Class AbstractShiroFilter

java.lang.Object
org.apache.shiro.web.servlet.ServletContextSupport
org.apache.shiro.web.servlet.AbstractFilter
org.apache.shiro.web.servlet.NameableFilter
org.apache.shiro.web.servlet.OncePerRequestFilter
org.apache.shiro.web.servlet.AbstractShiroFilter
All Implemented Interfaces:
javax.servlet.Filter, org.apache.shiro.lang.util.Nameable
Direct Known Subclasses:
IniShiroFilter, ShiroFilter
public abstract class AbstractShiroFilter extends OncePerRequestFilter
Abstract base class that provides all standard Shiro request filtering behavior and expects subclasses to implement configuration-specific logic (INI, XML, .properties, etc.).

Subclasses should perform configuration and construction logic in an overridden init() method implementation. That implementation should make available any constructed SecurityManager and FilterChainResolver by calling setSecurityManager(org.apache.shiro.web.mgt.WebSecurityManager) and setFilterChainResolver(org.apache.shiro.web.filter.mgt.FilterChainResolver) methods respectively.

Static SecurityManager

By default, the SecurityManager instance enabled by this filter will not be enabled in static memory via the SecurityUtils. setSecurityManager method. Instead, it is expected that Subject instances will always be constructed on a request-processing thread via instances of this Filter class.

However, if you need to construct Subject instances on separate (non request-processing) threads, it might be easiest to enable the SecurityManager to be available in static memory via the SecurityUtils.getSecurityManager() method. You can do this by additionally specifying an init-param: 

 <filter>
     ... other config here ...
     <init-param>
         <param-name>staticSecurityManagerEnabled</param-name>
         <param-value>true</param-value>
     </init-param>
 </filter>
See the Shiro Subject documentation for more information as to if you would do this, particularly the sections on the Subject.Builder and Thread Association.
Since:
1.0
See Also:

  • Constructor Details

  • Method Details

    • getSecurityManager

      public WebSecurityManager getSecurityManager()

    • setSecurityManager

      public void setSecurityManager(WebSecurityManager sm)

    • getFilterChainResolver

      public FilterChainResolver getFilterChainResolver()

    • setFilterChainResolver

      public void setFilterChainResolver(FilterChainResolver filterChainResolver)

    • setShiroFilterConfiguration

      public void setShiroFilterConfiguration(ShiroFilterConfiguration config)

    • isStaticSecurityManagerEnabled

      public boolean isStaticSecurityManagerEnabled()
      Returns true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise.

      The default value is false.

      Returns:
      true if the constructed securityManager reference should be bound to static memory (via SecurityUtils.setSecurityManager), false otherwise.
      Since:
      1.2
      See Also:

    • setStaticSecurityManagerEnabled

      public void setStaticSecurityManagerEnabled(boolean staticSecurityManagerEnabled)
      Sets if the constructed securityManager reference should be bound to static memory (via SecurityUtils. setSecurityManager).

      The default value is false.

      Parameters:
      staticSecurityManagerEnabled - if the constructed securityManager reference should be bound to static memory (via SecurityUtils. setSecurityManager).
      Since:
      1.2
      See Also:

    • onFilterConfigSet

      protected final void onFilterConfigSet() throws Exception
      Description copied from class: AbstractFilter
      Template method to be overridden by subclasses to perform initialization logic at start-up. The ServletContext and FilterConfig will be accessible (and non-null) at the time this method is invoked via the getServletContext() and getFilterConfig() methods respectively.

      init-param values may be conveniently obtained via the AbstractFilter.getInitParam(String) method.

      Overrides:
      onFilterConfigSet in class AbstractFilter
      Throws:
      Exception - if the subclass has an error upon initialization.

    • init

      public void init() throws Exception
      Throws:
      Exception

    • createDefaultSecurityManager

      protected WebSecurityManager createDefaultSecurityManager()

    • isHttpSessions

      protected boolean isHttpSessions()

    • wrapServletRequest

      protected javax.servlet.ServletRequest wrapServletRequest(javax.servlet.http.HttpServletRequest orig)
      Wraps the original HttpServletRequest in a ShiroHttpServletRequest, which is required for supporting Servlet Specification behavior backed by a Subject instance.
      Parameters:
      orig - the original Servlet Container-provided incoming HttpServletRequest instance.
      Returns:
      ShiroHttpServletRequest instance wrapping the original.
      Since:
      1.0

    • prepareServletRequest

      protected javax.servlet.ServletRequest prepareServletRequest(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
      Prepares the ServletRequest instance that will be passed to the FilterChain for request processing.

      If the ServletRequest is an instance of HttpServletRequest, the value returned from this method is obtained by calling wrapServletRequest(javax.servlet.http.HttpServletRequest) to allow Shiro-specific HTTP behavior, otherwise the original ServletRequest argument is returned.

      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      chain - the Servlet Container provided FilterChain that will receive the returned request.
      Returns:
      the ServletRequest instance that will be passed to the FilterChain for request processing.
      Since:
      1.0

    • wrapServletResponse

      protected javax.servlet.ServletResponse wrapServletResponse(javax.servlet.http.HttpServletResponse orig, ShiroHttpServletRequest request)
      Returns a new ShiroHttpServletResponse instance, wrapping the orig argument, in order to provide correct URL rewriting behavior required by the Servlet Specification when using Shiro-based sessions (and not Servlet Container HTTP-based sessions).
      Parameters:
      orig - the original HttpServletResponse instance provided by the Servlet Container.
      request - the ShiroHttpServletRequest instance wrapping the original request.
      Returns:
      the wrapped ServletResponse instance to use during FilterChain execution.
      Since:
      1.0

    • prepareServletResponse

      protected javax.servlet.ServletResponse prepareServletResponse(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
      Prepares the ServletResponse instance that will be passed to the FilterChain for request processing.

      This implementation delegates to wrapServletRequest(javax.servlet.http.HttpServletRequest) only if Shiro-based sessions are enabled (that is, !isHttpSessions()) and the request instance is a ShiroHttpServletRequest. This ensures that any URL rewriting that occurs is handled correctly using the Shiro-managed Session's sessionId and not a servlet container session ID.

      If HTTP-based sessions are enabled (the default), then this method does nothing and just returns the ServletResponse argument as-is, relying on the default Servlet Container URL rewriting logic.

      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      chain - the Servlet Container provided FilterChain that will receive the returned request.
      Returns:
      the ServletResponse instance that will be passed to the FilterChain during request processing.
      Since:
      1.0

    • createSubject

      protected WebSubject createSubject(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
      Creates a WebSubject instance to associate with the incoming request/response pair which will be used throughout the request/response execution.
      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      Returns:
      the WebSubject instance to associate with the request/response execution
      Since:
      1.0

    • updateSessionLastAccessTime

      protected void updateSessionLastAccessTime(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
      Updates any 'native' Session's last access time that might exist to the timestamp when this method is called. If native sessions are not enabled (that is, standard Servlet container sessions are being used) or there is no session (subject.getSession(false) == null), this method does nothing.

      This method implementation merely calls Session.touch() on the session.

      Parameters:
      request - incoming request - ignored, but available to subclasses that might wish to override this method
      response - outgoing response - ignored, but available to subclasses that might wish to override this method
      Since:
      1.0

    • doFilterInternal

      protected void doFilterInternal(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain) throws javax.servlet.ServletException, IOException
      doFilterInternal implementation that sets-up, executes, and cleans-up a Shiro-filtered request. It performs the following ordered operations:
      1. Prepares the incoming ServletRequest for use during Shiro's processing
      2. Prepares the outgoing ServletResponse for use during Shiro's processing
      3. Creates a Subject instance based on the specified request/response pair.
      4. Finally executes the updateSessionLastAccessTime(javax.servlet.ServletRequest, javax.servlet.ServletResponse) and executeChain(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) methods

      The Subject.execute(Runnable) call in step #4 is used as an implementation technique to guarantee proper thread binding and restoration is completed successfully.

      Specified by:
      doFilterInternal in class OncePerRequestFilter
      Parameters:
      servletRequest - the incoming ServletRequest
      servletResponse - the outgoing ServletResponse
      chain - the container-provided FilterChain to execute
      Throws:
      IOException - if an IO error occurs
      javax.servlet.ServletException - if a Throwable other than an IOException

    • getExecutionChain

      protected javax.servlet.FilterChain getExecutionChain(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain origChain)
      Returns the FilterChain to execute for the given request.

      The origChain argument is the original FilterChain supplied by the Servlet Container, but it may be modified to provide more behavior by pre-pending further chains according to the Shiro configuration.

      This implementation returns the chain that will actually be executed by acquiring the chain from a filterChainResolver. The resolver determines exactly which chain to execute, typically based on URL configuration. If no chain is returned from the resolver call (returns null), then the origChain will be returned by default.

      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      origChain - the original FilterChain provided by the Servlet Container
      Returns:
      the FilterChain to execute for the given request
      Since:
      1.0

    • executeChain

      protected void executeChain(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain origChain) throws IOException, javax.servlet.ServletException
      Executes a FilterChain for the given request.

      This implementation first delegates to getExecutionChain to allow the application's Shiro configuration to determine exactly how the chain should execute. The resulting value from that call is then executed directly by calling the returned FilterChain's doFilter method. That is: 

       FilterChain chain = getExecutionChain(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)(request, response, origChain);
 chain.doFilter(request,response);
      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      origChain - the Servlet Container-provided chain that may be wrapped further by an application-configured chain of Filters.
      Throws:
      IOException - if the underlying chain.doFilter call results in an IOException
      javax.servlet.ServletException - if the underlying chain.doFilter call results in a ServletException
      Since:
      1.0