Google Git
Sign in
apache / shiro-site / 01016f43374d9b054f3ea1e568b015d5d69428f9 / . / src / site / assets / static / 1.11.0 / shiro-web / apidocs / src-html / org / apache / shiro / web / filter / authc / FormAuthenticationFilter.html
blob: 9a091e6cf581c9e7b0dd841181718cac7c9190c2 [file] [log] [blame]
<!DOCTYPE HTML>
<html lang="en">
<head>
<title>Source code</title>
<link rel="stylesheet" type="text/css" href="../../../../../../../stylesheet.css" title="Style">
</head>
<body>
<main role="main">
<div class="sourceContainer">
<pre><span class="sourceLineNo">001</span><a id="line.1">/*</a>
<span class="sourceLineNo">002</span><a id="line.2"> * Licensed to the Apache Software Foundation (ASF) under one</a>
<span class="sourceLineNo">003</span><a id="line.3"> * or more contributor license agreements. See the NOTICE file</a>
<span class="sourceLineNo">004</span><a id="line.4"> * distributed with this work for additional information</a>
<span class="sourceLineNo">005</span><a id="line.5"> * regarding copyright ownership. The ASF licenses this file</a>
<span class="sourceLineNo">006</span><a id="line.6"> * to you under the Apache License, Version 2.0 (the</a>
<span class="sourceLineNo">007</span><a id="line.7"> * "License"); you may not use this file except in compliance</a>
<span class="sourceLineNo">008</span><a id="line.8"> * with the License. You may obtain a copy of the License at</a>
<span class="sourceLineNo">009</span><a id="line.9"> *</a>
<span class="sourceLineNo">010</span><a id="line.10"> * http://www.apache.org/licenses/LICENSE-2.0</a>
<span class="sourceLineNo">011</span><a id="line.11"> *</a>
<span class="sourceLineNo">012</span><a id="line.12"> * Unless required by applicable law or agreed to in writing,</a>
<span class="sourceLineNo">013</span><a id="line.13"> * software distributed under the License is distributed on an</a>
<span class="sourceLineNo">014</span><a id="line.14"> * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY</a>
<span class="sourceLineNo">015</span><a id="line.15"> * KIND, either express or implied. See the License for the</a>
<span class="sourceLineNo">016</span><a id="line.16"> * specific language governing permissions and limitations</a>
<span class="sourceLineNo">017</span><a id="line.17"> * under the License.</a>
<span class="sourceLineNo">018</span><a id="line.18"> */</a>
<span class="sourceLineNo">019</span><a id="line.19">package org.apache.shiro.web.filter.authc;</a>
<span class="sourceLineNo">020</span><a id="line.20"></a>
<span class="sourceLineNo">021</span><a id="line.21">import org.apache.shiro.authc.AuthenticationException;</a>
<span class="sourceLineNo">022</span><a id="line.22">import org.apache.shiro.authc.AuthenticationToken;</a>
<span class="sourceLineNo">023</span><a id="line.23">import org.apache.shiro.authc.UsernamePasswordToken;</a>
<span class="sourceLineNo">024</span><a id="line.24">import org.apache.shiro.subject.Subject;</a>
<span class="sourceLineNo">025</span><a id="line.25">import org.apache.shiro.web.util.WebUtils;</a>
<span class="sourceLineNo">026</span><a id="line.26">import org.slf4j.Logger;</a>
<span class="sourceLineNo">027</span><a id="line.27">import org.slf4j.LoggerFactory;</a>
<span class="sourceLineNo">028</span><a id="line.28"></a>
<span class="sourceLineNo">029</span><a id="line.29">import javax.servlet.ServletRequest;</a>
<span class="sourceLineNo">030</span><a id="line.30">import javax.servlet.ServletResponse;</a>
<span class="sourceLineNo">031</span><a id="line.31">import javax.servlet.http.HttpServletRequest;</a>
<span class="sourceLineNo">032</span><a id="line.32"></a>
<span class="sourceLineNo">033</span><a id="line.33"></a>
<span class="sourceLineNo">034</span><a id="line.34">/**</a>
<span class="sourceLineNo">035</span><a id="line.35"> * Requires the requesting user to be authenticated for the request to continue, and if they are not, forces the user</a>
<span class="sourceLineNo">036</span><a id="line.36"> * to login via by redirecting them to the {@link #setLoginUrl(String) loginUrl} you configure.</a>
<span class="sourceLineNo">037</span><a id="line.37"> * &lt;p/&gt;</a>
<span class="sourceLineNo">038</span><a id="line.38"> * &lt;p&gt;This filter constructs a {@link UsernamePasswordToken UsernamePasswordToken} with the values found in</a>
<span class="sourceLineNo">039</span><a id="line.39"> * {@link #setUsernameParam(String) username}, {@link #setPasswordParam(String) password},</a>
<span class="sourceLineNo">040</span><a id="line.40"> * and {@link #setRememberMeParam(String) rememberMe} request parameters. It then calls</a>
<span class="sourceLineNo">041</span><a id="line.41"> * {@link org.apache.shiro.subject.Subject#login(org.apache.shiro.authc.AuthenticationToken) Subject.login(usernamePasswordToken)},</a>
<span class="sourceLineNo">042</span><a id="line.42"> * effectively automatically performing a login attempt. Note that the login attempt will only occur when the</a>
<span class="sourceLineNo">043</span><a id="line.43"> * {@link #isLoginSubmission(javax.servlet.ServletRequest, javax.servlet.ServletResponse) isLoginSubmission(request,response)}</a>
<span class="sourceLineNo">044</span><a id="line.44"> * is &lt;code&gt;true&lt;/code&gt;, which by default occurs when the request is for the {@link #setLoginUrl(String) loginUrl} and</a>
<span class="sourceLineNo">045</span><a id="line.45"> * is a POST request.</a>
<span class="sourceLineNo">046</span><a id="line.46"> * &lt;p/&gt;</a>
<span class="sourceLineNo">047</span><a id="line.47"> * &lt;p&gt;If the login attempt fails, the resulting &lt;code&gt;AuthenticationException&lt;/code&gt; fully qualified class name will</a>
<span class="sourceLineNo">048</span><a id="line.48"> * be set as a request attribute under the {@link #setFailureKeyAttribute(String) failureKeyAttribute} key. This</a>
<span class="sourceLineNo">049</span><a id="line.49"> * FQCN can be used as an i18n key or lookup mechanism to explain to the user why their login attempt failed</a>
<span class="sourceLineNo">050</span><a id="line.50"> * (e.g. no account, incorrect password, etc).</a>
<span class="sourceLineNo">051</span><a id="line.51"> * &lt;p/&gt;</a>
<span class="sourceLineNo">052</span><a id="line.52"> * &lt;p&gt;If you would prefer to handle the authentication validation and login in your own code, consider using the</a>
<span class="sourceLineNo">053</span><a id="line.53"> * {@link PassThruAuthenticationFilter} instead, which allows requests to the</a>
<span class="sourceLineNo">054</span><a id="line.54"> * {@link #loginUrl} to pass through to your application's code directly.</a>
<span class="sourceLineNo">055</span><a id="line.55"> *</a>
<span class="sourceLineNo">056</span><a id="line.56"> * @see PassThruAuthenticationFilter</a>
<span class="sourceLineNo">057</span><a id="line.57"> * @since 0.9</a>
<span class="sourceLineNo">058</span><a id="line.58"> */</a>
<span class="sourceLineNo">059</span><a id="line.59">public class FormAuthenticationFilter extends AuthenticatingFilter {</a>
<span class="sourceLineNo">060</span><a id="line.60"></a>
<span class="sourceLineNo">061</span><a id="line.61"> //TODO - complete JavaDoc</a>
<span class="sourceLineNo">062</span><a id="line.62"></a>
<span class="sourceLineNo">063</span><a id="line.63"> public static final String DEFAULT_ERROR_KEY_ATTRIBUTE_NAME = "shiroLoginFailure";</a>
<span class="sourceLineNo">064</span><a id="line.64"></a>
<span class="sourceLineNo">065</span><a id="line.65"> public static final String DEFAULT_USERNAME_PARAM = "username";</a>
<span class="sourceLineNo">066</span><a id="line.66"> public static final String DEFAULT_PASSWORD_PARAM = "password";</a>
<span class="sourceLineNo">067</span><a id="line.67"> public static final String DEFAULT_REMEMBER_ME_PARAM = "rememberMe";</a>
<span class="sourceLineNo">068</span><a id="line.68"></a>
<span class="sourceLineNo">069</span><a id="line.69"> private static final Logger log = LoggerFactory.getLogger(FormAuthenticationFilter.class);</a>
<span class="sourceLineNo">070</span><a id="line.70"></a>
<span class="sourceLineNo">071</span><a id="line.71"> private String usernameParam = DEFAULT_USERNAME_PARAM;</a>
<span class="sourceLineNo">072</span><a id="line.72"> private String passwordParam = DEFAULT_PASSWORD_PARAM;</a>
<span class="sourceLineNo">073</span><a id="line.73"> private String rememberMeParam = DEFAULT_REMEMBER_ME_PARAM;</a>
<span class="sourceLineNo">074</span><a id="line.74"></a>
<span class="sourceLineNo">075</span><a id="line.75"> private String failureKeyAttribute = DEFAULT_ERROR_KEY_ATTRIBUTE_NAME;</a>
<span class="sourceLineNo">076</span><a id="line.76"></a>
<span class="sourceLineNo">077</span><a id="line.77"> public FormAuthenticationFilter() {</a>
<span class="sourceLineNo">078</span><a id="line.78"> setLoginUrl(DEFAULT_LOGIN_URL);</a>
<span class="sourceLineNo">079</span><a id="line.79"> }</a>
<span class="sourceLineNo">080</span><a id="line.80"></a>
<span class="sourceLineNo">081</span><a id="line.81"> @Override</a>
<span class="sourceLineNo">082</span><a id="line.82"> public void setLoginUrl(String loginUrl) {</a>
<span class="sourceLineNo">083</span><a id="line.83"> String previous = getLoginUrl();</a>
<span class="sourceLineNo">084</span><a id="line.84"> if (previous != null) {</a>
<span class="sourceLineNo">085</span><a id="line.85"> this.appliedPaths.remove(previous);</a>
<span class="sourceLineNo">086</span><a id="line.86"> }</a>
<span class="sourceLineNo">087</span><a id="line.87"> super.setLoginUrl(loginUrl);</a>
<span class="sourceLineNo">088</span><a id="line.88"> if (log.isTraceEnabled()) {</a>
<span class="sourceLineNo">089</span><a id="line.89"> log.trace("Adding login url to applied paths.");</a>
<span class="sourceLineNo">090</span><a id="line.90"> }</a>
<span class="sourceLineNo">091</span><a id="line.91"> this.appliedPaths.put(getLoginUrl(), null);</a>
<span class="sourceLineNo">092</span><a id="line.92"> }</a>
<span class="sourceLineNo">093</span><a id="line.93"></a>
<span class="sourceLineNo">094</span><a id="line.94"> public String getUsernameParam() {</a>
<span class="sourceLineNo">095</span><a id="line.95"> return usernameParam;</a>
<span class="sourceLineNo">096</span><a id="line.96"> }</a>
<span class="sourceLineNo">097</span><a id="line.97"></a>
<span class="sourceLineNo">098</span><a id="line.98"> /**</a>
<span class="sourceLineNo">099</span><a id="line.99"> * Sets the request parameter name to look for when acquiring the username. Unless overridden by calling this</a>
<span class="sourceLineNo">100</span><a id="line.100"> * method, the default is &lt;code&gt;username&lt;/code&gt;.</a>
<span class="sourceLineNo">101</span><a id="line.101"> *</a>
<span class="sourceLineNo">102</span><a id="line.102"> * @param usernameParam the name of the request param to check for acquiring the username.</a>
<span class="sourceLineNo">103</span><a id="line.103"> */</a>
<span class="sourceLineNo">104</span><a id="line.104"> public void setUsernameParam(String usernameParam) {</a>
<span class="sourceLineNo">105</span><a id="line.105"> this.usernameParam = usernameParam;</a>
<span class="sourceLineNo">106</span><a id="line.106"> }</a>
<span class="sourceLineNo">107</span><a id="line.107"></a>
<span class="sourceLineNo">108</span><a id="line.108"> public String getPasswordParam() {</a>
<span class="sourceLineNo">109</span><a id="line.109"> return passwordParam;</a>
<span class="sourceLineNo">110</span><a id="line.110"> }</a>
<span class="sourceLineNo">111</span><a id="line.111"></a>
<span class="sourceLineNo">112</span><a id="line.112"> /**</a>
<span class="sourceLineNo">113</span><a id="line.113"> * Sets the request parameter name to look for when acquiring the password. Unless overridden by calling this</a>
<span class="sourceLineNo">114</span><a id="line.114"> * method, the default is &lt;code&gt;password&lt;/code&gt;.</a>
<span class="sourceLineNo">115</span><a id="line.115"> *</a>
<span class="sourceLineNo">116</span><a id="line.116"> * @param passwordParam the name of the request param to check for acquiring the password.</a>
<span class="sourceLineNo">117</span><a id="line.117"> */</a>
<span class="sourceLineNo">118</span><a id="line.118"> public void setPasswordParam(String passwordParam) {</a>
<span class="sourceLineNo">119</span><a id="line.119"> this.passwordParam = passwordParam;</a>
<span class="sourceLineNo">120</span><a id="line.120"> }</a>
<span class="sourceLineNo">121</span><a id="line.121"></a>
<span class="sourceLineNo">122</span><a id="line.122"> public String getRememberMeParam() {</a>
<span class="sourceLineNo">123</span><a id="line.123"> return rememberMeParam;</a>
<span class="sourceLineNo">124</span><a id="line.124"> }</a>
<span class="sourceLineNo">125</span><a id="line.125"></a>
<span class="sourceLineNo">126</span><a id="line.126"> /**</a>
<span class="sourceLineNo">127</span><a id="line.127"> * Sets the request parameter name to look for when acquiring the rememberMe boolean value. Unless overridden</a>
<span class="sourceLineNo">128</span><a id="line.128"> * by calling this method, the default is &lt;code&gt;rememberMe&lt;/code&gt;.</a>
<span class="sourceLineNo">129</span><a id="line.129"> * &lt;p/&gt;</a>
<span class="sourceLineNo">130</span><a id="line.130"> * RememberMe will be &lt;code&gt;true&lt;/code&gt; if the parameter value equals any of those supported by</a>
<span class="sourceLineNo">131</span><a id="line.131"> * {@link org.apache.shiro.web.util.WebUtils#isTrue(javax.servlet.ServletRequest, String) WebUtils.isTrue(request,value)}, &lt;code&gt;false&lt;/code&gt;</a>
<span class="sourceLineNo">132</span><a id="line.132"> * otherwise.</a>
<span class="sourceLineNo">133</span><a id="line.133"> *</a>
<span class="sourceLineNo">134</span><a id="line.134"> * @param rememberMeParam the name of the request param to check for acquiring the rememberMe boolean value.</a>
<span class="sourceLineNo">135</span><a id="line.135"> */</a>
<span class="sourceLineNo">136</span><a id="line.136"> public void setRememberMeParam(String rememberMeParam) {</a>
<span class="sourceLineNo">137</span><a id="line.137"> this.rememberMeParam = rememberMeParam;</a>
<span class="sourceLineNo">138</span><a id="line.138"> }</a>
<span class="sourceLineNo">139</span><a id="line.139"></a>
<span class="sourceLineNo">140</span><a id="line.140"> public String getFailureKeyAttribute() {</a>
<span class="sourceLineNo">141</span><a id="line.141"> return failureKeyAttribute;</a>
<span class="sourceLineNo">142</span><a id="line.142"> }</a>
<span class="sourceLineNo">143</span><a id="line.143"></a>
<span class="sourceLineNo">144</span><a id="line.144"> public void setFailureKeyAttribute(String failureKeyAttribute) {</a>
<span class="sourceLineNo">145</span><a id="line.145"> this.failureKeyAttribute = failureKeyAttribute;</a>
<span class="sourceLineNo">146</span><a id="line.146"> }</a>
<span class="sourceLineNo">147</span><a id="line.147"></a>
<span class="sourceLineNo">148</span><a id="line.148"> protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {</a>
<span class="sourceLineNo">149</span><a id="line.149"> if (isLoginRequest(request, response)) {</a>
<span class="sourceLineNo">150</span><a id="line.150"> if (isLoginSubmission(request, response)) {</a>
<span class="sourceLineNo">151</span><a id="line.151"> if (log.isTraceEnabled()) {</a>
<span class="sourceLineNo">152</span><a id="line.152"> log.trace("Login submission detected. Attempting to execute login.");</a>
<span class="sourceLineNo">153</span><a id="line.153"> }</a>
<span class="sourceLineNo">154</span><a id="line.154"> return executeLogin(request, response);</a>
<span class="sourceLineNo">155</span><a id="line.155"> } else {</a>
<span class="sourceLineNo">156</span><a id="line.156"> if (log.isTraceEnabled()) {</a>
<span class="sourceLineNo">157</span><a id="line.157"> log.trace("Login page view.");</a>
<span class="sourceLineNo">158</span><a id="line.158"> }</a>
<span class="sourceLineNo">159</span><a id="line.159"> //allow them to see the login page ;)</a>
<span class="sourceLineNo">160</span><a id="line.160"> return true;</a>
<span class="sourceLineNo">161</span><a id="line.161"> }</a>
<span class="sourceLineNo">162</span><a id="line.162"> } else {</a>
<span class="sourceLineNo">163</span><a id="line.163"> if (log.isTraceEnabled()) {</a>
<span class="sourceLineNo">164</span><a id="line.164"> log.trace("Attempting to access a path which requires authentication. Forwarding to the " +</a>
<span class="sourceLineNo">165</span><a id="line.165"> "Authentication url [" + getLoginUrl() + "]");</a>
<span class="sourceLineNo">166</span><a id="line.166"> }</a>
<span class="sourceLineNo">167</span><a id="line.167"></a>
<span class="sourceLineNo">168</span><a id="line.168"> saveRequestAndRedirectToLogin(request, response);</a>
<span class="sourceLineNo">169</span><a id="line.169"> return false;</a>
<span class="sourceLineNo">170</span><a id="line.170"> }</a>
<span class="sourceLineNo">171</span><a id="line.171"> }</a>
<span class="sourceLineNo">172</span><a id="line.172"></a>
<span class="sourceLineNo">173</span><a id="line.173"> /**</a>
<span class="sourceLineNo">174</span><a id="line.174"> * This default implementation merely returns &lt;code&gt;true&lt;/code&gt; if the request is an HTTP &lt;code&gt;POST&lt;/code&gt;,</a>
<span class="sourceLineNo">175</span><a id="line.175"> * &lt;code&gt;false&lt;/code&gt; otherwise. Can be overridden by subclasses for custom login submission detection behavior.</a>
<span class="sourceLineNo">176</span><a id="line.176"> *</a>
<span class="sourceLineNo">177</span><a id="line.177"> * @param request the incoming ServletRequest</a>
<span class="sourceLineNo">178</span><a id="line.178"> * @param response the outgoing ServletResponse.</a>
<span class="sourceLineNo">179</span><a id="line.179"> * @return &lt;code&gt;true&lt;/code&gt; if the request is an HTTP &lt;code&gt;POST&lt;/code&gt;, &lt;code&gt;false&lt;/code&gt; otherwise.</a>
<span class="sourceLineNo">180</span><a id="line.180"> */</a>
<span class="sourceLineNo">181</span><a id="line.181"> @SuppressWarnings({"UnusedDeclaration"})</a>
<span class="sourceLineNo">182</span><a id="line.182"> protected boolean isLoginSubmission(ServletRequest request, ServletResponse response) {</a>
<span class="sourceLineNo">183</span><a id="line.183"> return (request instanceof HttpServletRequest) &amp;&amp; WebUtils.toHttp(request).getMethod().equalsIgnoreCase(POST_METHOD);</a>
<span class="sourceLineNo">184</span><a id="line.184"> }</a>
<span class="sourceLineNo">185</span><a id="line.185"></a>
<span class="sourceLineNo">186</span><a id="line.186"> protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {</a>
<span class="sourceLineNo">187</span><a id="line.187"> String username = getUsername(request);</a>
<span class="sourceLineNo">188</span><a id="line.188"> String password = getPassword(request);</a>
<span class="sourceLineNo">189</span><a id="line.189"> return createToken(username, password, request, response);</a>
<span class="sourceLineNo">190</span><a id="line.190"> }</a>
<span class="sourceLineNo">191</span><a id="line.191"></a>
<span class="sourceLineNo">192</span><a id="line.192"> protected boolean isRememberMe(ServletRequest request) {</a>
<span class="sourceLineNo">193</span><a id="line.193"> return WebUtils.isTrue(request, getRememberMeParam());</a>
<span class="sourceLineNo">194</span><a id="line.194"> }</a>
<span class="sourceLineNo">195</span><a id="line.195"></a>
<span class="sourceLineNo">196</span><a id="line.196"> protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,</a>
<span class="sourceLineNo">197</span><a id="line.197"> ServletRequest request, ServletResponse response) throws Exception {</a>
<span class="sourceLineNo">198</span><a id="line.198"> issueSuccessRedirect(request, response);</a>
<span class="sourceLineNo">199</span><a id="line.199"> //we handled the success redirect directly, prevent the chain from continuing:</a>
<span class="sourceLineNo">200</span><a id="line.200"> return false;</a>
<span class="sourceLineNo">201</span><a id="line.201"> }</a>
<span class="sourceLineNo">202</span><a id="line.202"></a>
<span class="sourceLineNo">203</span><a id="line.203"> protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,</a>
<span class="sourceLineNo">204</span><a id="line.204"> ServletRequest request, ServletResponse response) {</a>
<span class="sourceLineNo">205</span><a id="line.205"> if (log.isDebugEnabled()) {</a>
<span class="sourceLineNo">206</span><a id="line.206"> log.debug( "Authentication exception", e );</a>
<span class="sourceLineNo">207</span><a id="line.207"> }</a>
<span class="sourceLineNo">208</span><a id="line.208"> setFailureAttribute(request, e);</a>
<span class="sourceLineNo">209</span><a id="line.209"> //login failed, let request continue back to the login page:</a>
<span class="sourceLineNo">210</span><a id="line.210"> return true;</a>
<span class="sourceLineNo">211</span><a id="line.211"> }</a>
<span class="sourceLineNo">212</span><a id="line.212"></a>
<span class="sourceLineNo">213</span><a id="line.213"> protected void setFailureAttribute(ServletRequest request, AuthenticationException ae) {</a>
<span class="sourceLineNo">214</span><a id="line.214"> String className = ae.getClass().getName();</a>
<span class="sourceLineNo">215</span><a id="line.215"> request.setAttribute(getFailureKeyAttribute(), className);</a>
<span class="sourceLineNo">216</span><a id="line.216"> }</a>
<span class="sourceLineNo">217</span><a id="line.217"></a>
<span class="sourceLineNo">218</span><a id="line.218"> protected String getUsername(ServletRequest request) {</a>
<span class="sourceLineNo">219</span><a id="line.219"> return WebUtils.getCleanParam(request, getUsernameParam());</a>
<span class="sourceLineNo">220</span><a id="line.220"> }</a>
<span class="sourceLineNo">221</span><a id="line.221"></a>
<span class="sourceLineNo">222</span><a id="line.222"> protected String getPassword(ServletRequest request) {</a>
<span class="sourceLineNo">223</span><a id="line.223"> return WebUtils.getCleanParam(request, getPasswordParam(), false);</a>
<span class="sourceLineNo">224</span><a id="line.224"> }</a>
<span class="sourceLineNo">225</span><a id="line.225"></a>
<span class="sourceLineNo">226</span><a id="line.226"></a>
<span class="sourceLineNo">227</span><a id="line.227">}</a>
</pre>
</div>
</main>
</body>
</html>