Class HttpMethodPermissionFilter
- java.lang.Object
- org.apache.shiro.web.servlet.ServletContextSupport
- org.apache.shiro.web.servlet.AbstractFilter
- org.apache.shiro.web.servlet.NameableFilter
- org.apache.shiro.web.servlet.OncePerRequestFilter
- org.apache.shiro.web.servlet.AdviceFilter
- org.apache.shiro.web.filter.PathMatchingFilter
- org.apache.shiro.web.filter.AccessControlFilter
- org.apache.shiro.web.filter.authz.AuthorizationFilter
- org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
- org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
- All Implemented Interfaces: Filter, Nameable, PathConfigProcessor
public class HttpMethodPermissionFilter extends PermissionsAuthorizationFilter
A filter that translates an HTTP request's method (e.g. GET, POST, etc.) into a corresponding action (verb) and uses that verb to construct a permission that will be checked to determine access. This filter is primarily provided to support REST environments where the type (method) of request translates to an action being performed on one or more resources. This paradigm works well with Shiro's concept of using permissions for access control and can be leveraged to easily perform permission checks. This filter functions as follows:
- The incoming HTTP request's method (GET, POST, PUT, DELETE, etc.) is discovered.
- The method is translated into a more 'application friendly' verb, such as 'create', 'edit', 'delete', etc.
- The verb is appended to any configured permissions for the currently matching path.
- If the current Subject isPermitted to perform the resolved action, the request is allowed to continue.

For example, given the following filter chain definition, where 'rest' is the name given to an instance of this filter:

/user/** = rest[user]

an HTTP GET request to /user/1234 would translate to the constructed permission user:read (GET is mapped to the 'read' action) and execute the permission check Subject.isPermitted("user:read") in order to allow the request to continue. Similarly, an HTTP POST to /user would translate to the constructed permission user:create (POST is mapped to the 'create' action) and execute the permission check Subject.isPermitted("user:create") in order to allow the request to continue.

Method To Verb Mapping
The following table represents the default HTTP method-to-action verb mapping:

HTTP Method   Mapped Action   Example Permission   Runtime Check
head          read            perm1                perm1:read
get           read            perm2                perm2:read
put           update          perm3                perm3:update
post          create          perm4                perm4:create
mkcol         create          perm5                perm5:create
options       read            perm6                perm6:read
trace         read            perm7                perm7:read

- Since: 1.0
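As an added example (not Shiro's own code), the following plain Java reconstructs the method-to-verb lookup and permission building described above and runs them against the /user/** = rest[user] rule. The default table is copied from the page; the behaviour for a method absent from that table (PATCH is used here) is this example's assumption, not documented behaviour of the filter.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class RestPermissionDemo {
    // Default HTTP method -> action mapping from the class Javadoc table (lower-case keys/values).
    static final Map<String, String> HTTP_METHOD_ACTIONS = new HashMap<>();
    static {
        HTTP_METHOD_ACTIONS.put("head", "read");
        HTTP_METHOD_ACTIONS.put("get", "read");
        HTTP_METHOD_ACTIONS.put("put", "update");
        HTTP_METHOD_ACTIONS.put("post", "create");
        HTTP_METHOD_ACTIONS.put("mkcol", "create");
        HTTP_METHOD_ACTIONS.put("options", "read");
        HTTP_METHOD_ACTIONS.put("trace", "read");
    }

    // Mirrors getHttpMethodAction(String): lower-case the method name, then look it up.
    // Falling back to the lower-cased method name when unmapped is this example's
    // assumption; the page does not document that case.
    static String getHttpMethodAction(String method) {
        String key = method.toLowerCase(Locale.ROOT);
        String resolved = HTTP_METHOD_ACTIONS.get(key);
        return resolved != null ? resolved : key;
    }

    // Mirrors buildPermissions(String[], String): append ":action" to each configured
    // permission per WildcardPermission's colon-delimited part convention.
    static String[] buildPermissions(String[] configuredPerms, String action) {
        String[] built = new String[configuredPerms.length];
        for (int i = 0; i < configuredPerms.length; i++) {
            built[i] = configuredPerms[i] + ":" + action;
        }
        return built;
    }

    public static void main(String[] args) {
        // Filter chain rule from the class Javadoc: /user/** = rest[user]
        String[] configuredPerms = {"user"};
        for (String method : new String[] {"GET", "POST", "PUT", "PATCH"}) {
            String[] perms = buildPermissions(configuredPerms, getHttpMethodAction(method));
            // GET -> [user:read], POST -> [user:create], PUT -> [user:update].
            // PATCH is absent from the default table, so it yields [user:patch]; the request
            // is then denied unless the Subject was granted that exact permission (fail closed).
            System.out.println(method + " /user/1234 -> isPermitted" + Arrays.toString(perms));
        }
    }
}
```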
Field Summary
- Fields inherited from class org.apache.shiro.web.filter.AccessControlFilter:
  DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD
- Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter:
  appliedPaths, pathMatcher
- Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter:
  ALREADY_FILTERED_SUFFIX
- Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter:
  filterConfig
Constructor Summary
- HttpMethodPermissionFilter()
  Creates the filter instance with default method-to-action values in the instance's http method actions map.
Method Summary
- protected String[] buildPermissions(String[] configuredPerms, String action)
  Builds a new array of permission strings based on the original argument, appending the specified action verb to each one per WildcardPermission conventions.
- protected String[] buildPermissions(HttpServletRequest request, String[] configuredPerms, String action)
  Returns a collection of String permissions with which to perform a permission check to determine if the filter will allow the request to continue.
- protected String getHttpMethodAction(String method)
  Determines the corresponding application action that will be performed on the filtered resource based on the specified HTTP method (GET, POST, etc.).
- protected String getHttpMethodAction(ServletRequest request)
  Determines the action (verb) that the current request is attempting to perform on the filtered resource.
- protected Map<String,String> getHttpMethodActions()
  Returns the HTTP method name (key) to action verb (value) mapping used to resolve actions based on an incoming HttpServletRequest.
- boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
  Resolves an 'application friendly' action verb based on the HttpServletRequest's method, appends that action to each configured permission (the mappedValue argument is a String[] array), and delegates the permission check for the newly constructed permission(s) to the superclass isAccessAllowed implementation to perform the actual permission check.
- Methods inherited from class org.apache.shiro.web.filter.authz.AuthorizationFilter:
  getUnauthorizedUrl, onAccessDenied, setUnauthorizedUrl
- Methods inherited from class org.apache.shiro.web.filter.AccessControlFilter:
  getLoginUrl, getSubject, isLoginRequest, onAccessDenied, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl
- Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter:
  getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig
- Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter:
  afterCompletion, cleanup, doFilterInternal, executeChain, postHandle
- Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter:
  doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter
- Methods inherited from class org.apache.shiro.web.servlet.NameableFilter:
  getName, setName, toStringBuilder
- Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter:
  destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
- Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport:
  getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
Constructor Detail

HttpMethodPermissionFilter
public HttpMethodPermissionFilter()
Creates the filter instance with default method-to-action values in the instance's http method actions map.
Method Detail

getHttpMethodActions
protected Map<String,String> getHttpMethodActions()
Returns the HTTP method name (key) to action verb (value) mapping used to resolve actions based on an incoming HttpServletRequest. All keys and values are lower-case. The default key/value pairs are defined in the class-level Javadoc above.
- Returns: the HTTP method lower-case name (key) to lower-case action verb (value) mapping

getHttpMethodAction
protected String getHttpMethodAction(ServletRequest request)
Determines the action (verb) that the current request is attempting to perform on the filtered resource. This implementation expects the incoming request to be an HttpServletRequest and returns a mapped action based on the HTTP request method.
- Parameters: request - the request to pull the method from.
- Returns: the string verb equivalent of the HTTP method.

getHttpMethodAction
protected String getHttpMethodAction(String method)
Determines the corresponding application action that will be performed on the filtered resource based on the specified HTTP method (GET, POST, etc.).
- Parameters: method - the HTTP method to be translated into a verb.
- Returns: the string verb equivalent of the method.
buildPermissions
protected String[] buildPermissions(HttpServletRequest request, String[] configuredPerms, String action)
Returns a collection of String permissions with which to perform a permission check to determine if the filter will allow the request to continue. This implementation merely delegates to buildPermissions(String[], String) and ignores the inbound HTTP servlet request, but it can be overridden by subclasses for more complex request-specific building logic if necessary.
- Parameters:
  request - the inbound HTTP request; ignored in this implementation, but available to subclasses for more complex construction logic if necessary
  configuredPerms - any URL-specific permissions mapped to this filter in the URL rules mappings
  action - the application-friendly action (verb) resolved based on the HTTP method name
- Returns: a collection of String permissions with which to perform a permission check to determine if the filter will allow the request to continue.

buildPermissions
protected String[] buildPermissions(String[] configuredPerms, String action)
Builds a new array of permission strings based on the original argument, appending the specified action verb to each one per WildcardPermission conventions. The built permission strings will be the ones used at runtime during the permission check that determines if filter access should be allowed to continue or not. For example, if the configuredPerms argument contains the following 3 permission strings:
- permission:one
- permission:two
- permission:three
and the action argument is read, then the return value will be:
- permission:one:read
- permission:two:read
- permission:three:read
per WildcardPermission conventions. Subclasses are of course free to override this method or the buildPermissions request variant for custom building logic or with different permission formats.
- Parameters:
  configuredPerms - list of configured permissions to be converted
  action - the resolved action based on the request method, to be appended to the permission strings
- Returns: an array of permission strings with each element appended with the action.
isAccessAllowed
public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException
Resolves an 'application friendly' action verb based on the HttpServletRequest's method, appends that action to each configured permission (the mappedValue argument is a String[] array), and delegates the permission check for the newly constructed permission(s) to the superclass isAccessAllowed implementation to perform the actual permission check.
- Overrides: isAccessAllowed in class PermissionsAuthorizationFilter
- Parameters:
  request - the inbound ServletRequest
  response - the outbound ServletResponse
  mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings
- Returns: true if the request should proceed through the filter normally, false if the request should be processed by this filter's AccessControlFilter.onAccessDenied(ServletRequest, ServletResponse, Object) method instead.
- Throws: IOException