AbstractShiroFilter (Apache Shiro

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.apache.shiro.web.servlet
Class AbstractShiroFilter

java.lang.Object
  org.apache.shiro.web.servlet.ServletContextSupport
      org.apache.shiro.web.servlet.AbstractFilter
          org.apache.shiro.web.servlet.NameableFilter
              org.apache.shiro.web.servlet.OncePerRequestFilter
                  org.apache.shiro.web.servlet.AbstractShiroFilter

All Implemented Interfaces:: Filter, Nameable

Direct Known Subclasses:: IniShiroFilter

public abstract class AbstractShiroFilter
extends OncePerRequestFilter
extends OncePerRequestFilter

Abstract base class that provides all standard Shiro request filtering behavior and expects subclasses to implement configuration-specific logic (INI, XML, .properties, etc).

Subclasses should perform configuration and construction logic in an overridden init() method implementation. That implementation should make available any constructed SecurityManager and FilterChainResolver by calling setSecurityManager(org.apache.shiro.web.mgt.WebSecurityManager) and setFilterChainResolver(org.apache.shiro.web.filter.mgt.FilterChainResolver) methods respectively.

Since:: 1.0

Field Summary

Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
`ALREADY_FILTERED_SUFFIX`

Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
`filterConfig`

Constructor Summary
`protected`	`AbstractShiroFilter()`

Method Summary
`protected WebSecurityManager`	`createDefaultSecurityManager()`
`protected WebSubject`	`createSubject(ServletRequest request, ServletResponse response)` Creates a `WebSubject` instance to associate with the incoming request/response pair which will be used throughout the request/response execution.
`protected void`	`doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)` `doFilterInternal` implementation that sets-up, executes, and cleans-up a Shiro-filtered request.
`protected void`	`executeChain(ServletRequest request, ServletResponse response, FilterChain origChain)` Executes a `FilterChain` for the given request.
`protected FilterChain`	`getExecutionChain(ServletRequest request, ServletResponse response, FilterChain origChain)` Returns the `FilterChain` to execute for the given request.
`FilterChainResolver`	`getFilterChainResolver()`
`WebSecurityManager`	`getSecurityManager()`
`void`	`init()`
`protected boolean`	`isHttpSessions()`
`protected void`	`onFilterConfigSet()` Template method to be overridden by subclasses to perform initialization logic at start-up.
`protected ServletRequest`	`prepareServletRequest(ServletRequest request, ServletResponse response, FilterChain chain)` Prepares the `ServletRequest` instance that will be passed to the `FilterChain` for request processing.
`protected ServletResponse`	`prepareServletResponse(ServletRequest request, ServletResponse response, FilterChain chain)` Prepares the `ServletResponse` instance that will be passed to the `FilterChain` for request processing.
`void`	`setFilterChainResolver(FilterChainResolver filterChainResolver)`
`void`	`setSecurityManager(WebSecurityManager sm)`
`protected void`	`updateSessionLastAccessTime(ServletRequest request, ServletResponse response)` Updates any 'native' Session's last access time that might exist to the timestamp when this method is called.
`protected ServletRequest`	`wrapServletRequest(HttpServletRequest orig)` Wraps the original HttpServletRequest in a `ShiroHttpServletRequest`, which is required for supporting Servlet Specification behavior backed by a `Subject` instance.
`protected ServletResponse`	`wrapServletResponse(HttpServletResponse orig, ShiroHttpServletRequest request)` Returns a new `ShiroHttpServletResponse` instance, wrapping the `orig` argument, in order to provide correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not Servlet Container HTTP-based sessions).

Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
`doFilter, getAlreadyFilteredAttributeName, shouldNotFilter`

Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
`getName, setName, toStringBuilder`

Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
`destroy, getFilterConfig, getInitParam, init, setFilterConfig`

Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
`getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait`

Constructor Detail

AbstractShiroFilter

protected AbstractShiroFilter()

Method Detail

getSecurityManager

public WebSecurityManager getSecurityManager()

setSecurityManager

public void setSecurityManager(WebSecurityManager sm)

getFilterChainResolver

public FilterChainResolver getFilterChainResolver()

setFilterChainResolver

public void setFilterChainResolver(FilterChainResolver filterChainResolver)

onFilterConfigSet

protected final void onFilterConfigSet()
                                throws Exception

Description copied from class: AbstractFilter

Template method to be overridden by subclasses to perform initialization logic at start-up. The ServletContext and FilterConfig will be accessible (and non-null) at the time this method is invoked via the getServletContext() and getFilterConfig() methods respectively.

init-param values may be conveniently obtained via the AbstractFilter.getInitParam(String) method.

Overrides:: onFilterConfigSet in class AbstractFilter

Throws:: Exception - if the subclass has an error upon initialization.

init

public void init()
          throws Exception

Throws:: Exception

createDefaultSecurityManager

protected WebSecurityManager createDefaultSecurityManager()

isHttpSessions

protected boolean isHttpSessions()

wrapServletRequest

protected ServletRequest wrapServletRequest(HttpServletRequest orig)

Wraps the original HttpServletRequest in a ShiroHttpServletRequest, which is required for supporting Servlet Specification behavior backed by a Subject instance.

Parameters:: orig - the original Servlet Container-provided incoming HttpServletRequest instance.
Returns:: ShiroHttpServletRequest instance wrapping the original.
Since:: 1.0

prepareServletRequest

protected ServletRequest prepareServletRequest(ServletRequest request,
                                               ServletResponse response,
                                               FilterChain chain)

Prepares the ServletRequest instance that will be passed to the FilterChain for request processing.

If the ServletRequest is an instance of HttpServletRequest, the value returned from this method is obtained by calling wrapServletRequest(javax.servlet.http.HttpServletRequest) to allow Shiro-specific HTTP behavior, otherwise the original ServletRequest argument is returned.

Parameters:: request - the incoming ServletRequest; response - the outgoing ServletResponse; chain - the Servlet Container provided FilterChain that will receive the returned request.
Returns:: the ServletRequest instance that will be passed to the FilterChain for request processing.
Since:: 1.0

wrapServletResponse

protected ServletResponse wrapServletResponse(HttpServletResponse orig,
                                              ShiroHttpServletRequest request)

Returns a new ShiroHttpServletResponse instance, wrapping the orig argument, in order to provide correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not Servlet Container HTTP-based sessions).

Parameters:: orig - the original HttpServletResponse instance provided by the Servlet Container.; request - the ShiroHttpServletRequest instance wrapping the original request.
Returns:: the wrapped ServletResponse instance to use during FilterChain execution.
Since:: 1.0

prepareServletResponse

protected ServletResponse prepareServletResponse(ServletRequest request,
                                                 ServletResponse response,
                                                 FilterChain chain)

Prepares the ServletResponse instance that will be passed to the FilterChain for request processing.

This implementation delegates to wrapServletRequest(javax.servlet.http.HttpServletRequest) only if Shiro-based sessions are enabled (that is, !isHttpSessions()) and the request instance is a ShiroHttpServletRequest. This ensures that any URL rewriting that occurs is handled correctly using the Shiro-managed Session's sessionId and not a servlet container session ID.

If HTTP-based sessions are enabled (the default), then this method does nothing and just returns the ServletResponse argument as-is, relying on the default Servlet Container URL rewriting logic.

Parameters:: request - the incoming ServletRequest; response - the outgoing ServletResponse; chain - the Servlet Container provided FilterChain that will receive the returned request.
Returns:: the ServletResponse instance that will be passed to the FilterChain during request processing.
Since:: 1.0

createSubject

protected WebSubject createSubject(ServletRequest request,
                                   ServletResponse response)

Creates a WebSubject instance to associate with the incoming request/response pair which will be used throughout the request/response execution.

Parameters:: request - the incoming ServletRequest; response - the outgoing ServletResponse
Returns:: the WebSubject instance to associate with the request/response execution
Since:: 1.0

updateSessionLastAccessTime

protected void updateSessionLastAccessTime(ServletRequest request,
                                           ServletResponse response)

Updates any 'native' Session's last access time that might exist to the timestamp when this method is called. If native sessions are not enabled (that is, standard Servlet container sessions are being used) or there is no session (subject.getSession(false) == null), this method does nothing.

This method implementation merely calls Session.touch() on the session.

Parameters:: request - incoming request - ignored, but available to subclasses that might wish to override this method; response - outgoing response - ignored, but available to subclasses that might wish to override this method
Since:: 1.0

doFilterInternal

protected void doFilterInternal(ServletRequest servletRequest,
                                ServletResponse servletResponse,
                                FilterChain chain)
                         throws ServletException,
                                IOException

doFilterInternal implementation that sets-up, executes, and cleans-up a Shiro-filtered request. It performs the following ordered operations:

Prepares the incoming ServletRequest for use during Shiro's processing
Prepares the outgoing ServletResponse for use during Shiro's processing
Creates a Subject instance based on the specified request/response pair.
Finally executes the updateSessionLastAccessTime(javax.servlet.ServletRequest, javax.servlet.ServletResponse) and executeChain(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) methods

The Subject.execute(Runnable) call in step #4 is used as an implementation technique to guarantee proper thread binding and restoration is completed successfully.

Specified by:: doFilterInternal in class OncePerRequestFilter

Parameters:: servletRequest - the incoming ServletRequest; servletResponse - the outgoing ServletResponse; chain - the container-provided FilterChain to execute
Throws:: IOException - if an IO error occurs; ServletException - if an Throwable other than an IOException

getExecutionChain

protected FilterChain getExecutionChain(ServletRequest request,
                                        ServletResponse response,
                                        FilterChain origChain)

Returns the FilterChain to execute for the given request.

The origChain argument is the original FilterChain supplied by the Servlet Container, but it may be modified to provide more behavior by pre-pending further chains according to the Shiro configuration.

This implementation returns the chain that will actually be executed by acquiring the chain from a filterChainResolver. The resolver determines exactly which chain to execute, typically based on URL configuration. If no chain is returned from the resolver call (returns null), then the origChain will be returned by default.

Parameters:: request - the incoming ServletRequest; response - the outgoing ServletResponse; origChain - the original FilterChain provided by the Servlet Container
Returns:: the FilterChain to execute for the given request
Since:: 1.0

executeChain

protected void executeChain(ServletRequest request,
                            ServletResponse response,
                            FilterChain origChain)
                     throws IOException,
                            ServletException

Executes a FilterChain for the given request.

This implementation first delegates to getExecutionChain to allow the application's Shiro configuration to determine exactly how the chain should execute. The resulting value from that call is then executed directly by calling the returned FilterChain's doFilter method. That is:

 FilterChain chain = getExecutionChain(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)(request, response, origChain);
 chain.doFilter(request,response);

Parameters:: request - the incoming ServletRequest; response - the outgoing ServletResponse; origChain - the Servlet Container-provided chain that may be wrapped further by an application-configured chain of Filters.
Throws:: IOException - if the underlying chain.doFilter call results in an IOException; ServletException - if the underlying chain.doFilter call results in a ServletException
Since:: 1.0