LoggingShiroFilter.java

/*
 * Copyright (C) 2014 Intel Corporation
 * All rights reserved.
 */
package com.intel.mtwilson.shiro;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.servlet.ShiroFilter;

/**
 * When using ShiroFilter, the subject is supposed to be automatically cleared
 * after the request processing {@link https://shiro.apache.org/subject.html}.
 * If it appears this isn't happening you can use this LoggingShiroFilter to
 * inspect the subject immediately before and after request execution.
 *
 * @author jbuhacoff
 */
public class LoggingShiroFilter extends ShiroFilter {

    private static final org.slf4j.Logger log = org.slf4j.LoggerFactory.getLogger(LoggingShiroFilter.class);

    @Override
    protected void executeChain(ServletRequest request, ServletResponse response, FilterChain origChain)
            throws IOException, ServletException {
        Subject subject = SecurityUtils.getSubject();
        log.debug("before executeChain subject authenticated? {}", subject.isAuthenticated()); // should be false!    but is true on second request...
        super.executeChain(request, response, origChain);
        log.debug("after executeChain subject authenticated? {}", subject.isAuthenticated()); // should be true!
        subject.logout();
        log.debug("after executeChain logout subject authenticated? {}", subject.isAuthenticated()); // should be true!
    }

    @Override
    protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws ServletException, IOException {
        try {
            log.debug("before doFilterInternal");
            // parent class initializes the subject in its doFilterInternal so there is nothing to log before parent executes
            super.doFilterInternal(servletRequest, servletResponse, chain);
//            Subject subject = SecurityUtils.getSubject();
//            log.debug("after doFilterInternal subject authenticated? {}", subject.isAuthenticated()); // should be false!   never get here...
            log.debug("after doFilterInternal; subject not bound to thread at this point");
        } finally {
//            Subject subject = SecurityUtils.getSubject();
//            log.debug("finally after doFilterInternal subject authenticated? {}", subject.isAuthenticated()); // should be false!
            log.debug("finally after doFilterInternal; subject not bound to thread at this point");
        }
    }
}