/**
 * Determines whether the current subject may proceed with the current request.
 * <p/>
 * Access is granted when the superclass grants it (the user is authenticated). Otherwise a request that is
 * <em>not</em> a login request is still let through when the matched path is configured as "permissive".
 * <p/>
 * Note: in permissive mode unauthenticated requests reach the rest of the filter chain, so anything behind this
 * filter must enforce its own access rules rather than assume the caller has been authenticated here.
 *
 * @param request     the incoming ServletRequest
 * @param response    the outgoing ServletResponse
 * @param mappedValue the filter configuration for the matched path (inspected via {@link #isPermissive})
 * @return <code>true</code> if the request should be allowed access
 */
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
    if (super.isAccessAllowed(request, response, mappedValue)) {
        return true;
    }
    // A login request is never waved through on the permissive flag alone; it has to authenticate.
    if (isLoginRequest(request, response)) {
        return false;
    }
    return isPermissive(mappedValue);
}
/**
 * Treats a request as a login request exactly when it is a login attempt, by delegating to
 * {@link #isLoginAttempt(javax.servlet.ServletRequest, javax.servlet.ServletResponse) isLoginAttempt}.
 * The method is <code>final</code>; subclasses that need different detection presumably override
 * {@code isLoginAttempt} instead.
 *
 * @param request  the incoming ServletRequest
 * @param response the outgoing ServletResponse
 * @return <code>true</code> if the request is a login attempt
 */
@Override
protected final boolean isLoginRequest(ServletRequest request, ServletResponse response) {
    boolean attempt = isLoginAttempt(request, response);
    return attempt;
}
/**
 * Builds the authentication token for the current request from the submitted username and password
 * parameters (see {@link #getUsername} and {@link #getPassword}) and hands the rest of the token assembly to
 * {@link #createToken(String, String, javax.servlet.ServletRequest, javax.servlet.ServletResponse)}.
 *
 * @param request  the incoming ServletRequest carrying the login form parameters
 * @param response the outgoing ServletResponse
 * @return the token to submit for authentication
 */
protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
    String submittedUsername = getUsername(request);
    String submittedPassword = getPassword(request);
    return createToken(submittedUsername, submittedPassword, request, response);
}
/**
 * Processes unauthenticated requests using the two-stage request/challenge protocol: if the request carries
 * credentials (a login attempt) they are submitted via {@link #executeLogin}; whenever that does not result in
 * a successful login, a challenge is written to the response with {@link #sendChallenge} and the chain stops.
 *
 * @param request  incoming ServletRequest
 * @param response outgoing ServletResponse
 * @return <code>true</code> if the request should continue to be processed (login succeeded);
 *         <code>false</code> if a challenge was issued and processing must stop
 * @throws Exception if the login attempt or the challenge cannot be completed
 */
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
    // Only requests that actually present credentials are submitted for authentication.
    boolean authenticated = isLoginAttempt(request, response) && executeLogin(request, response);
    if (authenticated) {
        return true;
    }
    // No credentials, or the credentials were rejected: ask the client to authenticate.
    sendChallenge(request, response);
    return false;
}
/**
 * Determines whether the incoming request is an attempt to log in.
 * <p/>
 * The request's {@link #AUTHORIZATION_HEADER AUTHORIZATION_HEADER} value is read via {@link #getAuthzHeader};
 * a request without that header is never a login attempt. Otherwise the decision is delegated to
 * {@link #isLoginAttempt(String) isLoginAttempt(authzHeaderValue)}, which checks the authentication scheme.
 *
 * @param request  incoming ServletRequest
 * @param response outgoing ServletResponse
 * @return <code>true</code> if the request carries an Authorization header for this filter's scheme,
 *         <code>false</code> otherwise
 */
protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {
    String headerValue = getAuthzHeader(request);
    if (headerValue == null) {
        return false;
    }
    return isLoginAttempt(headerValue);
}
/**
 * Sets the login URL and keeps the filter's applied-paths registry in sync: the previously configured login
 * URL (if any) is unregistered and the new one is registered with no path-specific configuration
 * (<code>null</code>), presumably so that requests to the login URL itself pass through this filter.
 *
 * @param loginUrl the URL of the login page/endpoint
 */
@Override
public void setLoginUrl(String loginUrl) {
    String oldLoginUrl = getLoginUrl();
    if (oldLoginUrl != null) {
        this.appliedPaths.remove(oldLoginUrl);
    }
    super.setLoginUrl(loginUrl);
    if (log.isTraceEnabled()) {
        log.trace("Adding login url to applied paths.");
    }
    // Re-read the URL from the superclass rather than trusting the argument, in case it was normalized there.
    String newLoginUrl = getLoginUrl();
    this.appliedPaths.put(newLoginUrl, null);
}
/**
 * Completes token construction for a form login by adding the request-derived attributes: the "remember me"
 * choice (see {@link #isRememberMe}) and the client host (see {@link #getHost}).
 *
 * @param username the submitted username
 * @param password the submitted password
 * @param request  the incoming ServletRequest
 * @param response the outgoing ServletResponse
 * @return the fully populated token, as built by {@link #createToken(String, String, boolean, String)}
 */
protected AuthenticationToken createToken(String username, String password,
                                          ServletRequest request, ServletResponse response) {
    boolean rememberRequested = isRememberMe(request);
    String clientHost = getHost(request);
    return createToken(username, password, rememberRequested, clientHost);
}
/**
 * Redirects the user to the URL they originally attempted before being sent to login, falling back to the
 * configured {@link #getSuccessUrl() successUrl} when no saved request exists. The work is done entirely by
 * <code>{@link org.apache.shiro.web.util.WebUtils WebUtils}.{@link WebUtils#redirectToSavedRequest(javax.servlet.ServletRequest, javax.servlet.ServletResponse, String) redirectToSavedRequest}</code>.
 *
 * @param request  the incoming request
 * @param response the outgoing response
 * @throws Exception if there is a problem redirecting.
 */
protected void issueSuccessRedirect(ServletRequest request, ServletResponse response) throws Exception {
    String fallbackUrl = getSuccessUrl();
    WebUtils.redirectToSavedRequest(request, response, fallbackUrl);
}
/**
 * Handles a request that was not granted access. A request for the login page is allowed to continue down the
 * chain (so the page can be rendered); any other request is saved and the client is redirected to the login URL
 * via {@link #saveRequestAndRedirectToLogin}, which ends processing of the chain.
 *
 * @param request  the incoming ServletRequest
 * @param response the outgoing ServletResponse
 * @return <code>true</code> to continue the chain (login request), <code>false</code> after issuing the redirect
 * @throws Exception if the redirect cannot be issued
 */
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
    boolean loginRequest = isLoginRequest(request, response);
    if (!loginRequest) {
        saveRequestAndRedirectToLogin(request, response);
    }
    return loginRequest;
}
/**
 * Returns the redirect URL to send the user to after logout. This default implementation ignores its arguments
 * and answers the statically configured {@link #getRedirectUrl() redirectUrl} property; subclasses may override
 * it to derive the URL from the request or subject.
 * <p/>
 * Note: the Subject is <em>not</em> yet logged out when this method runs, so its session (if any) is still
 * accessible.
 * <p/>
 * Tip: when you need the session, prefer {@code Subject.}{@link Subject#getSession(boolean) getSession(false)}
 * so that no new session is created; a session created here would be stopped right after logout and only cost
 * session infrastructure resources.
 *
 * @param request  the incoming Servlet request
 * @param response the outgoing ServletResponse
 * @param subject  the not-yet-logged-out currently executing Subject
 * @return the redirect URL to send the user after logout.
 */
protected String getRedirectUrl(ServletRequest request, ServletResponse response, Subject subject) {
    String configuredUrl = getRedirectUrl();
    return configuredUrl;
}
/**
 * Overrides the default cleanup so that an {@link UnauthenticatedException} raised further down the chain
 * (directly, or as the cause of a {@link ServletException}) is turned into a normal access-denied response by
 * calling {@link #onAccessDenied}. If that call succeeds the original exception is swallowed; if it throws, the
 * new exception replaces the original one and is what the superclass cleanup sees. Any other exception is
 * passed through untouched.
 *
 * @param request  the incoming ServletRequest
 * @param response the outgoing ServletResponse
 * @param existing the exception raised during filtering, or <code>null</code> if there was none
 * @throws ServletException propagated from the superclass cleanup
 * @throws IOException      propagated from the superclass cleanup
 */
@Override
protected void cleanup(ServletRequest request, ServletResponse response, Exception existing)
        throws ServletException, IOException {
    boolean unauthenticated = existing instanceof UnauthenticatedException
            || (existing instanceof ServletException && existing.getCause() instanceof UnauthenticatedException);
    Exception toPropagate = existing;
    if (unauthenticated) {
        try {
            onAccessDenied(request, response);
            // The denial has been handled (challenge/redirect issued); nothing left to report upstream.
            toPropagate = null;
        } catch (Exception e) {
            toPropagate = e;
        }
    }
    super.cleanup(request, response, toPropagate);
}
}
/**
 * Called after a successful login: issues the post-login redirect (see {@link #issueSuccessRedirect}) and
 * stops the filter chain, since the response has already been committed to the redirect.
 *
 * @param token    the token that was successfully authenticated
 * @param subject  the now-authenticated Subject
 * @param request  the incoming ServletRequest
 * @param response the outgoing ServletResponse
 * @return always <code>false</code>: the redirect is the response, so the chain must not continue
 * @throws Exception if the redirect cannot be issued
 */
protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                 ServletRequest request, ServletResponse response) throws Exception {
    issueSuccessRedirect(request, response);
    // The redirect is the complete response; nothing further in the chain should run.
    return false;
}
/**
 * Default access-denied handling: saves the current request and redirects to the login URL via
 * {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse) saveRequestAndRedirectToLogin},
 * then returns <code>false</code> so the chain stops and the redirect can take effect.
 *
 * @param request  the incoming ServletRequest
 * @param response the outgoing ServletResponse
 * @return always <code>false</code>
 * @throws Exception if the request cannot be saved or the redirect cannot be issued
 */
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
    saveRequestAndRedirectToLogin(request, response);
    // The redirect has been written; do not let the protected resource run.
    return false;
}
}
/**
 * Creates a form authentication filter whose login URL starts out as {@link #DEFAULT_LOGIN_URL}.
 * Note that {@link #setLoginUrl} is overridable and is invoked here, during construction.
 */
public FormAuthenticationFilter() {
    this.setLoginUrl(DEFAULT_LOGIN_URL);
}
/**
 * Called when a form login attempt is rejected. The failure is logged at debug level (with the exception) and
 * recorded on the request via {@link #setFailureAttribute} — presumably for the login view to display; check
 * that the view does not echo raw exception text to the user. The request is then allowed to continue so the
 * login page is shown again.
 *
 * @param token    the token that failed authentication
 * @param e        the authentication exception describing the failure
 * @param request  the incoming ServletRequest
 * @param response the outgoing ServletResponse
 * @return always <code>true</code>: let the request continue back to the login page
 */
protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                 ServletRequest request, ServletResponse response) {
    if (log.isDebugEnabled()) {
        log.debug("Authentication exception", e);
    }
    setFailureAttribute(request, e);
    // The login page handles the failure; the chain keeps going.
    return true;
}
/**
 * Default implementation that returns <code>true</code> if the given <code>authzHeader</code> starts with the
 * configured {@link #getAuthzScheme() authzScheme}, compared case-insensitively, and <code>false</code> otherwise.
 * <p/>
 * Both values are lower-cased with a fixed {@code Locale.ENGLISH} (SHIRO-415) so that the comparison does not
 * depend on the JVM's default locale, whose case mappings (e.g. Turkish dotless/dotted i) could otherwise cause
 * a legitimate scheme to be mismatched or a different one to match.
 *
 * @param authzHeader the 'Authorization' header value (guaranteed to be non-null if the
 *                    {@link #isLoginAttempt(javax.servlet.ServletRequest, javax.servlet.ServletResponse)} method is not overriden).
 * @return <code>true</code> if the authzHeader value matches that configured as defined by
 *         the {@link #getAuthzScheme() authzScheme}.
 */
protected boolean isLoginAttempt(String authzHeader) {
    // SHIRO-415: locale-independent case folding for the scheme comparison.
    String expectedScheme = getAuthzScheme().toLowerCase(Locale.ENGLISH);
    String normalizedHeader = authzHeader.toLowerCase(Locale.ENGLISH);
    return normalizedHeader.startsWith(expectedScheme);
}
/**
 * Determines whether the current subject is authenticated.
 * <p/>
 * The default implementation {@link #getSubject(javax.servlet.ServletRequest, javax.servlet.ServletResponse) acquires}
 * the currently executing Subject and answers its
 * {@link org.apache.shiro.subject.Subject#isAuthenticated() subject.isAuthenticated()} state. Only a subject
 * that has actually authenticated passes; a merely remembered subject presumably does not (confirm against the
 * Subject implementation in use).
 *
 * @param request     the incoming ServletRequest
 * @param response    the outgoing ServletResponse
 * @param mappedValue the filter configuration for the matched path (unused here)
 * @return <code>true</code> if the subject is authenticated; <code>false</code> if the subject is unauthenticated
 */
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
    return getSubject(request, response).isAuthenticated();
}
/**
 * Reports whether the request asked for "remember me", by interpreting the request parameter named by
 * {@link #getRememberMeParam()} through {@link WebUtils#isTrue}.
 *
 * @param request the incoming ServletRequest
 * @return <code>true</code> if the remember-me parameter holds a true-ish value
 */
protected boolean isRememberMe(ServletRequest request) {
    String parameterName = getRememberMeParam();
    return WebUtils.isTrue(request, parameterName);
}
/**
 * Reads the submitted username from the request parameter named by {@link #getUsernameParam()},
 * cleaned via {@link WebUtils#getCleanParam}.
 *
 * @param request the incoming ServletRequest
 * @return the cleaned username parameter value, as returned by {@code WebUtils.getCleanParam}
 */
protected String getUsername(ServletRequest request) {
    String parameterName = getUsernameParam();
    return WebUtils.getCleanParam(request, parameterName);
}
/**
 * Reads the submitted password from the request parameter named by {@link #getPasswordParam()},
 * cleaned via {@link WebUtils#getCleanParam}. The value is a credential: do not log it or place it
 * in any request/session attribute.
 *
 * @param request the incoming ServletRequest
 * @return the cleaned password parameter value, as returned by {@code WebUtils.getCleanParam}
 */
protected String getPassword(ServletRequest request) {
    String parameterName = getPasswordParam();
    return WebUtils.getCleanParam(request, parameterName);
}