationToken) Subject.login(usernamePasswordToken)}
34   * directly.
35   * <p/>
36   * Conversely, this controller always passes all requests to the {@link #setLoginUrl loginUrl} through, both GETs and
37   * POSTs.  This is useful in cases where the developer wants to write their own login behavior, which should include a
38   * call to {@link org.apache.shiro.subject.Subject#login(org.apache.shiro.authc.AuthenticationToken) Subject.login(AuthenticationToken)}
39   * at some point.  For example,  if the developer has their own custom MVC login controller or validator,
40   * this <code>PassThruAuthenticationFilter</code> may be appropriate.
41   *
42   * @see FormAuthenticationFilter
43   * @since 0.9
44   */
45  public class PassThruAuthenticationFilter extends AuthenticationFilter {
46  
47      //TODO - complete JavaDoc
48  
49      protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
50          if (isLoginRequest(request, response)) {
51              return true;
52          } else {
53              saveRequestAndRedirectToLogin(request, response);
54              return false;
55          }
56      }
57  
58  }