Class SslFilter

All Implemented Interfaces:
javax.servlet.Filter, org.apache.shiro.lang.util.Nameable, PathConfigProcessor

public class SslFilter extends PortFilter
Filter which requires a request to be over SSL. Access is allowed if the request is received on the configured server port and ServletRequest.isSecure() returns true. If either condition is false, the filter chain will not continue.

The port property defaults to 443, and the filter additionally guarantees that the request scheme is always 'https' (except for port 80, which retains the 'http' scheme).

In addition, the filter allows enabling HTTP Strict Transport Security (HSTS). This feature is opt-in and disabled by default. If enabled, HSTS will prevent any communication from being sent over HTTP to the specified domain; all communication will instead be sent over HTTPS.

The maxAge property defaults to 31536000, and includeSubDomains defaults to false.

Warning: Use this setting with care and only if you plan to enable SSL on every path.

Example configs:
 [urls]
 /secure/path/** = ssl
 
with HSTS enabled
 [main]
 ssl.hsts.enabled = true
 [urls]
 /** = ssl
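An added configuration example, not taken from the original page, that sets a non-default port together with the two HSTS sub-properties described above. The nested key names ssl.port, ssl.hsts.maxAge and ssl.hsts.includeSubDomains are an assumption for this example, formed on the ssl.hsts.enabled pattern shown above.

```ini
[main]
# assumption: nested keys follow the ssl.hsts.enabled pattern shown above
ssl.port = 8443
ssl.hsts.enabled = true
ssl.hsts.maxAge = 31536000
ssl.hsts.includeSubDomains = true

[urls]
/** = ssl
```

With port set to 8443 the filter still reports the 'https' scheme, since only port 80 keeps 'http'. Mapping every path to ssl matches the warning above: the HSTS header is only written on responses that pass through this filter, so a path left unmapped would never receive it.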
 
Since:
1.0
  • Method Details

    • getHsts

      public SslFilter.HSTS getHsts()
    • setHsts

      public void setHsts(SslFilter.HSTS hsts)
    • getScheme

      protected String getScheme(String requestScheme, int port)
      Overrides:
      getScheme in class PortFilter
    • isAccessAllowed

      protected boolean isAccessAllowed(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, Object mappedValue) throws Exception
      Retains the parent method's port-matching behavior but additionally requires that ServletRequest.isSecure() returns true. If the port does not match or the request is not secure, access is denied.
      Overrides:
      isAccessAllowed in class PortFilter
      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse - ignored in this implementation
      mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings - ignored by this implementation.
      Returns:
      true if the request is received on an expected SSL port and ServletRequest.isSecure() returns true, false otherwise.
      Throws:
      Exception - if the call to super.isAccessAllowed throws an exception.
      Since:
      1.2
    • postHandle

      protected void postHandle(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
      If HTTP Strict Transport Security (HSTS) is enabled, the Strict-Transport-Security response header will be written; otherwise this method does nothing.
      Overrides:
      postHandle in class AdviceFilter
      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
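The following is an added illustration, not Shiro's own code: a plain-Java model of the rules that isAccessAllowed, getScheme and postHandle are documented to apply (port match AND ServletRequest.isSecure(), 'https' except on port 80, opt-in HSTS header), exercised against a few constructed requests so the allow case and each deny condition can be seen without a servlet container. The class and field names (SslPolicyExample, Request, SslPolicy, hstsEnabled and friends) are assumptions chosen for the example.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added illustration, not Shiro's code: models the decision rules the
 * SslFilter Javadoc describes. Names below are assumptions for the example.
 */
public class SslPolicyExample {

    /** Stand-in for the parts of a ServletRequest the filter consults (constructed for the example). */
    static final class Request {
        final String description;
        final int serverPort;
        final boolean secure;   // value ServletRequest.isSecure() would report

        Request(String description, int serverPort, boolean secure) {
            this.description = description;
            this.serverPort = serverPort;
            this.secure = secure;
        }
    }

    /** Mirrors the documented defaults: port 443, HSTS off, max-age one year, no subdomains. */
    static final class SslPolicy {
        static final int DEFAULT_HTTPS_PORT = 443;
        static final int DEFAULT_HTTP_PORT = 80;
        static final int DEFAULT_HSTS_MAX_AGE = 31536000;
        static final String HSTS_HEADER = "Strict-Transport-Security";

        int port = DEFAULT_HTTPS_PORT;
        boolean hstsEnabled = false;
        int hstsMaxAge = DEFAULT_HSTS_MAX_AGE;
        boolean hstsIncludeSubDomains = false;

        /** Same rule as the documented getScheme: only port 80 keeps http. */
        String scheme(int port) {
            return port == DEFAULT_HTTP_PORT ? "http" : "https";
        }

        /** Same rule as the documented isAccessAllowed: both conditions must hold. */
        boolean isAccessAllowed(Request r) {
            return r.serverPort == port && r.secure;
        }

        /** Header value postHandle would emit, or null when HSTS is disabled. */
        String hstsHeaderValue() {
            if (!hstsEnabled) {
                return null;
            }
            StringBuilder value = new StringBuilder("max-age=").append(hstsMaxAge);
            if (hstsIncludeSubDomains) {
                value.append("; includeSubDomains");
            }
            return value.toString();
        }
    }

    public static void main(String[] args) {
        SslPolicy policy = new SslPolicy();

        // Constructed requests covering the allow case and each deny condition.
        List<Request> requests = Arrays.asList(
            new Request("TLS on 443", 443, true),
            new Request("port 443 but isSecure()==false (TLS ended at a proxy)", 443, false),
            new Request("plain HTTP on 8080", 8080, false),
            new Request("TLS on 8443 while port is still 443", 8443, true));

        for (Request r : requests) {
            System.out.printf("%-60s -> %s%n", r.description,
                policy.isAccessAllowed(r) ? "allowed" : "denied (chain stops)");
        }

        System.out.println("scheme for port 80:  " + policy.scheme(80));
        System.out.println("scheme for port 443: " + policy.scheme(443));

        // HSTS is opt-in: no header is produced until it is enabled.
        System.out.println("HSTS header (disabled): " + policy.hstsHeaderValue());
        policy.hstsEnabled = true;
        policy.hstsIncludeSubDomains = true;
        System.out.println(SslPolicy.HSTS_HEADER + ": " + policy.hstsHeaderValue());
    }
}
```

The second constructed request is the case worth checking in a real deployment: ServletRequest.isSecure() reflects what the servlet container believes about the connection, so when TLS is terminated at a load balancer or reverse proxy and the container is not configured to trust the forwarded protocol information, requests arrive on the expected port yet report isSecure() as false and are denied by this filter.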