/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.shiro.web.filter.authz;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.StringUtils;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* Superclass for authorization-related filters. If an request is unauthorized, response handling is delegated to the
* {@link #onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse) onAccessDenied} method, which
* provides reasonable handling for most applications.
*
* @see #onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
* @since 0.9
*/
public abstract class AuthorizationFilter extends AccessControlFilter {
/**
* The URL to which users should be redirected if they are denied access to an underlying path or resource,
* {@code null} by default which will issue a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response
* (401 Unauthorized).
*/
private String unauthorizedUrl;
/**
* Returns the URL to which users should be redirected if they are denied access to an underlying path or resource,
* or {@code null} if a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response should be issued (401 Unauthorized).
* <p/>
* The default is {@code null}, ensuring default web server behavior. Override this default by calling the
* {@link #setUnauthorizedUrl(String) setUnauthorizedUrl} method with a meaningful path within your application
* if you would like to show the user a 'nice' page in the event of unauthorized access.
*
* @return the URL to which users should be redirected if they are denied access to an underlying path or resource,
* or {@code null} if a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response should be issued (401 Unauthorized).
*/
public String getUnauthorizedUrl() {
return unauthorizedUrl;
}
/**
* Sets the URL to which users should be redirected if they are denied access to an underlying path or resource.
* <p/>
* If the value is {@code null} a raw {@link HttpServletResponse#SC_UNAUTHORIZED} response will
* be issued (401 Unauthorized), retaining default web server behavior.
* <p/>
* Unless overridden by calling this method, the default value is {@code null}. If desired, you can specify a
* meaningful path within your application if you would like to show the user a 'nice' page in the event of
* unauthorized access.
*
* @param unauthorizedUrl the URL to which users should be redirected if they are denied access to an underlying
* path or resource, or {@code null} to a ensure raw {@link HttpServletResponse#SC_UNAUTHORIZED} response is
* issued (401 Unauthorized).
*/
public void setUnauthorizedUrl(String unauthorizedUrl) {
this.unauthorizedUrl = unauthorizedUrl;
}
/**
* Handles the response when access has been denied. It behaves as follows:
* <ul>
* <li>If the {@code Subject} is unknown<sup><a href="#known">[1]</a></sup>:
* <ol><li>The incoming request will be saved and they will be redirected to the login page for authentication
* (via the {@link #saveRequestAndRedirectToLogin(javax.servlet.ServletRequest, javax.servlet.ServletResponse)}
* method).</li>
* <li>Once successfully authenticated, they will be redirected back to the originally attempted page.</li></ol>
* </li>
* <li>If the Subject is known:</li>
* <ol>
* <li>The HTTP {@link HttpServletResponse#SC_UNAUTHORIZED} header will be set (401 Unauthorized)</li>
* <li>If the {@link #getUnauthorizedUrl() unauthorizedUrl} has been configured, a redirect will be issued to that
* URL. Otherwise the 401 response is rendered normally</li>
* </ul>
* <code><a name="known">[1]</a></code>: A {@code Subject} is 'known' when
* <code>subject.{@link org.apache.shiro.subject.Subject#getPrincipal() getPrincipal()}</code> is not {@code null},
* which implicitly means that the subject is either currently authenticated or they have been remembered via
* 'remember me' services.
*
* @param request the incoming <code>ServletRequest</code>
* @param response the outgoing <code>ServletResponse</code>
* @return {@code false} always for this implementation.
* @throws IOException if there is any servlet error.
*/
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
Subject subject = getSubject(request, response);
// If the subject isn't identified, redirect to login URL
if (subject.getPrincipal() == null) {
saveRequestAndRedirectToLogin(request, response);
} else {
// If subject is known but not authorized, redirect to the unauthorized URL if there is one
// If no unauthorized URL is specified, just return an unauthorized HTTP status code
String unauthorizedUrl = getUnauthorizedUrl();
//SHIRO-142 - ensure that redirect _or_ error code occurs - both cannot happen due to response commit:
if (StringUtils.hasText(unauthorizedUrl)) {
WebUtils.issueRedirect(request, response, unauthorizedUrl);
} else {
WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
}
return false;
}
}