Class FormAuthenticationFilter

Class hierarchy (outermost first):
- java.lang.Object
- org.apache.shiro.web.servlet.ServletContextSupport
- org.apache.shiro.web.servlet.AbstractFilter
- org.apache.shiro.web.servlet.NameableFilter
- org.apache.shiro.web.servlet.OncePerRequestFilter
- org.apache.shiro.web.servlet.AdviceFilter
- org.apache.shiro.web.filter.PathMatchingFilter
- org.apache.shiro.web.filter.AccessControlFilter
- org.apache.shiro.web.filter.authc.AuthenticationFilter
- org.apache.shiro.web.filter.authc.AuthenticatingFilter
- org.apache.shiro.web.filter.authc.FormAuthenticationFilter

All Implemented Interfaces:
- Filter
- Nameable
- PathConfigProcessor
public class FormAuthenticationFilter extends AuthenticatingFilter

Requires the requesting user to be authenticated for the request to continue, and if they are not, forces the user to log in by redirecting them to the loginUrl you configure.

This filter constructs a UsernamePasswordToken with the values found in the username, password, and rememberMe request parameters. It then calls Subject.login(usernamePasswordToken), effectively performing a login attempt automatically. Note that the login attempt will only occur when isLoginSubmission(request, response) is true, which by default occurs when the request is for the loginUrl and is a POST request. A GET request for the loginUrl is allowed through so that the login page itself can be rendered; a request for any other protected path is saved and redirected to the loginUrl (see onAccessDenied below).

If the login attempt fails, the fully qualified class name of the resulting AuthenticationException will be set as a request attribute under the failureKeyAttribute key. This FQCN can be used as an i18n key or lookup mechanism to explain to the user why their login attempt failed (e.g. no account, incorrect password, etc). Caveat: a login page that tells the user whether the account does not exist or only the password was wrong lets an attacker enumerate valid usernames; production deployments usually collapse both cases into one generic message and keep the precise cause in server-side logs only.

If you would prefer to handle the authentication validation and login in your own code, consider using the PassThruAuthenticationFilter instead, which allows requests to the AccessControlFilter.loginUrl to pass through to your application's code directly.

Since:
- 0.9

See Also:
- PassThruAuthenticationFilter
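The subclass below is an example added here; it is not part of Shiro or of this page. It shows the failure-handling hooks described above working together: onLoginFailure logs the precise cause for detection purposes, setFailureAttribute collapses "unknown account" and "incorrect credentials" into one reported failure so the login page cannot be used to enumerate usernames, and a static helper translates the FQCN stored under the failure key attribute into an i18n message key. It assumes Shiro 1.x on the javax.servlet API with slf4j on the classpath; the package name, class name, the shiro.ini paths in the class comment and the message keys are hypothetical.

```java
package com.example.shiro; // hypothetical package for this example

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * FormAuthenticationFilter subclass that prevents username enumeration through the
 * failure attribute: "no such account" and "wrong password" reach the login page as
 * the same failure, while the precise cause is kept in the server log.
 *
 * Registered in place of the stock authc filter (hypothetical shiro.ini fragment):
 *
 *   [main]
 *   authc = com.example.shiro.EnumerationSafeFormAuthenticationFilter
 *   authc.loginUrl = /login
 *   authc.successUrl = /home
 *
 *   [urls]
 *   /login = authc
 *   /** = authc
 */
public class EnumerationSafeFormAuthenticationFilter extends FormAuthenticationFilter {

    private static final Logger log =
            LoggerFactory.getLogger(EnumerationSafeFormAuthenticationFilter.class);

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        // Keep the precise cause for audit and detection. The principal is whatever the
        // client put in the username parameter, so it is untrusted input in the log line.
        log.warn("Login failed for principal [{}] from host [{}]: {}",
                token.getPrincipal(), getHost(request), e.getClass().getSimpleName());
        // Stock behaviour: store the failure key and let the login page render again.
        return super.onLoginFailure(token, e, request, response);
    }

    @Override
    protected void setFailureAttribute(ServletRequest request, AuthenticationException ae) {
        // Collapse the two outcomes that would reveal whether the username exists.
        AuthenticationException reported = ae;
        if (ae instanceof UnknownAccountException || ae instanceof IncorrectCredentialsException) {
            reported = new IncorrectCredentialsException();
        }
        super.setFailureAttribute(request, reported);
    }

    /**
     * Helper for the login page (JSP, template or servlet): map the FQCN stored under
     * the configured failure key attribute to an i18n message key. Returns null when no
     * failure is recorded, i.e. on a plain view of the login page. Message keys are
     * hypothetical names for this example.
     */
    public static String failureMessageKey(ServletRequest request, String failureKeyAttribute) {
        Object fqcn = request.getAttribute(failureKeyAttribute);
        if (fqcn == null) {
            return null;
        }
        if (LockedAccountException.class.getName().equals(fqcn)) {
            return "login.failed.locked";
        }
        if (ExcessiveAttemptsException.class.getName().equals(fqcn)) {
            return "login.failed.tooManyAttempts";
        }
        // IncorrectCredentialsException (which, after the override above, also covers
        // UnknownAccountException) and anything unexpected share one generic message.
        return "login.failed.invalidCredentials";
    }
}
```

Because onLoginFailure returns true, the same request continues down the chain to the login page, so the page can call failureMessageKey(request, filter.getFailureKeyAttribute()) in the request that carried the failed POST. Locked-account and excessive-attempts messages are still shown because they tell the legitimate user something actionable; whether that is acceptable for a given deployment is a policy choice.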
Field Summary

Fields:
- static String DEFAULT_ERROR_KEY_ATTRIBUTE_NAME
- static String DEFAULT_PASSWORD_PARAM
- static String DEFAULT_REMEMBER_ME_PARAM
- static String DEFAULT_USERNAME_PARAM

Fields inherited from class org.apache.shiro.web.filter.authc.AuthenticatingFilter:
PERMISSIVE

Fields inherited from class org.apache.shiro.web.filter.authc.AuthenticationFilter:
DEFAULT_SUCCESS_URL

Fields inherited from class org.apache.shiro.web.filter.AccessControlFilter:
DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD

Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter:
appliedPaths, pathMatcher

Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter:
ALREADY_FILTERED_SUFFIX

Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter:
filterConfig

Constructor Summary

Constructors:
- FormAuthenticationFilter()
Method Summary

Methods (all instance methods, all concrete):
- protected AuthenticationToken createToken(ServletRequest request, ServletResponse response)
- String getFailureKeyAttribute()
- protected String getPassword(ServletRequest request)
- String getPasswordParam()
- String getRememberMeParam()
- protected String getUsername(ServletRequest request)
- String getUsernameParam()
- protected boolean isLoginSubmission(ServletRequest request, ServletResponse response)
  This default implementation merely returns true if the request is an HTTP POST, false otherwise.
- protected boolean isRememberMe(ServletRequest request)
  Returns true if "rememberMe" should be enabled for the login attempt associated with the current request, false otherwise.
- protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
  Processes requests where the subject was denied access as determined by the isAccessAllowed method.
- protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response)
- protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request, ServletResponse response)
- protected void setFailureAttribute(ServletRequest request, AuthenticationException ae)
- void setFailureKeyAttribute(String failureKeyAttribute)
- void setLoginUrl(String loginUrl)
  Sets the login URL used to authenticate a user.
- void setPasswordParam(String passwordParam)
  Sets the request parameter name to look for when acquiring the password.
- void setRememberMeParam(String rememberMeParam)
  Sets the request parameter name to look for when acquiring the rememberMe boolean value.
- void setUsernameParam(String usernameParam)
  Sets the request parameter name to look for when acquiring the username.
Methods inherited from class org.apache.shiro.web.filter.authc.AuthenticatingFilter:
cleanup, createToken, createToken, executeLogin, getHost, isAccessAllowed, isPermissive

Methods inherited from class org.apache.shiro.web.filter.authc.AuthenticationFilter:
getSuccessUrl, issueSuccessRedirect, setSuccessUrl

Methods inherited from class org.apache.shiro.web.filter.AccessControlFilter:
getLoginUrl, getSubject, isLoginRequest, onAccessDenied, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin

Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter:
getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig

Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter:
afterCompletion, doFilterInternal, executeChain, postHandle

Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter:
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter

Methods inherited from class org.apache.shiro.web.servlet.NameableFilter:
getName, setName, toStringBuilder

Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter:
destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig

Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport:
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
Field Detail

DEFAULT_ERROR_KEY_ATTRIBUTE_NAME
public static final String DEFAULT_ERROR_KEY_ATTRIBUTE_NAME
See Also: Constant Field Values

DEFAULT_USERNAME_PARAM
public static final String DEFAULT_USERNAME_PARAM
See Also: Constant Field Values

DEFAULT_PASSWORD_PARAM
public static final String DEFAULT_PASSWORD_PARAM
See Also: Constant Field Values

DEFAULT_REMEMBER_ME_PARAM
public static final String DEFAULT_REMEMBER_ME_PARAM
See Also: Constant Field Values

Constructor Detail

FormAuthenticationFilter
public FormAuthenticationFilter()
Method Detail

setLoginUrl
public void setLoginUrl(String loginUrl)
Description copied from class: AccessControlFilter
Sets the login URL used to authenticate a user. Most Shiro filters use this URL as the location to redirect a user to when the filter requires authentication. Unless overridden, DEFAULT_LOGIN_URL is assumed.
Overrides:
setLoginUrl in class AccessControlFilter
Parameters:
loginUrl - the login URL used to authenticate a user, used when redirecting users if authentication is required.

getUsernameParam
public String getUsernameParam()

setUsernameParam
public void setUsernameParam(String usernameParam)
Sets the request parameter name to look for when acquiring the username. Unless overridden by calling this method, the default is username.
Parameters:
usernameParam - the name of the request param to check for acquiring the username.

getPasswordParam
public String getPasswordParam()

setPasswordParam
public void setPasswordParam(String passwordParam)
Sets the request parameter name to look for when acquiring the password. Unless overridden by calling this method, the default is password.
Parameters:
passwordParam - the name of the request param to check for acquiring the password.

getRememberMeParam
public String getRememberMeParam()

setRememberMeParam
public void setRememberMeParam(String rememberMeParam)
Sets the request parameter name to look for when acquiring the rememberMe boolean value. Unless overridden by calling this method, the default is rememberMe. RememberMe will be true if the parameter value equals any of those supported by WebUtils.isTrue(request, value), false otherwise.
Parameters:
rememberMeParam - the name of the request param to check for acquiring the rememberMe boolean value.

getFailureKeyAttribute
public String getFailureKeyAttribute()
Returns the name of the request attribute under which the fully qualified class name of a failed login's AuthenticationException is stored. Unless overridden by calling setFailureKeyAttribute, the default is DEFAULT_ERROR_KEY_ATTRIBUTE_NAME.

setFailureKeyAttribute
public void setFailureKeyAttribute(String failureKeyAttribute)
Sets the name of the request attribute under which the fully qualified class name of a failed login's AuthenticationException is stored for the login page to read.
onAccessDenied
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception
Description copied from class: AccessControlFilter
Processes requests where the subject was denied access as determined by the isAccessAllowed method. For this filter there are three outcomes: a request for the loginUrl that isLoginSubmission(request, response) accepts triggers executeLogin, which calls createToken and then either onLoginSuccess or onLoginFailure; any other request for the loginUrl is allowed to continue unchanged so that the login page can be rendered; a request for any other path is saved and redirected to the loginUrl via saveRequestAndRedirectToLogin(request, response).
Specified by:
onAccessDenied in class AccessControlFilter
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Returns:
true if the request should continue to be processed; false if the subclass will handle/render the response directly.
Throws:
Exception - if there is an error processing the request.
isLoginSubmission
protected boolean isLoginSubmission(ServletRequest request, ServletResponse response)
This default implementation merely returns true if the request is an HTTP POST, false otherwise. Can be overridden by subclasses for custom login submission detection behavior.
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse.
Returns:
true if the request is an HTTP POST, false otherwise.
createToken
protected AuthenticationToken createToken(ServletRequest request, ServletResponse response)
Builds the UsernamePasswordToken for the login attempt from getUsername(request), getPassword(request), isRememberMe(request) and the inherited getHost(request), by delegating to the four-argument createToken overload inherited from AuthenticatingFilter.
Specified by:
createToken in class AuthenticatingFilter
isRememberMe
protected boolean isRememberMe(ServletRequest request)
Returns true if "rememberMe" should be enabled for the login attempt associated with the current request, false otherwise. The description inherited from AuthenticatingFilter ("this implementation always returns false and is provided as a template hook to subclasses that support rememberMe logins and wish to determine rememberMe in a custom manner based on the current request") describes the superclass default only. This class overrides the hook: it returns true if the request parameter named by getRememberMeParam() has a value accepted by WebUtils.isTrue(request, value), false otherwise.
Overrides:
isRememberMe in class AuthenticatingFilter
Parameters:
request - the incoming ServletRequest
Returns:
true if "rememberMe" should be enabled for the login attempt associated with the current request, false otherwise.
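A second added example, not from Shiro or this page, uses the isRememberMe hook as the place to apply deployment policy: the rememberMe parameter is honored only when a configurable switch allows it and the request arrived over TLS, since a remember-me cookie issued on a plaintext connection is a long-lived credential exposed to anyone on the path. It assumes Shiro 1.x on the javax.servlet API; the package and class name and the rememberMeAllowed property are hypothetical.

```java
package com.example.shiro; // hypothetical package for this example

import javax.servlet.ServletRequest;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Honors the rememberMe form parameter only when the deployment allows remember-me
 * at all and the request itself was received over TLS.
 *
 * Hypothetical shiro.ini wiring (Shiro injects JavaBeans properties from [main]):
 *   authc = com.example.shiro.TlsOnlyRememberMeFilter
 *   authc.rememberMeAllowed = true
 */
public class TlsOnlyRememberMeFilter extends FormAuthenticationFilter {

    // Deployment-wide switch; false disables remember-me no matter what the form sends.
    private boolean rememberMeAllowed = true;

    public boolean isRememberMeAllowed() {
        return rememberMeAllowed;
    }

    public void setRememberMeAllowed(boolean rememberMeAllowed) {
        this.rememberMeAllowed = rememberMeAllowed;
    }

    @Override
    protected boolean isRememberMe(ServletRequest request) {
        // Refuse before looking at the form: policy first, then transport, then the user's choice.
        if (!rememberMeAllowed || !request.isSecure()) {
            return false;
        }
        // Same test the stock filter applies: the parameter named by getRememberMeParam()
        // must carry one of the values WebUtils.isTrue accepts.
        return WebUtils.isTrue(request, getRememberMeParam());
    }
}
```

ServletRequest.isSecure() reflects what the servlet container saw; behind a TLS-terminating proxy it is false unless the container is configured to trust the proxy's forwarded-protocol header, so verify that setting in the deployment before relying on this check.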
onLoginSuccess
protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request, ServletResponse response) throws Exception
Called by executeLogin after Subject.login succeeds. This implementation redirects the user to the originally requested (saved) URL if there is one, otherwise to the configured success URL, via the inherited issueSuccessRedirect(request, response), and returns false because the response has been handled.
Overrides:
onLoginSuccess in class AuthenticatingFilter
Throws:
Exception

onLoginFailure
protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response)
Called by executeLogin when Subject.login throws. This implementation calls setFailureAttribute(request, e) and returns true so that the request continues to the login page, which can read the failure attribute and explain the failure to the user.
Overrides:
onLoginFailure in class AuthenticatingFilter

setFailureAttribute
protected void setFailureAttribute(ServletRequest request, AuthenticationException ae)
Stores the fully qualified class name of ae as a request attribute under the key returned by getFailureKeyAttribute().

getUsername
protected String getUsername(ServletRequest request)
Returns the value of the request parameter named by getUsernameParam(), read via WebUtils.getCleanParam(request, name), which trims the value and returns null if the parameter is absent or blank.

getPassword
protected String getPassword(ServletRequest request)
Returns the value of the request parameter named by getPasswordParam(), read the same way as getUsername.