Class SslFilter

- java.lang.Object

All Implemented Interfaces:
  Filter, Nameable, PathConfigProcessor

public class SslFilter extends PortFilter
Filter which requires a request to be over SSL. Access is allowed if the request is received on the configured server port and request.isSecure() returns true. If either condition is false, the filter chain will not continue.

The port property defaults to 443 and additionally guarantees that the request scheme is always 'https' (except for port 80, which retains the 'http' scheme).

In addition, the filter allows enabling HTTP Strict Transport Security (HSTS). This feature is opt-in and disabled by default. If enabled, HSTS will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. The maxAge property defaults to 31536000, and includeSubDomains is false.

Warning: Use this setting with care and only if you plan to enable SSL on every path.

Example configs:

  [urls]
  /secure/path/** = ssl

with HSTS enabled:

  [main]
  ssl.hsts.enabled = true

  [urls]
  /** = ssl
Since:
  1.0
See Also:
  HTTP Strict Transport Security (HSTS)
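As an added example, not code from Shiro, the following Python model reproduces the decision rules this page documents (port match AND request.isSecure(), the port-80 scheme exception, and the opt-in HSTS header with its maxAge/includeSubDomains defaults) so they can be exercised against constructed requests. The Hsts, Request and SslFilterModel names are the example's own.

```python
from dataclasses import dataclass, field

DEFAULT_HTTPS_PORT = 443        # SslFilter.DEFAULT_HTTPS_PORT: the 'port' property default
DEFAULT_MAX_AGE = 31536000      # the HSTS 'maxAge' default from the page (one year, in seconds)


@dataclass
class Hsts:
    """Model of SslFilter.HSTS: opt-in, off by default, one-year max-age, no subdomains."""
    enabled: bool = False
    max_age: int = DEFAULT_MAX_AGE
    include_sub_domains: bool = False

    def header_value(self) -> str:
        # Strict-Transport-Security value as defined by RFC 6797.
        value = f"max-age={self.max_age}"
        if self.include_sub_domains:
            value += "; includeSubDomains"
        return value


@dataclass
class Request:
    """Constructed stand-in for ServletRequest with the two facts SslFilter consults."""
    server_port: int
    is_secure: bool   # what request.isSecure() reports; false when TLS is terminated
                      # in front of a container that does not trust the forwarded scheme


@dataclass
class SslFilterModel:
    port: int = DEFAULT_HTTPS_PORT
    hsts: Hsts = field(default_factory=Hsts)

    def scheme(self, request_scheme: str, port: int) -> str:
        # getScheme(): port 80 keeps 'http'; any other port is reported as 'https'.
        return "http" if port == 80 else "https"

    def is_access_allowed(self, req: Request) -> bool:
        # isAccessAllowed(): both conditions are required; matching the configured
        # port alone does not prove the connection was actually encrypted.
        return req.server_port == self.port and req.is_secure

    def response_headers(self) -> dict:
        # postHandle(): the header is written only when HSTS has been enabled.
        if not self.hsts.enabled:
            return {}
        return {"Strict-Transport-Security": self.hsts.header_value()}
```

The second denied case below (configured port, but isSecure() false) is the one to check for when a proxy terminates TLS in front of the container.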
Nested Class Summary

  Modifier and Type   Class            Description
  class               SslFilter.HSTS   Helper class for HTTP Strict Transport Security (HSTS)

Field Summary

  Modifier and Type   Field
  static int          DEFAULT_HTTPS_PORT
  static String       HTTPS_SCHEME
Fields inherited from class org.apache.shiro.web.filter.authz.PortFilter
  DEFAULT_HTTP_PORT, HTTP_SCHEME

Fields inherited from class org.apache.shiro.web.filter.AccessControlFilter
  DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD

Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter
  appliedPaths, pathMatcher

Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
  ALREADY_FILTERED_SUFFIX

Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
  filterConfig
Constructor Summary

  Constructor   Description
  SslFilter()

Method Summary

All Methods / Instance Methods / Concrete Methods

  Modifier and Type   Method
  SslFilter.HSTS      getHsts()
  protected String    getScheme(String requestScheme, int port)
  protected boolean   isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
                      Retains the parent method's port-matching behavior but additionally guarantees that ServletRequest.isSecure() returns true.
  protected void      postHandle(ServletRequest request, ServletResponse response)
                      If HTTP Strict Transport Security (HSTS) is enabled the HTTP header will be written, otherwise this method does nothing.
  void                setHsts(SslFilter.HSTS hsts)
Methods inherited from class org.apache.shiro.web.filter.authz.PortFilter
  getPort, onAccessDenied, setPort, toPort

Methods inherited from class org.apache.shiro.web.filter.authz.AuthorizationFilter
  getUnauthorizedUrl, onAccessDenied, setUnauthorizedUrl

Methods inherited from class org.apache.shiro.web.filter.AccessControlFilter
  getLoginUrl, getSubject, isLoginRequest, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl

Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter
  getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig

Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter
  afterCompletion, cleanup, doFilterInternal, executeChain

Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
  doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter

Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
  getName, setName, toStringBuilder

Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
  destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig

Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
  getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
Field Detail

DEFAULT_HTTPS_PORT
  public static final int DEFAULT_HTTPS_PORT
  See Also: Constant Field Values

HTTPS_SCHEME
  public static final String HTTPS_SCHEME
  See Also: Constant Field Values

Constructor Detail

SslFilter
  public SslFilter()
Method Detail

getHsts
  public SslFilter.HSTS getHsts()

setHsts
  public void setHsts(SslFilter.HSTS hsts)

getScheme
  protected String getScheme(String requestScheme, int port)
  Overrides: getScheme in class PortFilter

isAccessAllowed
  protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception
  Retains the parent method's port-matching behavior but additionally guarantees that ServletRequest.isSecure() returns true. If the port does not match or the request is not secure, access is denied.
  Overrides: isAccessAllowed in class PortFilter
  Parameters:
    request - the incoming ServletRequest
    response - the outgoing ServletResponse - ignored in this implementation
    mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings - ignored by this implementation.
  Returns:
    true if the request is received on an expected SSL port and request.isSecure() returns true, false otherwise.
  Throws:
    Exception - if the call to super.isAccessAllowed throws an exception.
  Since:
    1.2

postHandle
  protected void postHandle(ServletRequest request, ServletResponse response)
  If HTTP Strict Transport Security (HSTS) is enabled the HTTP header will be written, otherwise this method does nothing.
  Overrides: postHandle in class AdviceFilter
  Parameters:
    request - the incoming ServletRequest
    response - the outgoing ServletResponse