Package org.apache.shiro.spring.web
Class ShiroFilterFactoryBean
java.lang.Object
org.apache.shiro.spring.web.ShiroFilterFactoryBean
All Implemented Interfaces: org.springframework.beans.factory.config.BeanPostProcessor, org.springframework.beans.factory.FactoryBean
public class ShiroFilterFactoryBean extends Object implements org.springframework.beans.factory.FactoryBean, org.springframework.beans.factory.config.BeanPostProcessor
FactoryBean to be used in Spring-based web applications for defining the master Shiro Filter.
Usage
Declare a DelegatingFilterProxy in web.xml, matching the filter name to the bean id:
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
Then, in your Spring XML file that defines your web ApplicationContext:
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <!-- other properties as necessary ... -->
    </bean>
Filter Auto-Discovery
While there is a filters property that allows you to assign filter beans to the 'pool' of filters available when defining filter chains, it is optional.
This implementation is also a BeanPostProcessor and will acquire any Filter beans defined independently in your Spring application context. Upon discovery, they will be automatically added to the map keyed by the bean ID. That ID can then be used in the filter chain definitions, for example:
    <bean id="myCustomFilter" class="com.class.that.implements.javax.servlet.Filter"/>
    ...
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        ...
        <property name="filterChainDefinitions">
            <value>
                /some/path/** = authc, myCustomFilter
            </value>
        </property>
    </bean>
Global Property Values
Most Shiro servlet Filter implementations exist for defining custom Filter chain definitions. Most implementations subclass one of the AccessControlFilter, AuthenticationFilter, AuthorizationFilter classes to simplify things, and each of these 3 classes has configurable properties that are application-specific.
A dilemma arises where, if you want to, for example, set the application's 'loginUrl' for any Filter, you don't want to have to manually specify that value for each filter instance defined.
To prevent configuration duplication, this implementation provides the following properties to allow you to set relevant values in only one place:
- loginUrl
- successUrl
- unauthorizedUrl
Then at startup, any values specified via these 3 properties will be applied to all configured Filter instances so you don't have to specify them individually on each filter instance. To ensure your own custom filters benefit from this convenience, your filter implementation should subclass one of the 3 mentioned earlier.
Since: 1.0
Field Summary
Fields inherited from interface org.springframework.beans.factory.FactoryBean: OBJECT_TYPE_ATTRIBUTE
Constructor Summary
ShiroFilterFactoryBean()
Method Summary
Each entry gives the modifier and type (where shown), the method, and its description.
- protected org.apache.shiro.web.filter.mgt.FilterChainManager createFilterChainManager()
- protected org.apache.shiro.web.servlet.AbstractShiroFilter createInstance(): This implementation: ensures the required securityManager property has been set; creates a FilterChainManager instance that reflects the configured filters and filter chain definitions; wraps the FilterChainManager with a suitable FilterChainResolver since the Shiro Filter implementations do not know of FilterChainManagers; sets both the SecurityManager and FilterChainResolver instances on a new Shiro Filter instance and returns that filter instance.
- getFilterChainDefinitionMap(): Returns the chainName-to-chainDefinition map of chain definitions to use for creating filter chains intercepted by the Shiro Filter.
- getFilters(): Returns the filterName-to-Filter map of filters available for reference when defining filter chain definitions.
- getLoginUrl(): Returns the application's login URL to be assigned to all acquired Filters that subclass AccessControlFilter or null if no value should be assigned globally.
- getObject(): Lazily creates and returns a AbstractShiroFilter concrete instance via the createInstance() method.
- getObjectType(): Returns AbstractShiroFilter.class
- org.apache.shiro.mgt.SecurityManager getSecurityManager(): Gets the application SecurityManager instance to be used by the constructed Shiro Filter.
- org.apache.shiro.web.config.ShiroFilterConfiguration getShiroFilterConfiguration(): Gets the application ShiroFilterConfiguration instance to be used by the constructed Shiro Filter.
- getSuccessUrl(): Returns the application's after-login success URL to be assigned to all acquired Filters that subclass AuthenticationFilter or null if no value should be assigned globally.
- getUnauthorizedUrl(): Returns the application's after-login success URL to be assigned to all acquired Filters that subclass AuthenticationFilter or null if no value should be assigned globally.
- boolean isSingleton(): Returns true always.
- Object postProcessAfterInitialization(Object bean, String beanName): Does nothing - only exists to satisfy the BeanPostProcessor interface and immediately returns the bean argument.
- Object postProcessBeforeInitialization(Object bean, String beanName): Inspects a bean, and if it implements the Filter interface, automatically adds that filter instance to the internal filters map that will be referenced later during filter chain construction.
- void setFilterChainDefinitionMap(Map<String, String> filterChainDefinitionMap): Sets the chainName-to-chainDefinition map of chain definitions to use for creating filter chains intercepted by the Shiro Filter.
- void setFilterChainDefinitions(String definitions): A convenience method that sets the filterChainDefinitionMap property by accepting a Properties-compatible string (multi-line key/value pairs).
- void setFilters(Map<String, javax.servlet.Filter> filters): Sets the filterName-to-Filter map of filters available for reference when creating filter chain definitions.
- void setGlobalFilters(List<String> globalFilters): Sets the list of filters that will be executed against every request.
- void setLoginUrl(String loginUrl): Sets the application's login URL to be assigned to all acquired Filters that subclass AccessControlFilter.
- void setSecurityManager(org.apache.shiro.mgt.SecurityManager securityManager): Sets the application SecurityManager instance to be used by the constructed Shiro Filter.
- void setShiroFilterConfiguration(org.apache.shiro.web.config.ShiroFilterConfiguration filterConfiguration): Sets the application ShiroFilterConfiguration instance to be used by the constructed Shiro Filter.
- void setSuccessUrl(String successUrl): Sets the application's after-login success URL to be assigned to all acquired Filters that subclass AuthenticationFilter.
- void setUnauthorizedUrl(String unauthorizedUrl): Sets the application's 'unauthorized' URL to be assigned to all acquired Filters that subclass AuthorizationFilter.
Constructor Details
ShiroFilterFactoryBean
public ShiroFilterFactoryBean()
Method Details

getSecurityManager
public org.apache.shiro.mgt.SecurityManager getSecurityManager()
Gets the application SecurityManager instance to be used by the constructed Shiro Filter. This is a required property - failure to set it will throw an initialization exception.
Returns: the application SecurityManager instance to be used by the constructed Shiro Filter.

setSecurityManager
public void setSecurityManager(org.apache.shiro.mgt.SecurityManager securityManager)
Sets the application SecurityManager instance to be used by the constructed Shiro Filter. This is a required property - failure to set it will throw an initialization exception.
Parameters: securityManager - the application SecurityManager instance to be used by the constructed Shiro Filter.

getShiroFilterConfiguration
public org.apache.shiro.web.config.ShiroFilterConfiguration getShiroFilterConfiguration()
Gets the application ShiroFilterConfiguration instance to be used by the constructed Shiro Filter.
Returns: the application ShiroFilterConfiguration instance to be used by the constructed Shiro Filter.

setShiroFilterConfiguration
public void setShiroFilterConfiguration(org.apache.shiro.web.config.ShiroFilterConfiguration filterConfiguration)
Sets the application ShiroFilterConfiguration instance to be used by the constructed Shiro Filter.
Parameters: filterConfiguration - the application SecurityManager instance to be used by the constructed Shiro Filter.

getLoginUrl
Returns the application's login URL to be assigned to all acquired Filters that subclass AccessControlFilter or null if no value should be assigned globally. The default value is null.
Returns: the application's login URL to be assigned to all acquired Filters that subclass AccessControlFilter or null if no value should be assigned globally.

setLoginUrl
Sets the application's login URL to be assigned to all acquired Filters that subclass AccessControlFilter. This is a convenience mechanism: for all configured filters, as well as for any default ones (authc, user, etc.), this value will be passed on to each Filter via the AccessControlFilter.setLoginUrl(String) method*. This eliminates the need to configure the 'loginUrl' property manually on each filter instance, and instead that can be configured once via this attribute.
*If a filter has already been explicitly configured with a value, it will not receive this value. Individual filter configuration overrides this global convenience property.
Parameters: loginUrl - the application's login URL to apply as a convenience to all discovered AccessControlFilter instances.

getSuccessUrl
Returns the application's after-login success URL to be assigned to all acquired Filters that subclass AuthenticationFilter or null if no value should be assigned globally. The default value is null.
Returns: the application's after-login success URL to be assigned to all acquired Filters that subclass AuthenticationFilter or null if no value should be assigned globally.

setSuccessUrl
Sets the application's after-login success URL to be assigned to all acquired Filters that subclass AuthenticationFilter. This is a convenience mechanism: for all configured filters, as well as for any default ones (authc, user, etc.), this value will be passed on to each Filter via the AuthenticationFilter.setSuccessUrl(String) method*. This eliminates the need to configure the 'successUrl' property manually on each filter instance, and instead that can be configured once via this attribute.
*If a filter has already been explicitly configured with a value, it will not receive this value. Individual filter configuration overrides this global convenience property.
Parameters: successUrl - the application's after-login success URL to apply as a convenience to all discovered AccessControlFilter instances.

getUnauthorizedUrl
Returns the application's after-login success URL to be assigned to all acquired Filters that subclass AuthenticationFilter or null if no value should be assigned globally. The default value is null.
Returns: the application's after-login success URL to be assigned to all acquired Filters that subclass AuthenticationFilter or null if no value should be assigned globally.

setUnauthorizedUrl
Sets the application's 'unauthorized' URL to be assigned to all acquired Filters that subclass AuthorizationFilter. This is a convenience mechanism: for all configured filters, as well as for any default ones (roles, perms, etc.), this value will be passed on to each Filter via the AuthorizationFilter.setUnauthorizedUrl(String) method*. This eliminates the need to configure the 'unauthorizedUrl' property manually on each filter instance, and instead that can be configured once via this attribute.
*If a filter has already been explicitly configured with a value, it will not receive this value. Individual filter configuration overrides this global convenience property.
Parameters: unauthorizedUrl - the application's 'unauthorized' URL to apply as a convenience to all discovered AuthorizationFilter instances.

getFilters
Returns the filterName-to-Filter map of filters available for reference when defining filter chain definitions. All filter chain definitions will reference filters by the names in this map (i.e. the keys).
Returns: the filterName-to-Filter map of filters available for reference when defining filter chain definitions.

setFilters
Sets the filterName-to-Filter map of filters available for reference when creating filter chain definitions.
Note: This property is optional: this FactoryBean implementation will discover all beans in the web application context that implement the Filter interface and automatically add them to this filter map under their bean name. For example, just defining this bean in a web Spring XML application context:
    <bean id="myFilter" class="com.class.that.implements.javax.servlet.Filter">
        ...
    </bean>
Will automatically place that bean into this Filters map under the key 'myFilter'.
Parameters: filters - the optional filterName-to-Filter map of filters available for reference when creating filter chain definitions.

getFilterChainDefinitionMap
Returns the chainName-to-chainDefinition map of chain definitions to use for creating filter chains intercepted by the Shiro Filter. Each map entry should conform to the format defined by the FilterChainManager.createChain(String, String) JavaDoc, where the map key is the chain name (e.g. URL path expression) and the map value is the comma-delimited string chain definition.
Returns: the chainName-to-chainDefinition map of chain definitions to use for creating filter chains intercepted by the Shiro Filter.

setFilterChainDefinitionMap
Sets the chainName-to-chainDefinition map of chain definitions to use for creating filter chains intercepted by the Shiro Filter. Each map entry should conform to the format defined by the FilterChainManager.createChain(String, String) JavaDoc, where the map key is the chain name (e.g. URL path expression) and the map value is the comma-delimited string chain definition.
Parameters: filterChainDefinitionMap - the chainName-to-chainDefinition map of chain definitions to use for creating filter chains intercepted by the Shiro Filter.

setFilterChainDefinitions
A convenience method that sets the filterChainDefinitionMap property by accepting a Properties-compatible string (multi-line key/value pairs). Each key/value pair must conform to the format defined by the FilterChainManager.createChain(String,String) JavaDoc - each property key is an ant URL path expression and the value is the comma-delimited chain definition.
Parameters: definitions - a Properties-compatible string (multi-line key/value pairs) where each key/value pair represents a single urlPathExpression-commaDelimitedChainDefinition.

setGlobalFilters
Sets the list of filters that will be executed against every request. Defaults to the InvalidRequestFilter which will block known invalid request attacks.
Parameters: globalFilters - the list of filters to execute before specific path filters.
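
The following Java configuration is an added example, not code from the Shiro project; it combines the global URL properties, the chain definition map and the global filter list documented above. The class name ShiroWebConfig, the URL paths and the adminAuthc filter name are assumptions, and a SecurityManager bean is assumed to be defined elsewhere. Chains are evaluated in the order they were added and the first matching path wins, so an ordered map is used with the catch-all last.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.filter.mgt.DefaultFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical configuration class; paths and filter names are illustrative.
@Configuration
public class ShiroWebConfig {

    @Bean
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager); // required property

        // Global values, passed at startup to every filter that was not
        // explicitly configured with its own value.
        factory.setLoginUrl("/login");
        factory.setSuccessUrl("/home");
        factory.setUnauthorizedUrl("/forbidden");

        // Individual filter configuration overrides the global loginUrl.
        // The filter is registered in the filters map under "adminAuthc".
        FormAuthenticationFilter adminAuthc = new FormAuthenticationFilter();
        adminAuthc.setLoginUrl("/admin/login");
        factory.getFilters().put("adminAuthc", adminAuthc);

        // setGlobalFilters replaces the default list, so a custom list must
        // still name invalidRequest or the InvalidRequestFilter stops running.
        factory.setGlobalFilters(
                Arrays.asList(DefaultFilter.invalidRequest.name()));

        // Ordered map: first matching path wins, so specific paths go first.
        Map<String, String> chains = new LinkedHashMap<>();
        chains.put("/static/**", "anon");
        chains.put("/login", "authc");
        chains.put("/admin/login", "adminAuthc");
        chains.put("/admin/**", "adminAuthc, roles[admin]");
        chains.put("/**", "authc"); // anything not listed above requires login
        factory.setFilterChainDefinitionMap(chains);
        return factory;
    }
}
```

Placing the "/**" entry before the "/admin/**" entry would leave admin paths protected only by authc, because the roles check in the later chain would never be reached.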

getObject
Lazily creates and returns a AbstractShiroFilter concrete instance via the createInstance() method.
Specified by: getObject in interface org.springframework.beans.factory.FactoryBean
Returns: the application's Shiro Filter instance used to filter incoming web requests.
Throws: Exception - if there is a problem creating the Filter instance.

getObjectType
Returns AbstractShiroFilter.class
Specified by: getObjectType in interface org.springframework.beans.factory.FactoryBean
Returns: AbstractShiroFilter.class

isSingleton
public boolean isSingleton()
Returns true always. There is almost always only ever 1 Shiro Filter per web application.
Specified by: isSingleton in interface org.springframework.beans.factory.FactoryBean
Returns: true always. There is almost always only ever 1 Shiro Filter per web application.

createFilterChainManager
protected org.apache.shiro.web.filter.mgt.FilterChainManager createFilterChainManager()

createInstance
This implementation:
- Ensures the required securityManager property has been set
- Creates a FilterChainManager instance that reflects the configured filters and filter chain definitions
- Wraps the FilterChainManager with a suitable FilterChainResolver since the Shiro Filter implementations do not know of FilterChainManagers
- Sets both the SecurityManager and FilterChainResolver instances on a new Shiro Filter instance and returns that filter instance.
Returns: a new Shiro Filter reflecting any configured filters and filter chain definitions.
Throws: Exception - if there is a problem creating the AbstractShiroFilter instance.

postProcessBeforeInitialization
public Object postProcessBeforeInitialization(Object bean, String beanName) throws org.springframework.beans.BeansException
Inspects a bean, and if it implements the Filter interface, automatically adds that filter instance to the internal filters map that will be referenced later during filter chain construction.
Specified by: postProcessBeforeInitialization in interface org.springframework.beans.factory.config.BeanPostProcessor
Throws: org.springframework.beans.BeansException

postProcessAfterInitialization
public Object postProcessAfterInitialization(Object bean, String beanName) throws org.springframework.beans.BeansException
Does nothing - only exists to satisfy the BeanPostProcessor interface and immediately returns the bean argument.
Specified by: postProcessAfterInitialization in interface org.springframework.beans.factory.config.BeanPostProcessor
Throws: org.springframework.beans.BeansException