Class AuthorizationFilter

- java.lang.Object
  - org.apache.shiro.web.servlet.ServletContextSupport
    - org.apache.shiro.web.servlet.AbstractFilter
      - org.apache.shiro.web.servlet.NameableFilter
        - org.apache.shiro.web.servlet.OncePerRequestFilter
          - org.apache.shiro.web.servlet.AdviceFilter
            - org.apache.shiro.web.filter.PathMatchingFilter
              - org.apache.shiro.web.filter.AccessControlFilter
                - org.apache.shiro.web.filter.authz.AuthorizationFilter

All Implemented Interfaces:
- Filter, Nameable, PathConfigProcessor

Direct Known Subclasses:
- HostFilter, PermissionsAuthorizationFilter, PortFilter, RolesAuthorizationFilter

public abstract class AuthorizationFilter extends AccessControlFilter

Superclass for authorization-related filters. If a request is unauthorized, response handling is delegated to the onAccessDenied method, which provides reasonable handling for most applications.

Since:
- 0.9

See Also:
- onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
Field Summary

Fields inherited from class org.apache.shiro.web.filter.AccessControlFilter
- DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD

Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter
- appliedPaths, pathMatcher

Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
- ALREADY_FILTERED_SUFFIX

Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
- filterConfig

Constructor Summary

- AuthorizationFilter()

Method Summary (instance methods, concrete)

- String getUnauthorizedUrl()
  Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).
- protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
  Handles the response when access has been denied.
- void setUnauthorizedUrl(String unauthorizedUrl)
  Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.

Methods inherited from class org.apache.shiro.web.filter.AccessControlFilter
- getLoginUrl, getSubject, isAccessAllowed, isLoginRequest, onAccessDenied, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl

Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter
- getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig

Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter
- afterCompletion, cleanup, doFilterInternal, executeChain, postHandle

Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
- doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter

Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
- getName, setName, toStringBuilder

Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
- destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig

Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
- getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
Constructor Detail

AuthorizationFilter

public AuthorizationFilter()

Method Detail

getUnauthorizedUrl

public String getUnauthorizedUrl()

Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized). The default is null, ensuring default web server behavior. Override this default by calling the setUnauthorizedUrl method with a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.

Returns:
- the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).

setUnauthorizedUrl

public void setUnauthorizedUrl(String unauthorizedUrl)

Sets the URL to which users should be redirected if they are denied access to an underlying path or resource. If the value is null, a raw HttpServletResponse.SC_UNAUTHORIZED response will be issued (401 Unauthorized), retaining default web server behavior. Unless overridden by calling this method, the default value is null. If desired, you can specify a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.

Parameters:
- unauthorizedUrl - the URL to which users should be redirected if they are denied access to an underlying path or resource, or null to ensure a raw HttpServletResponse.SC_UNAUTHORIZED response is issued (401 Unauthorized).
onAccessDenied

protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException

Handles the response when access has been denied. It behaves as follows:

- If the Subject is unknown[1]:
  - The incoming request will be saved and they will be redirected to the login page for authentication (via the AccessControlFilter.saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse) method).
  - Once successfully authenticated, they will be redirected back to the originally attempted page.
- If the Subject is known:
  - The HTTP HttpServletResponse.SC_UNAUTHORIZED header will be set (401 Unauthorized).
  - If the unauthorizedUrl has been configured, a redirect will be issued to that URL. Otherwise the 401 response is rendered normally.

[1]: A Subject is 'known' when subject.getPrincipal() is not null, which implicitly means that the subject is either currently authenticated or they have been remembered via 'remember me' services.

Specified by:
- onAccessDenied in class AccessControlFilter

Parameters:
- request - the incoming ServletRequest
- response - the outgoing ServletResponse

Returns:
- false always for this implementation.

Throws:
- IOException - if there is any servlet error.
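The following is an added example, not part of the Shiro Javadoc or of the Shiro code base, showing how the behaviour described above is used in practice: a subclass implements isAccessAllowed (the only abstract method left open by AccessControlFilter) and leaves denial handling to AuthorizationFilter.onAccessDenied, which sends an unknown Subject to the login page and a known Subject to a 401 or to the configured unauthorizedUrl. The class name AuditedPermissionsFilter, the [main] alias auditedPerms, the permission strings and the /unauthorized.jsp path are all assumptions; the cast of mappedValue to String[] relies on PathMatchingFilter.processPathConfig splitting the bracketed path configuration into a string array, which is what the built-in PermissionsAuthorizationFilter also relies on.

```java
// Added example (assumed configuration and names; not Shiro's own code).
//
// shiro.ini this filter is assumed to be wired with:
//   [main]
//   auditedPerms = com.example.AuditedPermissionsFilter
//   auditedPerms.unauthorizedUrl = /unauthorized.jsp
//   [urls]
//   /admin/**   = authc, auditedPerms[admin:manage]
//   /reports/** = authc, auditedPerms[report:read]

package com.example;

import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.apache.shiro.web.util.WebUtils;

public class AuditedPermissionsFilter extends AuthorizationFilter {

    private static final Logger LOG = Logger.getLogger(AuditedPermissionsFilter.class.getName());

    // mappedValue is the String[] built from the bracketed part of the [urls]
    // entry, e.g. {"admin:manage"} for auditedPerms[admin:manage].
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        Subject subject = getSubject(request, response);
        String[] perms = (String[]) mappedValue;

        // Fail closed: a mapping with no permission listed would otherwise
        // authorize every caller, which is rarely what the operator intended.
        if (perms == null || perms.length == 0) {
            return false;
        }
        // Every listed permission must be held by the current Subject.
        return subject.isPermittedAll(perms);
    }

    // Record each denial, then let AuthorizationFilter decide the response:
    // unknown Subject (getPrincipal() == null) -> saved request + login redirect;
    // known Subject -> 401, or a redirect to unauthorizedUrl when configured.
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
        Subject subject = getSubject(request, response);
        HttpServletRequest http = WebUtils.toHttp(request);
        Object principal = subject.getPrincipal();

        LOG.warning(String.format("access denied principal=%s path=%s remote=%s unauthorizedUrl=%s",
                principal == null ? "<anonymous>" : principal,
                http.getRequestURI(), http.getRemoteAddr(), getUnauthorizedUrl()));

        return super.onAccessDenied(request, response);
    }
}
```

The log line is the part worth keeping in your own filters: a 401 or a redirect alone leaves no record of who was denied what, whereas a per-denial entry carrying the principal, the path and the remote address is what lets repeated authorization failures against a single resource be spotted in review or alerting. Keeping the response logic in super.onAccessDenied means the login-redirect and unauthorizedUrl semantics documented above stay exactly as Shiro implements them.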