Class AuthenticatingFilter
- java.lang.Object
-
- All Implemented Interfaces:
Filter, Nameable, PathConfigProcessor
- Direct Known Subclasses:
BasicHttpAuthenticationFilter, BearerHttpAuthenticationFilter, CasFilter, FormAuthenticationFilter
public abstract class AuthenticatingFilter extends AuthenticationFilter
An AuthenticationFilter that is capable of automatically performing an authentication attempt based on the incoming request.
- Since:
- 0.9
-
-
Field Summary
Fields (Modifier and Type, Field, Description):
static String PERMISSIVE
-
Fields inherited from class org.apache.shiro.web.filter.authc.AuthenticationFilter
DEFAULT_SUCCESS_URL
-
Fields inherited from class org.apache.shiro.web.filter.AccessControlFilter
DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD
-
Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter
appliedPaths, pathMatcher
-
Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
ALREADY_FILTERED_SUFFIX
-
Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
filterConfig
-
-
Constructor Summary
Constructors (Constructor, Description):
AuthenticatingFilter()
-
Method Summary
Methods (Modifier and Type, Method, Description):
protected void cleanup(ServletRequest request, ServletResponse response, Exception existing)
Overrides the default behavior to call AccessControlFilter.onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse, java.lang.Object) and swallow the exception if the exception is UnauthenticatedException.
protected AuthenticationToken createToken(String username, String password, boolean rememberMe, String host)
protected AuthenticationToken createToken(String username, String password, ServletRequest request, ServletResponse response)
protected abstract AuthenticationToken createToken(ServletRequest request, ServletResponse response)
protected boolean executeLogin(ServletRequest request, ServletResponse response)
protected String getHost(ServletRequest request)
Returns the host name or IP associated with the current subject.
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
Determines whether the current subject should be allowed to make the current request.
protected boolean isPermissive(Object mappedValue)
Returns true if the mappedValue contains the PERMISSIVE qualifier.
protected boolean isRememberMe(ServletRequest request)
Returns true if "rememberMe" should be enabled for the login attempt associated with the current request, false otherwise.
protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response)
protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request, ServletResponse response)
-
Methods inherited from class org.apache.shiro.web.filter.authc.AuthenticationFilter
getSuccessUrl, issueSuccessRedirect, setSuccessUrl
-
Methods inherited from class org.apache.shiro.web.filter.AccessControlFilter
getLoginUrl, getSubject, isLoginRequest, onAccessDenied, onAccessDenied, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl
-
Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter
getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig
-
Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter
afterCompletion, doFilterInternal, executeChain, postHandle
-
Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter
-
Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
getName, setName, toStringBuilder
-
Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
-
Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
-
-
-
-
Field Detail
-
PERMISSIVE
public static final String PERMISSIVE
- See Also:
- Constant Field Values
-
-
Constructor Detail
-
AuthenticatingFilter
public AuthenticatingFilter()
-
-
Method Detail
-
executeLogin
protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception
- Throws:
Exception
-
createToken
protected abstract AuthenticationToken createToken(ServletRequest request, ServletResponse response) throws Exception
- Throws:
Exception
-
createToken
protected AuthenticationToken createToken(String username, String password, ServletRequest request, ServletResponse response)
-
createToken
protected AuthenticationToken createToken(String username, String password, boolean rememberMe, String host)
-
onLoginSuccess
protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request, ServletResponse response) throws Exception
- Throws:
Exception
-
onLoginFailure
protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response)
-
getHost
protected String getHost(ServletRequest request)
Returns the host name or IP associated with the current subject. This method is primarily provided for use during construction of an AuthenticationToken. The default implementation merely returns ServletRequest.getRemoteHost().
- Parameters:
request - the incoming ServletRequest
- Returns:
the InetAddress to associate with the login attempt.
-
isRememberMe
protected boolean isRememberMe(ServletRequest request)
Returns true if "rememberMe" should be enabled for the login attempt associated with the current request, false otherwise. This implementation always returns false and is provided as a template hook to subclasses that support rememberMe logins and wish to determine rememberMe in a custom manner based on the current request.
- Parameters:
request - the incoming ServletRequest
- Returns:
true if "rememberMe" should be enabled for the login attempt associated with the current request, false otherwise.
-
isAccessAllowed
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
Determines whether the current subject should be allowed to make the current request. The default implementation returns true if the user is authenticated. Will also return true if the AccessControlFilter.isLoginRequest(javax.servlet.ServletRequest, javax.servlet.ServletResponse) returns false and the "permissive" flag is set.
- Overrides:
isAccessAllowed in class AuthenticationFilter
- Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings.
- Returns:
true if request should be allowed access
-
isPermissive
protected boolean isPermissive(Object mappedValue)
Returns true if the mappedValue contains the PERMISSIVE qualifier.
- Returns:
true if this filter should be permissive
-
cleanup
protected void cleanup(ServletRequest request, ServletResponse response, Exception existing) throws ServletException, IOException
Overrides the default behavior to call AccessControlFilter.onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse, java.lang.Object) and swallow the exception if the exception is UnauthenticatedException.
- Overrides:
cleanup in class AdviceFilter
- Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
existing - any exception that might have occurred while executing the FilterChain or pre or post advice, or null if the pre/chain/post execution did not throw an Exception.
- Throws:
ServletException - if any exception other than an IOException is thrown.
IOException - if the pre/chain/post execution throws an IOException
-
-
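How the hooks documented above fit together in a subclass, as an added example that is not part of the Shiro Javadoc or code base. The class name HeaderCredentialsFilter and the two header names are hypothetical; the sketch assumes a configured Realm that accepts a UsernamePasswordToken.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

// Hypothetical subclass: authenticates each request from two headers instead of a login form.
public class HeaderCredentialsFilter extends AuthenticatingFilter {

    // Assumed header names, chosen for this example only.
    private static final String USER_HEADER = "X-Auth-User";
    private static final String SECRET_HEADER = "X-Auth-Secret";

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        String user = WebUtils.toHttp(request).getHeader(USER_HEADER);
        String secret = WebUtils.toHttp(request).getHeader(SECRET_HEADER);
        // The inherited overload adds isRememberMe(request) and getHost(request).
        // getHost() defaults to ServletRequest.getRemoteHost(), so behind a reverse
        // proxy the token records the proxy's address unless getHost() is overridden.
        return createToken(user, secret, request, response);
    }

    // Reached only when isAccessAllowed() returned false: the subject is not
    // authenticated and the path is not mapped with the "permissive" qualifier.
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (WebUtils.toHttp(request).getHeader(USER_HEADER) == null) {
            WebUtils.toHttp(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false; // no credentials presented: stop the filter chain
        }
        // executeLogin() builds the token via createToken(), calls Subject.login(),
        // then returns the result of onLoginSuccess() or onLoginFailure().
        return executeLogin(request, response);
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        // Same generic 401 for every failure, so the response does not reveal
        // whether the user name or the secret was wrong.
        WebUtils.toHttp(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false; // do not continue the filter chain
    }
}
```

When a path is mapped to this filter with the "permissive" qualifier, isAccessAllowed returns true for unauthenticated non-login requests, so onAccessDenied is never called and the request continues without an authenticated subject. Code behind a permissive mapping therefore has to perform its own authorization checks.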