org.apache.shiro.web.servlet

Class AbstractShiroFilter

java.lang.Object

org.apache.shiro.web.servlet.ServletContextSupport

org.apache.shiro.web.servlet.AbstractFilter

org.apache.shiro.web.servlet.NameableFilter

org.apache.shiro.web.servlet.OncePerRequestFilter

org.apache.shiro.web.servlet.AbstractShiroFilter

All Implemented Interfaces:

javax.servlet.Filter, org.apache.shiro.util.Nameable

Direct Known Subclasses:

IniShiroFilter, ShiroFilter

public abstract class AbstractShiroFilter
extends OncePerRequestFilter

Abstract base class that provides all standard Shiro request filtering behavior and expects subclasses to implement configuration-specific logic (INI, XML, .properties, etc).

Subclasses should perform configuration and construction logic in an overridden init() method implementation. That implementation should make available any constructed SecurityManager and FilterChainResolver by calling setSecurityManager(org.apache.shiro.web.mgt.WebSecurityManager) and setFilterChainResolver(org.apache.shiro.web.filter.mgt.FilterChainResolver) methods respectively.

Static SecurityManager

By default the SecurityManager instance enabled by this filter will not be enabled in static memory via the SecurityUtils.setSecurityManager method. Instead, it is expected that Subject instances will always be constructed on a request-processing thread via instances of this Filter class.

However, if you need to construct Subject instances on separate (non request-processing) threads, it might be easiest to enable the SecurityManager to be available in static memory via the SecurityUtils.getSecurityManager() method. You can do this by additionally specifying an init-param:

 <filter>
     ... other config here ...
     <init-param>
         <param-name>staticSecurityManagerEnabled</param-name>
         <param-value>true</param-value>
     </init-param>
 </filter>
 

See the Shiro Subject documentation for more information as to if you would do this, particularly the sections on the Subject.Builder and Thread Association.

Since:

1.0

See Also:

Subject documentation

Field Summary

Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter

ALREADY_FILTERED_SUFFIX

Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter

filterConfig

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	AbstractShiroFilter()

Method Summary

Modifier and Type	Method and Description
protected WebSecurityManager	createDefaultSecurityManager()
protected WebSubject	createSubject(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response) Creates a WebSubject instance to associate with the incoming request/response pair which will be used throughout the request/response execution.
protected void	doFilterInternal(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain) doFilterInternal implementation that sets-up, executes, and cleans-up a Shiro-filtered request.
protected void	executeChain(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain origChain) Executes a FilterChain for the given request.
protected javax.servlet.FilterChain	getExecutionChain(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain origChain) Returns the FilterChain to execute for the given request.
FilterChainResolver	getFilterChainResolver()
WebSecurityManager	getSecurityManager()
void	init()
protected boolean	isHttpSessions()
boolean	isStaticSecurityManagerEnabled() Returns true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.
protected void	onFilterConfigSet() Template method to be overridden by subclasses to perform initialization logic at start-up.
protected javax.servlet.ServletRequest	prepareServletRequest(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) Prepares the ServletRequest instance that will be passed to the FilterChain for request processing.
protected javax.servlet.ServletResponse	prepareServletResponse(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) Prepares the ServletResponse instance that will be passed to the FilterChain for request processing.
void	setFilterChainResolver(FilterChainResolver filterChainResolver)
void	setSecurityManager(WebSecurityManager sm)
void	setStaticSecurityManagerEnabled(boolean staticSecurityManagerEnabled) Sets if the constructed securityManager reference should be bound to static memory (via SecurityUtils.
protected void	updateSessionLastAccessTime(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response) Updates any 'native' Session's last access time that might exist to the timestamp when this method is called.
protected javax.servlet.ServletRequest	wrapServletRequest(javax.servlet.http.HttpServletRequest orig) Wraps the original HttpServletRequest in a ShiroHttpServletRequest, which is required for supporting Servlet Specification behavior backed by a Subject instance.
protected javax.servlet.ServletResponse	wrapServletResponse(javax.servlet.http.HttpServletResponse orig, ShiroHttpServletRequest request) Returns a new ShiroHttpServletResponse instance, wrapping the orig argument, in order to provide correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not Servlet Container HTTP-based sessions).

Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter

doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter

Methods inherited from class org.apache.shiro.web.servlet.NameableFilter

getName, setName, toStringBuilder

Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter

destroy, getFilterConfig, getInitParam, init, setFilterConfig

Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport

getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

AbstractShiroFilter

protected AbstractShiroFilter()

Method Detail

getSecurityManager

public WebSecurityManager getSecurityManager()

setSecurityManager

public void setSecurityManager(WebSecurityManager sm)

getFilterChainResolver

public FilterChainResolver getFilterChainResolver()

setFilterChainResolver

public void setFilterChainResolver(FilterChainResolver filterChainResolver)

isStaticSecurityManagerEnabled

public boolean isStaticSecurityManagerEnabled()

Returns true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise.

The default value is false.

Returns:

true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise.

Since:

1.2

See Also:

SHIRO-287

setStaticSecurityManagerEnabled

public void setStaticSecurityManagerEnabled(boolean staticSecurityManagerEnabled)

Sets if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager).

The default value is false.

Parameters:

staticSecurityManagerEnabled - if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager).

Since:

1.2

See Also:

SHIRO-287

onFilterConfigSet

protected final void onFilterConfigSet()
                                throws Exception

Description copied from class: AbstractFilter

Template method to be overridden by subclasses to perform initialization logic at start-up. The ServletContext and FilterConfig will be accessible (and non-null) at the time this method is invoked via the getServletContext() and getFilterConfig() methods respectively.

init-param values may be conveniently obtained via the AbstractFilter.getInitParam(String) method.

Overrides:

onFilterConfigSet in class AbstractFilter

Throws:

Exception - if the subclass has an error upon initialization.

init

public void init()
          throws Exception

Throws:

Exception

createDefaultSecurityManager

protected WebSecurityManager createDefaultSecurityManager()

isHttpSessions

protected boolean isHttpSessions()

wrapServletRequest

protected javax.servlet.ServletRequest wrapServletRequest(javax.servlet.http.HttpServletRequest orig)

Wraps the original HttpServletRequest in a ShiroHttpServletRequest, which is required for supporting Servlet Specification behavior backed by a Subject instance.

Parameters:

orig - the original Servlet Container-provided incoming HttpServletRequest instance.

Returns:

ShiroHttpServletRequest instance wrapping the original.

Since:

1.0

prepareServletRequest

protected javax.servlet.ServletRequest prepareServletRequest(javax.servlet.ServletRequest request,
                                                             javax.servlet.ServletResponse response,
                                                             javax.servlet.FilterChain chain)

Prepares the ServletRequest instance that will be passed to the FilterChain for request processing.

If the ServletRequest is an instance of HttpServletRequest, the value returned from this method is obtained by calling wrapServletRequest(javax.servlet.http.HttpServletRequest) to allow Shiro-specific HTTP behavior, otherwise the original ServletRequest argument is returned.

Parameters:

request - the incoming ServletRequest

response - the outgoing ServletResponse

chain - the Servlet Container provided FilterChain that will receive the returned request.

Returns:

the ServletRequest instance that will be passed to the FilterChain for request processing.

Since:

1.0

wrapServletResponse

protected javax.servlet.ServletResponse wrapServletResponse(javax.servlet.http.HttpServletResponse orig,
                                                            ShiroHttpServletRequest request)

Returns a new ShiroHttpServletResponse instance, wrapping the orig argument, in order to provide correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not Servlet Container HTTP-based sessions).

Parameters:

orig - the original HttpServletResponse instance provided by the Servlet Container.

request - the ShiroHttpServletRequest instance wrapping the original request.

Returns:

the wrapped ServletResponse instance to use during FilterChain execution.

Since:

1.0

prepareServletResponse

protected javax.servlet.ServletResponse prepareServletResponse(javax.servlet.ServletRequest request,
                                                               javax.servlet.ServletResponse response,
                                                               javax.servlet.FilterChain chain)

Prepares the ServletResponse instance that will be passed to the FilterChain for request processing.

This implementation delegates to wrapServletRequest(javax.servlet.http.HttpServletRequest) only if Shiro-based sessions are enabled (that is, !isHttpSessions()) and the request instance is a ShiroHttpServletRequest. This ensures that any URL rewriting that occurs is handled correctly using the Shiro-managed Session's sessionId and not a servlet container session ID.

If HTTP-based sessions are enabled (the default), then this method does nothing and just returns the ServletResponse argument as-is, relying on the default Servlet Container URL rewriting logic.

Parameters:

request - the incoming ServletRequest

response - the outgoing ServletResponse

chain - the Servlet Container provided FilterChain that will receive the returned request.

Returns:

the ServletResponse instance that will be passed to the FilterChain during request processing.

Since:

1.0

createSubject

protected WebSubject createSubject(javax.servlet.ServletRequest request,
                                   javax.servlet.ServletResponse response)

Creates a WebSubject instance to associate with the incoming request/response pair which will be used throughout the request/response execution.

Parameters:

request - the incoming ServletRequest

response - the outgoing ServletResponse

Returns:

the WebSubject instance to associate with the request/response execution

Since:

1.0

updateSessionLastAccessTime

protected void updateSessionLastAccessTime(javax.servlet.ServletRequest request,
                                           javax.servlet.ServletResponse response)

Updates any 'native' Session's last access time that might exist to the timestamp when this method is called. If native sessions are not enabled (that is, standard Servlet container sessions are being used) or there is no session (subject.getSession(false) == null), this method does nothing.

This method implementation merely calls Session.touch() on the session.

Parameters:

request - incoming request - ignored, but available to subclasses that might wish to override this method

response - outgoing response - ignored, but available to subclasses that might wish to override this method

Since:

1.0

doFilterInternal

protected void doFilterInternal(javax.servlet.ServletRequest servletRequest,
                                javax.servlet.ServletResponse servletResponse,
                                javax.servlet.FilterChain chain)
                         throws javax.servlet.ServletException,
                                IOException

doFilterInternal implementation that sets-up, executes, and cleans-up a Shiro-filtered request. It performs the following ordered operations:

1. Prepares the incoming ServletRequest for use during Shiro's processing
2. Prepares the outgoing ServletResponse for use during Shiro's processing
3. Creates a Subject instance based on the specified request/response pair.
4. Finally executes the updateSessionLastAccessTime(javax.servlet.ServletRequest, javax.servlet.ServletResponse) and executeChain(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) methods

The Subject.execute(Runnable) call in step #4 is used as an implementation technique to guarantee proper thread binding and restoration is completed successfully.

Specified by:

doFilterInternal in class OncePerRequestFilter

Parameters:

servletRequest - the incoming ServletRequest

servletResponse - the outgoing ServletResponse

chain - the container-provided FilterChain to execute

Throws:

IOException - if an IO error occurs

javax.servlet.ServletException - if an Throwable other than an IOException

getExecutionChain

protected javax.servlet.FilterChain getExecutionChain(javax.servlet.ServletRequest request,
                                                      javax.servlet.ServletResponse response,
                                                      javax.servlet.FilterChain origChain)

Returns the FilterChain to execute for the given request.

The origChain argument is the original FilterChain supplied by the Servlet Container, but it may be modified to provide more behavior by pre-pending further chains according to the Shiro configuration.

This implementation returns the chain that will actually be executed by acquiring the chain from a filterChainResolver. The resolver determines exactly which chain to execute, typically based on URL configuration. If no chain is returned from the resolver call (returns null), then the origChain will be returned by default.

Parameters:

request - the incoming ServletRequest

response - the outgoing ServletResponse

origChain - the original FilterChain provided by the Servlet Container

Returns:

the FilterChain to execute for the given request

Since:

1.0

executeChain

protected void executeChain(javax.servlet.ServletRequest request,
                            javax.servlet.ServletResponse response,
                            javax.servlet.FilterChain origChain)
                     throws IOException,
                            javax.servlet.ServletException

Executes a FilterChain for the given request.

This implementation first delegates to getExecutionChain to allow the application's Shiro configuration to determine exactly how the chain should execute. The resulting value from that call is then executed directly by calling the returned FilterChain's doFilter method. That is:

 FilterChain chain = getExecutionChain(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)(request, response, origChain);
 chain.doFilter(request,response);

Parameters:

request - the incoming ServletRequest

response - the outgoing ServletResponse

origChain - the Servlet Container-provided chain that may be wrapped further by an application-configured chain of Filters.

Throws:

IOException - if the underlying chain.doFilter call results in an IOException

javax.servlet.ServletException - if the underlying chain.doFilter call results in a ServletException

Since:

1.0