Class HttpMethodPermissionFilter

java.lang.Object
org.apache.shiro.web.servlet.ServletContextSupport
org.apache.shiro.web.servlet.AbstractFilter
org.apache.shiro.web.servlet.NameableFilter
org.apache.shiro.web.servlet.OncePerRequestFilter
org.apache.shiro.web.servlet.AdviceFilter
org.apache.shiro.web.filter.PathMatchingFilter
org.apache.shiro.web.filter.AccessControlFilter
org.apache.shiro.web.filter.authz.AuthorizationFilter
org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
All Implemented Interfaces:
javax.servlet.Filter, org.apache.shiro.lang.util.Nameable, PathConfigProcessor
public class HttpMethodPermissionFilter extends PermissionsAuthorizationFilter
A filter that translates an HTTP Request's Method (e.g. GET, POST, etc.) into an corresponding action (verb) and uses that verb to construct a permission that will be checked to determine access.

This Filter is primarily provided to support REST environments where the type (Method) of request translates to an action being performed on one or more resources. This paradigm works well with Shiro's concepts of using permissions for access control and can be leveraged to easily perform permission checks.

This filter functions as follows:

  1. The incoming HTTP request's Method (GET, POST, PUT, DELETE, etc.) is discovered.
  2. The Method is translated into a more 'application friendly' verb, such as 'create', edit', 'delete', etc.
  3. The verb is appended to any configured permissions for the currently matching path.
  4. If the current Subject isPermitted to perform the resolved action, the request is allowed to continue.

For example, if the following filter chain was defined, where 'rest' was the name given to a filter instance of this class: 

 /user/** = rest[user]
Then an HTTP GET request to /user/1234 would translate to the constructed permission user:read (GET is mapped to the 'read' action) and execute the permission check Subject.isPermitted("user:read") in order to allow the request to continue.

Similarly, an HTTP POST to /user would translate to the constructed permission user:create (POST is mapped to the 'create' action) and execute the permission check Subject.isPermitted("user:create") in order to allow the request to continue.

Method To Verb Mapping

The following table represents the default HTTP Method-to-action verb mapping:
HTTP MethodMapped ActionExample PermissionRuntime Check
headreadperm1perm1:read
getreadperm2perm2:read
putupdateperm3perm3:update
postcreateperm4perm4:create
mkcolcreateperm5perm5:create
optionsreadperm6perm6:read
tracereadperm7perm7:read
Since:
1.0

  • Constructor Details

  • Method Details

    • getHttpMethodActions

      protected Map<String,String> getHttpMethodActions()
      Returns the HTTP Method name (key) to action verb (value) mapping used to resolve actions based on an incoming HttpServletRequest. All keys and values are lower-case. The default key/value pairs are defined in the top class-level JavaDoc.
      Returns:
      the HTTP Method lower-case name (key) to lower-case action verb (value) mapping

    • getHttpMethodAction

      protected String getHttpMethodAction(javax.servlet.ServletRequest request)
      Determines the action (verb) attempting to be performed on the filtered resource by the current request.

      This implementation expects the incoming request to be an HttpServletRequest and returns a mapped action based on the HTTP request method.

      Parameters:
      request - to pull the method from.
      Returns:
      The string equivalent verb of the http method.

    • getHttpMethodAction

      protected String getHttpMethodAction(String method)
      Determines the corresponding application action that will be performed on the filtered resource based on the specified HTTP method (GET, POST, etc.).
      Parameters:
      method - to be translated into the verb.
      Returns:
      The string equivalent verb of the method.

    • buildPermissions

      protected String[] buildPermissions(javax.servlet.http.HttpServletRequest request, String[] configuredPerms, String action)
      Returns a collection of String permissions with which to perform a permission check to determine if the filter will allow the request to continue.

      This implementation merely delegates to buildPermissions(String[], String) and ignores the inbound HTTP servlet request, but it can be overridden by subclasses for more complex request-specific building logic if necessary.

      Parameters:
      request - the inbound HTTP request - ignored in this implementation, but available to subclasses for more complex construction building logic if necessary
      configuredPerms - any url-specific permissions mapped to this filter in the URL rules mappings.
      action - the application-friendly action (verb) resolved based on the HTTP Method name.
      Returns:
      a collection of String permissions with which to perform a permission check to determine if the filter will allow the request to continue.

    • buildPermissions

      protected String[] buildPermissions(String[] configuredPerms, String action)
      Builds a new array of permission strings based on the original argument, appending the specified action verb to each one per WildcardPermission conventions. The built permission strings will be the ones used at runtime during the permission check that determines if filter access should be allowed to continue or not.

      For example, if the configuredPerms argument contains the following 3 permission strings:

      1. permission:one
      2. permission:two
      3. permission:three
      And the action is read, then the return value will be:
      1. permission:one:read
      2. permission:two:read
      3. permission:three:read
      per WildcardPermission conventions. Subclasses are of course free to override this method or the buildPermissions request variant for custom building logic or with different permission formats.
      Parameters:
      configuredPerms - list of configuredPerms to be converted.
      action - the resolved action based on the request method to be appended to permission strings.
      Returns:
      an array of permission strings with each element appended with the action.

    • isAccessAllowed

      public boolean isAccessAllowed(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, Object mappedValue) throws IOException
      Resolves an 'application friendly' action verb based on the HttpServletRequest's method, appends that action to each configured permission (the mappedValue argument is a String[] array), and delegates the permission check for the newly constructed permission(s) to the superclass isAccessAllowed implementation to perform the actual permission check.
      Overrides:
      isAccessAllowed in class PermissionsAuthorizationFilter
      Parameters:
      request - the inbound ServletRequest
      response - the outbound ServletResponse
      mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings.
      Returns:
      true if the request should proceed through the filter normally, false if the request should be processed by this filter's AccessControlFilter.onAccessDenied(ServletRequest, ServletResponse, Object) method instead.
      Throws:
      IOException