Package org.apache.shiro.web.filter.authz

Class AuthorizationFilter

java.lang.Object
org.apache.shiro.web.servlet.ServletContextSupport
org.apache.shiro.web.servlet.AbstractFilter
org.apache.shiro.web.servlet.NameableFilter
org.apache.shiro.web.servlet.OncePerRequestFilter
org.apache.shiro.web.servlet.AdviceFilter
org.apache.shiro.web.filter.PathMatchingFilter
org.apache.shiro.web.filter.AccessControlFilter
org.apache.shiro.web.filter.authz.AuthorizationFilter
All Implemented Interfaces:
javax.servlet.Filter, org.apache.shiro.lang.util.Nameable, PathConfigProcessor
Direct Known Subclasses:
HostFilter, IpFilter, PermissionsAuthorizationFilter, PortFilter, RolesAuthorizationFilter
public abstract class AuthorizationFilter extends AccessControlFilter
Superclass for authorization-related filters. If an request is unauthorized, response handling is delegated to the onAccessDenied method, which provides reasonable handling for most applications.
Since:
0.9
See Also:

  • Constructor Details

  • Method Details

    • getUnauthorizedUrl

      public String getUnauthorizedUrl()
      Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_FORBIDDEN response should be issued (403 Forbidden).

      The default is null, ensuring default web server behavior. Override this default by calling the setUnauthorizedUrl method with a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.

      Returns:
      the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_FORBIDDEN response should be issued (403 Forbidden).

    • setUnauthorizedUrl

      public void setUnauthorizedUrl(String unauthorizedUrl)
      Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.

      If the value is null a raw HttpServletResponse.SC_FORBIDDEN response will be issued (403 Forbidden), retaining default web server behavior.

      Unless overridden by calling this method, the default value is null. If desired, you can specify a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.

      Parameters:
      unauthorizedUrl - the URL to which users should be redirected if they are denied access to an underlying path or resource, or null to an ensure raw HttpServletResponse.SC_FORBIDDEN response is issued (403 Forbidden).

    • onAccessDenied

      protected boolean onAccessDenied(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response) throws IOException
      Handles the response when access has been denied. It behaves as follows: [1]: A Subject is 'known' when subject.getPrincipal() is not null, which implicitly means that the subject is either currently authenticated or they have been remembered via 'remember me' services.
      Specified by:
      onAccessDenied in class AccessControlFilter
      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      Returns:
      false always for this implementation.
      Throws:
      IOException - if there is any servlet error.