Package org.craftercms.security.servlet.filters

Class RequestSecurityFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, SecurityEnabledAware, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
    public class RequestSecurityFilter
extends org.springframework.web.filter.GenericFilterBean
implements SecurityEnabledAware
    Filter for running security. Uses a list of RequestSecurityProcessor. The last processor should basically call the filter chain.
    Author:
    Alfonso Vásquez

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      protected org.craftercms.commons.http.RequestContext createRequestContext​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Returns a new RequestContext, using the specified HttpServletRequest and HttpServletResponse.
      void doFilter​(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
      If securityEnabled, passes the request through the chain of RequestSecurityProcessors, depending if the request URL matches or not the urlsToInclude or the urlsToExclude.
      protected void doFilterInternal​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
      Passes the request through the chain of RequestSecurityProcessors.
      protected boolean excludeRequest​(javax.servlet.http.HttpServletRequest request)
      Returns trues if the request should be excluded from processing.
      protected RequestSecurityProcessor getLastProcessorInChain​(javax.servlet.FilterChain chain)
      Returns the last processor of the chain, which should actually call the FilterChain.
      protected boolean includeRequest​(javax.servlet.http.HttpServletRequest request)
      Returns trues if the request should be included for processing.
      void setSecurityEnabled​(boolean securityEnabled)
      Sets if security is enabled or disabled.
      void setSecurityProcessors​(List<RequestSecurityProcessor> securityProcessors)
      Sets the chain of RequestSecurityProcessor.
      void setUrlsToExclude​(String... urlsToExclude)
      Sets the regular expressions used to match the URLs of requests that should NOT be processed by the security chain.
      void setUrlsToInclude​(String... urlsToInclude)
      Sets the regular expressions used to match the URLs of requests that should be processed by the security chain.

      • Methods inherited from class org.springframework.web.filter.GenericFilterBean

        addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

    • Field Detail

      • securityEnabled

        protected boolean securityEnabled

      • urlsToInclude

        protected String[] urlsToInclude

      • urlsToExclude

        protected String[] urlsToExclude

      • pathMatcher

        protected org.springframework.util.PathMatcher pathMatcher

    • Constructor Detail

      • RequestSecurityFilter

        public RequestSecurityFilter()

    • Method Detail

      • setSecurityEnabled

        public void setSecurityEnabled​(boolean securityEnabled)
        Sets if security is enabled or disabled. If disabled, the security processor chain is not run.
        Specified by:
        setSecurityEnabled in interface SecurityEnabledAware

      • setUrlsToInclude

        public void setUrlsToInclude​(String... urlsToInclude)
        Sets the regular expressions used to match the URLs of requests that should be processed by the security chain.

      • setUrlsToExclude

        public void setUrlsToExclude​(String... urlsToExclude)
        Sets the regular expressions used to match the URLs of requests that should NOT be processed by the security chain.

      • doFilter

        public void doFilter​(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
        If securityEnabled, passes the request through the chain of RequestSecurityProcessors, depending if the request URL matches or not the urlsToInclude or the urlsToExclude. The last processor of the chain calls the actual filter chain.
        Specified by:
        doFilter in interface javax.servlet.Filter
        Parameters:
        request -
        response -
        chain -
        Throws:
        IOException
        javax.servlet.ServletException

      • doFilterInternal

        protected void doFilterInternal​(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response,
                                javax.servlet.FilterChain chain)
                         throws IOException,
                                javax.servlet.ServletException
        Passes the request through the chain of RequestSecurityProcessors.
        Parameters:
        request -
        response -
        chain -
        Throws:
        IOException
        javax.servlet.ServletException

      • excludeRequest

        protected boolean excludeRequest​(javax.servlet.http.HttpServletRequest request)
        Returns trues if the request should be excluded from processing.

      • includeRequest

        protected boolean includeRequest​(javax.servlet.http.HttpServletRequest request)
        Returns trues if the request should be included for processing.

      • createRequestContext

        protected org.craftercms.commons.http.RequestContext createRequestContext​(javax.servlet.http.HttpServletRequest request,
                                                                          javax.servlet.http.HttpServletResponse response)
        Returns a new RequestContext, using the specified HttpServletRequest and HttpServletResponse.

      • getLastProcessorInChain

        protected RequestSecurityProcessor getLastProcessorInChain​(javax.servlet.FilterChain chain)
        Returns the last processor of the chain, which should actually call the FilterChain.