Class BearerHttpAuthenticationFilter
- java.lang.Object
- org.apache.shiro.web.servlet.ServletContextSupport
- org.apache.shiro.web.servlet.AbstractFilter
- org.apache.shiro.web.servlet.NameableFilter
- org.apache.shiro.web.servlet.OncePerRequestFilter
- org.apache.shiro.web.servlet.AdviceFilter
- org.apache.shiro.web.filter.PathMatchingFilter
- org.apache.shiro.web.filter.AccessControlFilter
- org.apache.shiro.web.filter.authc.AuthenticationFilter
- org.apache.shiro.web.filter.authc.AuthenticatingFilter
- org.apache.shiro.web.filter.authc.BearerHttpAuthenticationFilter
- All Implemented Interfaces: Filter, Nameable, PathConfigProcessor
public class BearerHttpAuthenticationFilter extends AuthenticatingFilter
Requires the requesting user to be authenticated for the request to continue, and if they're not, requires the user to log in via the HTTP Bearer protocol-specific challenge. Upon successful login, they're allowed to continue on to the requested resource/url. The AccessControlFilter.onAccessDenied(ServletRequest, ServletResponse) method will only be called if the subject making the request is not authenticated.
- Since: 1.5
- See Also: RFC 2617, OAuth2 Authorization Request Header Field
Field Summary
- protected static String AUTHENTICATE_HEADER: HTTP Authentication header, equal to WWW-Authenticate
- protected static String AUTHORIZATION_HEADER: HTTP Authorization header, equal to Authorization
- Fields inherited from class org.apache.shiro.web.filter.authc.AuthenticatingFilter: PERMISSIVE
- Fields inherited from class org.apache.shiro.web.filter.authc.AuthenticationFilter: DEFAULT_SUCCESS_URL
- Fields inherited from class org.apache.shiro.web.filter.AccessControlFilter: DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD
- Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter: appliedPaths, pathMatcher
- Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter: ALREADY_FILTERED_SUFFIX
- Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter: filterConfig
Constructor Summary
- BearerHttpAuthenticationFilter()
Method Summary
- protected AuthenticationToken createBearerToken(String token, ServletRequest request)
- protected AuthenticationToken createToken(ServletRequest request, ServletResponse response): Creates an AuthenticationToken for use during a login attempt with the provided credentials in the HTTP header.
- String getApplicationName(): Returns the name to use in the ServletResponse's WWW-Authenticate header.
- String getAuthcScheme(): Returns the HTTP WWW-Authenticate header scheme that this filter will use when sending the HTTP Basic challenge response.
- protected String getAuthzHeader(ServletRequest request): Returns the AUTHORIZATION_HEADER from the specified ServletRequest.
- String getAuthzScheme(): Returns the HTTP Authorization header value that this filter will respond to as indicating a login request.
- protected String[] getPrincipalsAndCredentials(String scheme, String token)
- protected String[] getPrincipalsAndCredentials(String authorizationHeader, ServletRequest request): Returns the username obtained from the authorizationHeader.
- protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue): The Basic authentication filter can be configured with a list of HTTP methods to which it should apply.
- protected boolean isLoginAttempt(String authzHeader): Default implementation that returns true if the specified authzHeader starts with the same (case-insensitive) characters specified by the authzScheme, false otherwise.
- protected boolean isLoginAttempt(ServletRequest request, ServletResponse response): Determines whether the incoming request is an attempt to log in.
- protected boolean isLoginRequest(ServletRequest request, ServletResponse response): Delegates to isLoginAttempt.
- protected boolean onAccessDenied(ServletRequest request, ServletResponse response): Processes unauthenticated requests.
- protected boolean sendChallenge(ServletRequest request, ServletResponse response): Builds the challenge for authorization by setting an HTTP 401 (Unauthorized) status as well as the response's AUTHENTICATE_HEADER.
- void setApplicationName(String applicationName): Sets the name to use in the ServletResponse's WWW-Authenticate header.
- void setAuthcScheme(String authcScheme): Sets the HTTP WWW-Authenticate header scheme that this filter will use when sending the HTTP Basic challenge response.
- void setAuthzScheme(String authzScheme): Sets the HTTP Authorization header value that this filter will respond to as indicating a login request.
- Methods inherited from class org.apache.shiro.web.filter.authc.AuthenticatingFilter: cleanup, createToken, createToken, executeLogin, getHost, isPermissive, isRememberMe, onLoginFailure, onLoginSuccess
- Methods inherited from class org.apache.shiro.web.filter.authc.AuthenticationFilter: getSuccessUrl, issueSuccessRedirect, setSuccessUrl
- Methods inherited from class org.apache.shiro.web.filter.AccessControlFilter: getLoginUrl, getSubject, onAccessDenied, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl
- Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter: getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig
- Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter: afterCompletion, doFilterInternal, executeChain, postHandle
- Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter: doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter
- Methods inherited from class org.apache.shiro.web.servlet.NameableFilter: getName, setName, toStringBuilder
- Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter: destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
- Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport: getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
Field Detail

AUTHORIZATION_HEADER
protected static final String AUTHORIZATION_HEADER
HTTP Authorization header, equal to Authorization
- See Also: Constant Field Values

AUTHENTICATE_HEADER
protected static final String AUTHENTICATE_HEADER
HTTP Authentication header, equal to WWW-Authenticate
- See Also: Constant Field Values
-
Constructor Detail

BearerHttpAuthenticationFilter
public BearerHttpAuthenticationFilter()
Method Detail

createToken
protected AuthenticationToken createToken(ServletRequest request, ServletResponse response)
Creates an AuthenticationToken for use during a login attempt with the provided credentials in the HTTP header. This implementation:
- acquires the username and password based on the request's authorization header via the getPrincipalsAndCredentials method
- converts the return value of that method to an AuthenticationToken via the createToken method
- returns the created AuthenticationToken.
- Parameters:
- request - incoming ServletRequest
- response - outgoing ServletResponse
- Returns:
- the AuthenticationToken used to execute the login attempt
getPrincipalsAndCredentials
protected String[] getPrincipalsAndCredentials(String scheme, String token)

createBearerToken
protected AuthenticationToken createBearerToken(String token, ServletRequest request)
getApplicationName
public String getApplicationName()
Returns the name to use in the ServletResponse's WWW-Authenticate header. Per RFC 2617, this name is displayed to the end user when they are asked to authenticate. Unless overridden by the setApplicationName(String) method, the default value is 'application'. Please see setApplicationName(String) for an example of how this functions.
- Returns:
- the name to use in the ServletResponse's 'WWW-Authenticate' header.
setApplicationName
public void setApplicationName(String applicationName)
Sets the name to use in the ServletResponse's WWW-Authenticate header. Per RFC 2617, this name is displayed to the end user when they are asked to authenticate. Unless overridden by this method, the default value is "application". For example, setting this property to the value Awesome Webapp will result in the following header:
    WWW-Authenticate: Basic realm="Awesome Webapp"
Side note: As you can see from the header text, the HTTP Basic specification calls this the authentication 'realm', but we call this the 'applicationName' instead to avoid confusion with Shiro's Realm constructs.
- Parameters:
- applicationName - the name to use in the ServletResponse's 'WWW-Authenticate' header.
getAuthzScheme
public String getAuthzScheme()
Returns the HTTP Authorization header value that this filter will respond to as indicating a login request. Unless overridden by the setAuthzScheme(String) method, the default value is BASIC.
- Returns:
- the HTTP 'Authorization' header value that this filter will respond to as indicating a login request
setAuthzScheme
public void setAuthzScheme(String authzScheme)
Sets the HTTP Authorization header value that this filter will respond to as indicating a login request. Unless overridden by this method, the default value is BASIC.
- Parameters:
- authzScheme - the HTTP Authorization header value that this filter will respond to as indicating a login request.
getAuthcScheme
public String getAuthcScheme()
Returns the HTTP WWW-Authenticate header scheme that this filter will use when sending the HTTP Basic challenge response. The default value is BASIC.
- Returns:
- the HTTP WWW-Authenticate header scheme that this filter will use when sending the HTTP Basic challenge response.
- See Also: sendChallenge(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
setAuthcScheme
public void setAuthcScheme(String authcScheme)
Sets the HTTP WWW-Authenticate header scheme that this filter will use when sending the HTTP Basic challenge response. The default value is BASIC.
- Parameters:
- authcScheme - the HTTP WWW-Authenticate header scheme that this filter will use when sending the HTTP Basic challenge response.
- See Also: sendChallenge(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
isAccessAllowed
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
The Basic authentication filter can be configured with a list of HTTP methods to which it should apply. This method ensures that authentication is only required for those HTTP methods specified. For example, if you had the configuration:
    [urls]
    /basic/** = authcBasic[POST,PUT,DELETE]
then a GET request would not require authentication but a POST would.
- Overrides: isAccessAllowed in class AuthenticatingFilter
- Parameters:
- request - The current HTTP servlet request.
- response - The current HTTP servlet response.
- mappedValue - The array of configured HTTP methods as strings. This is empty if no methods are configured.
- Returns:
- true if the request should be allowed access
onAccessDenied
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception
Processes unauthenticated requests. It handles the two-stage request/challenge authentication protocol.
- Specified by: onAccessDenied in class AccessControlFilter
- Parameters:
- request - incoming ServletRequest
- response - outgoing ServletResponse
- Returns:
- true if the request should be processed; false if the request should not continue to be processed
- Throws:
- Exception - if there is an error processing the request.
isLoginAttempt
protected boolean isLoginAttempt(ServletRequest request, ServletResponse response)
Determines whether the incoming request is an attempt to log in. The default implementation obtains the value of the request's AUTHORIZATION_HEADER, and if it is not null, delegates to isLoginAttempt(authzHeaderValue). If the header is null, false is returned.
- Parameters:
- request - incoming ServletRequest
- response - outgoing ServletResponse
- Returns:
- true if the incoming request is an attempt to log in, false otherwise
isLoginRequest
protected final boolean isLoginRequest(ServletRequest request, ServletResponse response)
Delegates to isLoginAttempt.
- Overrides: isLoginRequest in class AccessControlFilter
- Parameters:
- request - the incoming ServletRequest
- response - the outgoing ServletResponse
- Returns:
- true if the incoming request is a login request, false otherwise.
getAuthzHeader
protected String getAuthzHeader(ServletRequest request)
Returns the AUTHORIZATION_HEADER from the specified ServletRequest. This implementation merely casts the request to an HttpServletRequest and returns the header:
    HttpServletRequest httpRequest = toHttp(request);
    return httpRequest.getHeader(AUTHORIZATION_HEADER);
- Parameters:
- request - the incoming ServletRequest
- Returns:
- the Authorization header's value.
isLoginAttempt
protected boolean isLoginAttempt(String authzHeader)
Default implementation that returns true if the specified authzHeader starts with the same (case-insensitive) characters specified by the authzScheme, false otherwise. That is:
    String authzScheme = getAuthzScheme().toLowerCase();
    return authzHeader.toLowerCase().startsWith(authzScheme);
- Parameters:
- authzHeader - the 'Authorization' header value (guaranteed to be non-null if the isLoginAttempt(ServletRequest, ServletResponse) method is not overridden).
- Returns:
- true if the authzHeader value matches that configured as defined by the authzScheme.
sendChallenge
protected boolean sendChallenge(ServletRequest request, ServletResponse response)
Builds the challenge for authorization by setting an HTTP 401 (Unauthorized) status as well as the response's AUTHENTICATE_HEADER. The header value constructed is equal to:
    getAuthcScheme() + " realm=\"" + getApplicationName() + "\"";
- Parameters:
- request - incoming ServletRequest, ignored by this implementation
- response - outgoing ServletResponse
- Returns:
- false - this causes the challenge to be sent back
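Added example (not Shiro's own code): a hypothetical subclass, AuditedBearerFilter, that uses the inherited onLoginFailure hook to record a rejected bearer login for detection purposes and re-implements sendChallenge with the same 401 + WWW-Authenticate contract described above, going one step beyond the page by appending the RFC 6750 error="invalid_token" attribute when a token was presented and refused. The class name, the log message and the request attribute name are assumptions; WebUtils.toHttp and the onLoginFailure signature are Shiro's own.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.BearerHttpAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical subclass (added example, not part of Shiro). */
public class AuditedBearerFilter extends BearerHttpAuthenticationFilter {

    private static final Logger log = LoggerFactory.getLogger(AuditedBearerFilter.class);
    /** Request attribute (assumed name) marking that a presented token was rejected. */
    private static final String REJECTED_ATTR = AuditedBearerFilter.class.getName() + ".rejected";

    /** Called by AuthenticatingFilter.executeLogin when Subject.login throws. */
    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        // Record who failed and why for the SOC; never log the token value itself.
        log.warn("Bearer login rejected from {} for {}: {}", request.getRemoteHost(),
                WebUtils.toHttp(request).getRequestURI(), e.getMessage());
        request.setAttribute(REJECTED_ATTR, Boolean.TRUE);
        return false; // login failed, so onAccessDenied will send the challenge
    }

    /** Same 401 + WWW-Authenticate contract as the base class, plus an RFC 6750 error code. */
    @Override
    protected boolean sendChallenge(ServletRequest request, ServletResponse response) {
        HttpServletResponse httpResponse = WebUtils.toHttp(response);
        httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        // Base value exactly as documented: scheme + realm=applicationName.
        StringBuilder challenge = new StringBuilder(getAuthcScheme())
                .append(" realm=\"").append(getApplicationName()).append('"');
        if (Boolean.TRUE.equals(request.getAttribute(REJECTED_ATTR))) {
            // A token was presented but refused: tell the client it is invalid
            // (RFC 6750 section 3.1) without revealing why the realm rejected it.
            challenge.append(", error=\"invalid_token\"");
        }
        httpResponse.setHeader(AUTHENTICATE_HEADER, challenge.toString());
        return false; // false: stop the chain, the challenge has been sent
    }
}
```

A request with no Authorization header at all is not a login attempt, so onLoginFailure never runs and the challenge is sent without an error attribute, as RFC 6750 expects.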
getPrincipalsAndCredentials
protected String[] getPrincipalsAndCredentials(String authorizationHeader, ServletRequest request)
Returns the username obtained from the authorizationHeader. Once the authzHeader is split per the RFC (based on the space character ' '), the resulting split tokens are translated into the username/password pair by the getPrincipalsAndCredentials(scheme, encoded) method.
- Parameters:
- authorizationHeader - the authorization header obtained from the request.
- request - the incoming ServletRequest
- Returns:
- the username (index 0)/password pair (index 1) submitted by the user for the given header value and request.
- See Also: getAuthzHeader(ServletRequest)