Package org.apache.shiro.web.filter.authz

Class HttpMethodPermissionFilter

  • All Implemented Interfaces:
    Filter, Nameable, PathConfigProcessor
    public class HttpMethodPermissionFilter
extends PermissionsAuthorizationFilter
    A filter that translates an HTTP Request's Method (eg GET, POST, etc) into an corresponding action (verb) and uses that verb to construct a permission that will be checked to determine access.

    This Filter is primarily provided to support REST environments where the type (Method) of request translates to an action being performed on one or more resources. This paradigm works well with Shiro's concepts of using permissions for access control and can be leveraged to easily perform permission checks.

    This filter functions as follows:

    1. The incoming HTTP request's Method (GET, POST, PUT, DELETE, etc) is discovered.
    2. The Method is translated into a more 'application friendly' verb, such as 'create', edit', 'delete', etc.
    3. The verb is appended to any configured permissions for the currently matching path.
    4. If the current Subject isPermitted to perform the resolved action, the request is allowed to continue.

    For example, if the following filter chain was defined, where 'rest' was the name given to a filter instance of this class: 

     /user/** = rest[user]
    Then an HTTP GET request to /user/1234 would translate to the constructed permission user:read (GET is mapped to the 'read' action) and execute the permission check Subject.isPermitted("user:read") in order to allow the request to continue.

    Similarly, an HTTP POST to /user would translate to the constructed permission user:create (POST is mapped to the 'create' action) and execute the permission check Subject.isPermitted("user:create") in order to allow the request to continue.

    Method To Verb Mapping

    The following table represents the default HTTP Method-to-action verb mapping:
    HTTP MethodMapped ActionExample PermissionRuntime Check
    headreadperm1perm1:read
    getreadperm2perm2:read
    putupdateperm3perm3:update
    postcreateperm4perm4:create
    mkcolcreateperm5perm5:create
    optionsreadperm6perm6:read
    tracereadperm7perm7:read
    Since:
    1.0

    • Method Detail

      • getHttpMethodActions

        protected Map<String,​StringgetHttpMethodActions()
        Returns the HTTP Method name (key) to action verb (value) mapping used to resolve actions based on an incoming HttpServletRequest. All keys and values are lower-case. The default key/value pairs are defined in the top class-level JavaDoc.
        Returns:
        the HTTP Method lower-case name (key) to lower-case action verb (value) mapping

      • getHttpMethodAction

        protected String getHttpMethodAction​(ServletRequest request)
        Determines the action (verb) attempting to be performed on the filtered resource by the current request.

        This implementation expects the incoming request to be an HttpServletRequest and returns a mapped action based on the HTTP request method.

        Parameters:
        request - to pull the method from.
        Returns:
        The string equivalent verb of the http method.

      • getHttpMethodAction

        protected String getHttpMethodAction​(String method)
        Determines the corresponding application action that will be performed on the filtered resource based on the specified HTTP method (GET, POST, etc).
        Parameters:
        method - to be translated into the verb.
        Returns:
        The string equivalent verb of the method.

      • buildPermissions

        protected String[] buildPermissions​(HttpServletRequest request,
                                    String[] configuredPerms,
                                    String action)
        Returns a collection of String permissions with which to perform a permission check to determine if the filter will allow the request to continue.

        This implementation merely delegates to buildPermissions(String[], String) and ignores the inbound HTTP servlet request, but it can be overridden by subclasses for more complex request-specific building logic if necessary.

        Parameters:
        request - the inbound HTTP request - ignored in this implementation, but available to subclasses for more complex construction building logic if necessary
        configuredPerms - any url-specific permissions mapped to this filter in the URL rules mappings.
        action - the application-friendly action (verb) resolved based on the HTTP Method name.
        Returns:
        a collection of String permissions with which to perform a permission check to determine if the filter will allow the request to continue.

      • buildPermissions

        protected String[] buildPermissions​(String[] configuredPerms,
                                    String action)
        Builds a new array of permission strings based on the original argument, appending the specified action verb to each one per WildcardPermission conventions. The built permission strings will be the ones used at runtime during the permission check that determines if filter access should be allowed to continue or not.

        For example, if the configuredPerms argument contains the following 3 permission strings:

        1. permission:one
        2. permission:two
        3. permission:three
        And the action is read, then the return value will be:
        1. permission:one:read
        2. permission:two:read
        3. permission:three:read
        per WildcardPermission conventions. Subclasses are of course free to override this method or the buildPermissions request variant for custom building logic or with different permission formats.
        Parameters:
        configuredPerms - list of configuredPerms to be converted.
        action - the resolved action based on the request method to be appended to permission strings.
        Returns:
        an array of permission strings with each element appended with the action.