java.lang.Object
- org.apache.shiro.web.servlet.ServletContextSupport
- - org.apache.shiro.web.servlet.AbstractFilter
  - - org.apache.shiro.web.servlet.NameableFilter
    - - org.apache.shiro.web.servlet.OncePerRequestFilter
      - org.apache.shiro.web.servlet.AdviceFilter
        
        org.apache.shiro.web.filter.PathMatchingFilter
        
        org.apache.shiro.web.filter.AccessControlFilter
        
        org.apache.shiro.web.filter.authz.AuthorizationFilter

All Implemented Interfaces:

javax.servlet.Filter, org.apache.shiro.util.Nameable, PathConfigProcessor

Direct Known Subclasses:

HostFilter, PermissionsAuthorizationFilter, PortFilter, RolesAuthorizationFilter
```
public abstract class AuthorizationFilter
extends AccessControlFilter
```
Superclass for authorization-related filters. If an request is unauthorized, response handling is delegated to the onAccessDenied method, which provides reasonable handling for most applications.

Since:

0.9

See Also:

onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse)

Field Summary
- Fields inherited from class org.apache.shiro.web.filter.AccessControlFilter
  DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD
- Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter
  appliedPaths, pathMatcher
- Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
  ALREADY_FILTERED_SUFFIX
- Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
  filterConfig

Constructor Summary

Constructors
Constructor Description

AuthorizationFilter()

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`String`	`getUnauthorizedUrl()`	Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or `null` if a raw `HttpServletResponse.SC_UNAUTHORIZED` response should be issued (401 Unauthorized).
`protected boolean`	`onAccessDenied(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)`	Handles the response when access has been denied.
`void`	`setUnauthorizedUrl(String unauthorizedUrl)`	Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.

Methods inherited from class org.apache.shiro.web.filter.AccessControlFilter
getLoginUrl, getSubject, isAccessAllowed, isLoginRequest, onAccessDenied, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl

Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter
getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig

Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter
afterCompletion, cleanup, doFilterInternal, executeChain, postHandle

Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter

Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
getName, setName, toStringBuilder

Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig

Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

- Constructor Detail
  - AuthorizationFilter
```
public AuthorizationFilter()
```
- Method Detail
  - getUnauthorizedUrl
```
public String getUnauthorizedUrl()
```
    Returns the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).
    The default is null, ensuring default web server behavior. Override this default by calling the setUnauthorizedUrl method with a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.
    
    Returns:
    
    the URL to which users should be redirected if they are denied access to an underlying path or resource, or null if a raw HttpServletResponse.SC_UNAUTHORIZED response should be issued (401 Unauthorized).
  - setUnauthorizedUrl
```
public void setUnauthorizedUrl(String unauthorizedUrl)
```
    Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.
    If the value is null a raw HttpServletResponse.SC_UNAUTHORIZED response will be issued (401 Unauthorized), retaining default web server behavior.
    Unless overridden by calling this method, the default value is null. If desired, you can specify a meaningful path within your application if you would like to show the user a 'nice' page in the event of unauthorized access.
    
    Parameters:
    
    unauthorizedUrl - the URL to which users should be redirected if they are denied access to an underlying path or resource, or null to a ensure raw HttpServletResponse.SC_UNAUTHORIZED response is issued (401 Unauthorized).
  - onAccessDenied
```
protected boolean onAccessDenied(javax.servlet.ServletRequest request,
                                 javax.servlet.ServletResponse response)
                          throws IOException
```
    Handles the response when access has been denied. It behaves as follows:
    
    If the Subject is unknown^[1]:
    The incoming request will be saved and they will be redirected to the login page for authentication (via the AccessControlFilter.saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse) method).
    
    Once successfully authenticated, they will be redirected back to the originally attempted page.
    
    If the Subject is known:
    
    The HTTP HttpServletResponse.SC_UNAUTHORIZED header will be set (401 Unauthorized)
    
    If the unauthorizedUrl has been configured, a redirect will be issued to that URL. Otherwise the 401 response is rendered normally
    
    [1]: A Subject is 'known' when subject.getPrincipal() is not null, which implicitly means that the subject is either currently authenticated or they have been remembered via 'remember me' services.
    Specified by:
    
    onAccessDenied in class AccessControlFilter
    
    Parameters:
    
    request - the incoming ServletRequest
    
    response - the outgoing ServletResponse
    
    Returns:
    
    false always for this implementation.
    
    Throws:
    
    IOException - if there is any servlet error.

Class AuthorizationFilter

Field Summary

Fields inherited from class org.apache.shiro.web.filter.AccessControlFilter

Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter

Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter

Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter

Constructor Summary

Method Summary

Methods inherited from class org.apache.shiro.web.filter.AccessControlFilter

Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter

Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter

Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter

Methods inherited from class org.apache.shiro.web.servlet.NameableFilter

Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter

Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport

Methods inherited from class java.lang.Object

Constructor Detail

AuthorizationFilter

Method Detail

getUnauthorizedUrl

setUnauthorizedUrl

onAccessDenied