Package org.apache.shiro.web.servlet

Class AbstractShiroFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.apache.shiro.util.Nameable
    Direct Known Subclasses:
    IniShiroFilter, ShiroFilter
    public abstract class AbstractShiroFilter
extends OncePerRequestFilter
    Abstract base class that provides all standard Shiro request filtering behavior and expects subclasses to implement configuration-specific logic (INI, XML, .properties, etc).

    Subclasses should perform configuration and construction logic in an overridden init() method implementation. That implementation should make available any constructed SecurityManager and FilterChainResolver by calling setSecurityManager(org.apache.shiro.web.mgt.WebSecurityManager) and setFilterChainResolver(org.apache.shiro.web.filter.mgt.FilterChainResolver) methods respectively.

    Static SecurityManager

    By default the SecurityManager instance enabled by this filter will not be enabled in static memory via the SecurityUtils.setSecurityManager method. Instead, it is expected that Subject instances will always be constructed on a request-processing thread via instances of this Filter class.

    However, if you need to construct Subject instances on separate (non request-processing) threads, it might be easiest to enable the SecurityManager to be available in static memory via the SecurityUtils.getSecurityManager() method. You can do this by additionally specifying an init-param: 

     <filter>
     ... other config here ...
     <init-param>
         <param-name>staticSecurityManagerEnabled</param-name>
         <param-value>true</param-value>
     </init-param>
 </filter>
    See the Shiro Subject documentation for more information as to if you would do this, particularly the sections on the Subject.Builder and Thread Association.
    Since:
    1.0
    See Also:
    Subject documentation

    • Constructor Detail

      • AbstractShiroFilter

        protected AbstractShiroFilter()

    • Method Detail

      • setFilterChainResolver

        public void setFilterChainResolver​(FilterChainResolver filterChainResolver)

      • isStaticSecurityManagerEnabled

        public boolean isStaticSecurityManagerEnabled()
        Returns true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise.

        The default value is false.

        Returns:
        true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise.
        Since:
        1.2
        See Also:
        SHIRO-287

      • setStaticSecurityManagerEnabled

        public void setStaticSecurityManagerEnabled​(boolean staticSecurityManagerEnabled)
        Sets if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager).

        The default value is false.

        Parameters:
        staticSecurityManagerEnabled - if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager).
        Since:
        1.2
        See Also:
        SHIRO-287

      • createDefaultSecurityManager

        protected WebSecurityManager createDefaultSecurityManager()

      • isHttpSessions

        protected boolean isHttpSessions()

      • wrapServletRequest

        protected javax.servlet.ServletRequest wrapServletRequest​(javax.servlet.http.HttpServletRequest orig)
        Wraps the original HttpServletRequest in a ShiroHttpServletRequest, which is required for supporting Servlet Specification behavior backed by a Subject instance.
        Parameters:
        orig - the original Servlet Container-provided incoming HttpServletRequest instance.
        Returns:
        ShiroHttpServletRequest instance wrapping the original.
        Since:
        1.0

      • prepareServletRequest

        protected javax.servlet.ServletRequest prepareServletRequest​(javax.servlet.ServletRequest request,
                                                             javax.servlet.ServletResponse response,
                                                             javax.servlet.FilterChain chain)
        Prepares the ServletRequest instance that will be passed to the FilterChain for request processing.

        If the ServletRequest is an instance of HttpServletRequest, the value returned from this method is obtained by calling wrapServletRequest(javax.servlet.http.HttpServletRequest) to allow Shiro-specific HTTP behavior, otherwise the original ServletRequest argument is returned.

        Parameters:
        request - the incoming ServletRequest
        response - the outgoing ServletResponse
        chain - the Servlet Container provided FilterChain that will receive the returned request.
        Returns:
        the ServletRequest instance that will be passed to the FilterChain for request processing.
        Since:
        1.0

      • wrapServletResponse

        protected javax.servlet.ServletResponse wrapServletResponse​(javax.servlet.http.HttpServletResponse orig,
                                                            ShiroHttpServletRequest request)
        Returns a new ShiroHttpServletResponse instance, wrapping the orig argument, in order to provide correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not Servlet Container HTTP-based sessions).
        Parameters:
        orig - the original HttpServletResponse instance provided by the Servlet Container.
        request - the ShiroHttpServletRequest instance wrapping the original request.
        Returns:
        the wrapped ServletResponse instance to use during FilterChain execution.
        Since:
        1.0

      • prepareServletResponse

        protected javax.servlet.ServletResponse prepareServletResponse​(javax.servlet.ServletRequest request,
                                                               javax.servlet.ServletResponse response,
                                                               javax.servlet.FilterChain chain)
        Prepares the ServletResponse instance that will be passed to the FilterChain for request processing.

        This implementation delegates to wrapServletRequest(javax.servlet.http.HttpServletRequest) only if Shiro-based sessions are enabled (that is, !isHttpSessions()) and the request instance is a ShiroHttpServletRequest. This ensures that any URL rewriting that occurs is handled correctly using the Shiro-managed Session's sessionId and not a servlet container session ID.

        If HTTP-based sessions are enabled (the default), then this method does nothing and just returns the ServletResponse argument as-is, relying on the default Servlet Container URL rewriting logic.

        Parameters:
        request - the incoming ServletRequest
        response - the outgoing ServletResponse
        chain - the Servlet Container provided FilterChain that will receive the returned request.
        Returns:
        the ServletResponse instance that will be passed to the FilterChain during request processing.
        Since:
        1.0

      • createSubject

        protected WebSubject createSubject​(javax.servlet.ServletRequest request,
                                   javax.servlet.ServletResponse response)
        Creates a WebSubject instance to associate with the incoming request/response pair which will be used throughout the request/response execution.
        Parameters:
        request - the incoming ServletRequest
        response - the outgoing ServletResponse
        Returns:
        the WebSubject instance to associate with the request/response execution
        Since:
        1.0

      • updateSessionLastAccessTime

        protected void updateSessionLastAccessTime​(javax.servlet.ServletRequest request,
                                           javax.servlet.ServletResponse response)
        Updates any 'native' Session's last access time that might exist to the timestamp when this method is called. If native sessions are not enabled (that is, standard Servlet container sessions are being used) or there is no session (subject.getSession(false) == null), this method does nothing.

        This method implementation merely calls Session.touch() on the session.

        Parameters:
        request - incoming request - ignored, but available to subclasses that might wish to override this method
        response - outgoing response - ignored, but available to subclasses that might wish to override this method
        Since:
        1.0

      • getExecutionChain

        protected javax.servlet.FilterChain getExecutionChain​(javax.servlet.ServletRequest request,
                                                      javax.servlet.ServletResponse response,
                                                      javax.servlet.FilterChain origChain)
        Returns the FilterChain to execute for the given request.

        The origChain argument is the original FilterChain supplied by the Servlet Container, but it may be modified to provide more behavior by pre-pending further chains according to the Shiro configuration.

        This implementation returns the chain that will actually be executed by acquiring the chain from a filterChainResolver. The resolver determines exactly which chain to execute, typically based on URL configuration. If no chain is returned from the resolver call (returns null), then the origChain will be returned by default.

        Parameters:
        request - the incoming ServletRequest
        response - the outgoing ServletResponse
        origChain - the original FilterChain provided by the Servlet Container
        Returns:
        the FilterChain to execute for the given request
        Since:
        1.0

      • executeChain

        protected void executeChain​(javax.servlet.ServletRequest request,
                            javax.servlet.ServletResponse response,
                            javax.servlet.FilterChain origChain)
                     throws IOException,
                            javax.servlet.ServletException
        Executes a FilterChain for the given request.

        This implementation first delegates to getExecutionChain to allow the application's Shiro configuration to determine exactly how the chain should execute. The resulting value from that call is then executed directly by calling the returned FilterChain's doFilter method. That is: 

         FilterChain chain = getExecutionChain(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)(request, response, origChain);
 chain.doFilter(request,response);
        Parameters:
        request - the incoming ServletRequest
        response - the outgoing ServletResponse
        origChain - the Servlet Container-provided chain that may be wrapped further by an application-configured chain of Filters.
        Throws:
        IOException - if the underlying chain.doFilter call results in an IOException
        javax.servlet.ServletException - if the underlying chain.doFilter call results in a ServletException
        Since:
        1.0