Class SslFilter
- java.lang.Object
-
- All Implemented Interfaces:
javax.servlet.Filter,org.apache.shiro.util.Nameable,PathConfigProcessor
public class SslFilter extends PortFilter
Filter which requires a request to be over SSL. Access is allowed if the request is received on the configured serverportand therequest.isSecure(). If either condition isfalse, the filter chain will not continue. Theportproperty defaults to443and also additionally guarantees that the request scheme is always 'https' (except for port 80, which retains the 'http' scheme). In addition the filter allows enabling HTTP Strict Transport Security (HSTS). This feature is opt-in and disabled by default. If enabled HSTS will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. ThemaxAgeproperty defaults31536000, andincludeSubDomainsisfalse. Warning: Use this setting with care and only if you plan to enable SSL on every path. Example configs:[urls] /secure/path/** = ssl
with HSTS enabled[main] ssl.hsts.enabled = true [urls] /** = ssl
- Since:
- 1.0
- See Also:
- HTTP Strict Transport Security (HSTS)
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description classSslFilter.HSTSHelper class for HTTP Strict Transport Security (HSTS)
-
Field Summary
Fields Modifier and Type Field Description static intDEFAULT_HTTPS_PORTstatic StringHTTPS_SCHEME-
Fields inherited from class org.apache.shiro.web.filter.authz.PortFilter
DEFAULT_HTTP_PORT, HTTP_SCHEME
-
Fields inherited from class org.apache.shiro.web.filter.AccessControlFilter
DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD
-
Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter
appliedPaths, pathMatcher
-
Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
ALREADY_FILTERED_SUFFIX
-
Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
filterConfig
-
-
Constructor Summary
Constructors Constructor Description SslFilter()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description SslFilter.HSTSgetHsts()protected StringgetScheme(String requestScheme, int port)protected booleanisAccessAllowed(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, Object mappedValue)Retains the parent method's port-matching behavior but additionally guarantees that theServletRequest.isSecure().protected voidpostHandle(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)If HTTP Strict Transport Security (HSTS) is enabled the HTTP header will be written, otherwise this method does nothing.voidsetHsts(SslFilter.HSTS hsts)-
Methods inherited from class org.apache.shiro.web.filter.authz.PortFilter
getPort, onAccessDenied, setPort, toPort
-
Methods inherited from class org.apache.shiro.web.filter.authz.AuthorizationFilter
getUnauthorizedUrl, onAccessDenied, setUnauthorizedUrl
-
Methods inherited from class org.apache.shiro.web.filter.AccessControlFilter
getLoginUrl, getSubject, isLoginRequest, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl
-
Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter
getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig
-
Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter
afterCompletion, cleanup, doFilterInternal, executeChain
-
Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, isFilterOncePerRequest, setEnabled, setFilterOncePerRequest, shouldNotFilter
-
Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
getName, setName, toStringBuilder
-
Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
-
Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
-
-
-
-
Field Detail
-
DEFAULT_HTTPS_PORT
public static final int DEFAULT_HTTPS_PORT
- See Also:
- Constant Field Values
-
HTTPS_SCHEME
public static final String HTTPS_SCHEME
- See Also:
- Constant Field Values
-
-
Method Detail
-
getHsts
public SslFilter.HSTS getHsts()
-
setHsts
public void setHsts(SslFilter.HSTS hsts)
-
getScheme
protected String getScheme(String requestScheme, int port)
- Overrides:
getSchemein classPortFilter
-
isAccessAllowed
protected boolean isAccessAllowed(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, Object mappedValue) throws ExceptionRetains the parent method's port-matching behavior but additionally guarantees that theServletRequest.isSecure(). If the port does not match or the request is not secure, access is denied.- Overrides:
isAccessAllowedin classPortFilter- Parameters:
request- the incomingServletRequestresponse- the outgoingServletResponse- ignored in this implementationmappedValue- the filter-specific config value mapped to this filter in the URL rules mappings - ignored by this implementation.- Returns:
trueif the request is received on an expected SSL port and therequest.isSecure(),falseotherwise.- Throws:
Exception- if the call tosuper.isAccessAllowedthrows an exception.- Since:
- 1.2
-
postHandle
protected void postHandle(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)If HTTP Strict Transport Security (HSTS) is enabled the HTTP header will be written, otherwise this method does nothing.- Overrides:
postHandlein classAdviceFilter- Parameters:
request- the incomingServletRequestresponse- the outgoingServletResponse
-
-