public SslFilter() { setPort(DEFAULT_HTTPS_PORT); }
/** * Returns a collection of String permissions with which to perform a permission check to determine if the filter * will allow the request to continue. * <p/> * This implementation merely delegates to {@link #buildPermissions(String[], String)} and ignores the inbound * HTTP servlet request, but it can be overridden by subclasses for more complex request-specific building logic * if necessary. * * @param request the inbound HTTP request - ignored in this implementation, but available to * subclasses for more complex construction building logic if necessary * @param configuredPerms any url-specific permissions mapped to this filter in the URL rules mappings. * @param action the application-friendly action (verb) resolved based on the HTTP Method name. * @return a collection of String permissions with which to perform a permission check to determine if the filter * will allow the request to continue. */ protected String[] buildPermissions(HttpServletRequest request, String[] configuredPerms, String action) { return buildPermissions(configuredPerms, action); }
/** * Resolves an 'application friendly' action verb based on the {@code HttpServletRequest}'s method, appends that * action to each configured permission (the {@code mappedValue} argument is a {@code String[]} array), and * delegates the permission check for the newly constructed permission(s) to the superclass * {@link PermissionsAuthorizationFilter#isAccessAllowed(javax.servlet.ServletRequest, javax.servlet.ServletResponse, Object) isAccessAllowed} * implementation to perform the actual permission check. * * @param request the inbound {@code ServletRequest} * @param response the outbound {@code ServletResponse} * @param mappedValue the filter-specific config value mapped to this filter in the URL rules mappings. * @return {@code true} if the request should proceed through the filter normally, {@code false} if the * request should be processed by this filter's * {@link #onAccessDenied(ServletRequest,ServletResponse,Object)} method instead. * @throws IOException */ @Override public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException { String[] perms = (String[]) mappedValue; // append the http action to the end of the permissions and then back to super String action = getHttpMethodAction(request); String[] resolvedPerms = buildPermissions(perms, action); return super.isAccessAllowed(request, response, resolvedPerms); } }
private void applyUnauthorizedUrlIfNecessary(Filter filter) { String unauthorizedUrl = getUnauthorizedUrl(); if (StringUtils.hasText(unauthorizedUrl) && (filter instanceof AuthorizationFilter)) { AuthorizationFilter authzFilter = (AuthorizationFilter) filter; //only apply the unauthorizedUrl if they haven't explicitly configured one already: String existingUnauthorizedUrl = authzFilter.getUnauthorizedUrl(); if (existingUnauthorizedUrl == null) { authzFilter.setUnauthorizedUrl(unauthorizedUrl); } } }
Subject subject = getSubject(request, response); saveRequestAndRedirectToLogin(request, response); } else { String unauthorizedUrl = getUnauthorizedUrl();
/** * Creates the filter instance with default method-to-action values in the instance's * {@link #getHttpMethodActions() http method actions map}. */ public HttpMethodPermissionFilter() { for (HttpMethodAction methodAction : HttpMethodAction.values()) { httpMethodActions.put(methodAction.name().toLowerCase(), methodAction.getAction()); } }
@Override protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException { HttpServletResponse httpResponse ; try { httpResponse = WebUtils.toHttp(response); } catch (ClassCastException ex) { // Not a HTTP Servlet operation return super.onAccessDenied(request, response) ; } if ( message == null ) httpResponse.sendError(HttpSC.FORBIDDEN_403) ; else httpResponse.sendError(HttpSC.FORBIDDEN_403, message) ; return false ; // No further processing. } }
/** * Determines the action (verb) attempting to be performed on the filtered resource by the current request. * <p/> * This implementation expects the incoming request to be an {@link HttpServletRequest} and returns a mapped * action based on the HTTP request {@link javax.servlet.http.HttpServletRequest#getMethod() method}. * * @param request to pull the method from. * @return The string equivalent verb of the http method. */ protected String getHttpMethodAction(ServletRequest request) { String method = ((HttpServletRequest) request).getMethod(); return getHttpMethodAction(method); }
/** * Determines the corresponding application action that will be performed on the filtered resource based on the * specified HTTP method (GET, POST, etc). * * @param method to be translated into the verb. * @return The string equivalent verb of the method. */ protected String getHttpMethodAction(String method) { String lc = method.toLowerCase(); String resolved = getHttpMethodActions().get(lc); return resolved != null ? resolved : method; }
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception { int requiredPort = toPort(mappedValue); int requestPort = request.getServerPort(); return requiredPort == requestPort; }
/** * Retains the parent method's port-matching behavior but additionally guarantees that the *{@code ServletRequest.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}. If the port does not match or * the request is not secure, access is denied. * * @param request the incoming {@code ServletRequest} * @param response the outgoing {@code ServletResponse} - ignored in this implementation * @param mappedValue the filter-specific config value mapped to this filter in the URL rules mappings - ignored by this implementation. * @return {@code true} if the request is received on an expected SSL port and the * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}, {@code false} otherwise. * @throws Exception if the call to {@code super.isAccessAllowed} throws an exception. * @since 1.2 */ @Override protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception { return super.isAccessAllowed(request, response, mappedValue) && request.isSecure(); } }
@SuppressWarnings({"unchecked"}) public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException { Subject subject = getSubject(request, response); String[] rolesArray = (String[]) mappedValue; if (rolesArray == null || rolesArray.length == 0) { //no roles specified, so nothing to check - allow access. return true; } Set<String> roles = CollectionUtils.asSet(rolesArray); return subject.hasAllRoles(roles); }
protected int toPort(Object mappedValue) { String[] ports = (String[]) mappedValue; if (ports == null || ports.length == 0) { return getPort(); } if (ports.length > 1) { throw new ConfigurationException("PortFilter can only be configured with a single port. You have " + "configured " + ports.length + ": " + StringUtils.toString(ports)); } return Integer.parseInt(ports[0]); }
public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException { Subject subject = getSubject(request, response); String[] perms = (String[]) mappedValue; boolean isPermitted = true; if (perms != null && perms.length > 0) { if (perms.length == 1) { if (!subject.isPermitted(perms[0])) { isPermitted = false; } } else { if (!subject.isPermittedAll(perms)) { isPermitted = false; } } } return isPermitted; } }
@Override public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception { boolean status = super.onPreHandle(request, response, mappedValue); if(Redis.getSession() == null || !status){ return false; } return true; } }
private void applyUnauthorizedUrlIfNecessary(Filter filter) { String unauthorizedUrl = GojaConfig.getProperty("shiro.unauthorizedUrl", "/"); if (StringUtils.hasText(unauthorizedUrl) && (filter instanceof AuthorizationFilter)) { AuthorizationFilter authzFilter = (AuthorizationFilter) filter; //only apply the unauthorizedUrl if they haven't explicitly configured one already: String existingUnauthorizedUrl = authzFilter.getUnauthorizedUrl(); if (existingUnauthorizedUrl == null) { authzFilter.setUnauthorizedUrl(unauthorizedUrl); } } }
@Override protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException { HttpServletResponse httpResponse ; try { httpResponse = WebUtils.toHttp(response); } catch (ClassCastException ex) { // Not a HTTP Servlet operation return super.onAccessDenied(request, response) ; } if ( message == null ) httpResponse.sendError(HttpSC.FORBIDDEN_403) ; else httpResponse.sendError(HttpSC.FORBIDDEN_403, message) ; return false ; // No further processing. } }
private void applyUnauthorizedUrlIfNecessary(Filter filter) { String unauthorizedUrl = getUnauthorizedUrl(); if (StringUtils.hasText(unauthorizedUrl) && (filter instanceof AuthorizationFilter)) { AuthorizationFilter authzFilter = (AuthorizationFilter) filter; //only apply the unauthorizedUrl if they haven't explicitly configured one already: String existingUnauthorizedUrl = authzFilter.getUnauthorizedUrl(); if (existingUnauthorizedUrl == null) { authzFilter.setUnauthorizedUrl(unauthorizedUrl); } } }
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException { if (RequestUtils.shouldUseNormalHttpRequestToProcess(request, requestProperties.isServiceOriented())) return super.onAccessDenied(request, response); Subject subject = getSubject(request, response); if (subject.getPrincipal() == null) { ResponseUtils.responseInvalidLogin(response, requestProperties.getInvalidLoginCode()); } else { ResponseUtils.responseInvalidPermission(response, requestProperties.getInvalidPermissionCode()); } return false; }