org.jsecurity.web.servlet
Class JSecurityFilter
java.lang.Object
org.jsecurity.web.servlet.ServletContextSupport
org.jsecurity.web.servlet.OncePerRequestFilter
org.jsecurity.web.servlet.JSecurityFilter
- All Implemented Interfaces:
- Filter, Nameable
- Direct Known Subclasses:
- SpringJSecurityFilter
public class JSecurityFilter
- extends OncePerRequestFilter
Main ServletFilter that configures and enables all JSecurity functions within a web application.
The following is a fully commented example that documents how to configure it:
<filter>
<filter-name>JSecurityFilter</filter-name>
<filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
<init-param><param-name>config</param-name><param-value>
#NOTE: This config looks pretty long - but it's not - it's only 5 lines of actual config.
# Everything else is just heavily commented to explain things in-depth. Feel free to delete any
# comments that you don't want to read from your own configuration ;)
#
# Any commented values below are JSecurity's defaults. If you want to change any values, you only
# need to uncomment the lines you want to change.
[main]
# The 'main' section defines JSecurity-wide configuration.
#
# Session Mode: By default, JSecurity's Session infrastructure in a web environment will use the
# Servlet container's HttpSession. However, if you need to share session state across client types
# (e.g. Web MVC plus Java Web Start or Flash), or are doing distributed/shared Sessions for
# Single Sign On, HttpSessions aren't good enough. You'll need to use JSecurity's more powerful
# (and client-agnostic) session management. You can enable this by uncommenting the following line
# and changing 'http' to 'jsecurity'
#
#securityManager = org.jsecurity.web.DefaultWebSecurityManager
#securityManager.sessionMode = http
[filters]
# This section defines the 'pool' of all Filters available to the url path definitions in the [urls] section below.
#
# The following commented values are already provided by JSecurity by default and are immediately usable
# in the [urls] definitions below. If you like, you may override any values by uncommenting only the lines
# you need to change.
#
# Each Filter is configured based on its functionality and/or protocol. You should read each
# Filter's JavaDoc to fully understand what each does and how it works as well as how it would
# affect the user experience.
#
# Form-based Authentication filter:
#authc = FormAuthenticationFilter
#authc.loginUrl = /login.jsp
#authc.usernameParam = username
#authc.passwordParam = password
#authc.rememberMeParam = rememberMe
#authc.successUrl = /login.jsp
#authc.failureKeyAttribute = FormAuthenticationFilter.DEFAULT_ERROR_KEY_ATTRIBUTE_NAME
#
# Http BASIC Authentication filter:
#authcBasic = BasicHttpAuthenticationFilter
#authcBasic.applicationName = application
#
# Roles filter: requires the requesting user to have one or more roles for the request to continue.
# If they do not have the specified roles, they are redirected to the specified URL.
#roles = RolesAuthorizationFilter
#roles.unauthorizedUrl =
# (note the above url is null by default, which will cause an HTTP 403 (Access Denied) response instead
# of redirecting to a page. If you want to show a 'nice page' instead, you should specify that url.)
#
# Permissions filter: requires the requesting user to have one or more permissions for the request to
# continue, and if they do not, redirects them to the specified URL.
#perms = PermissionsAuthorizationFilter
#perms.unauthorizedUrl =
# (note the above url is null by default, which will cause an HTTP 403 (Access Denied) response instead
# of redirecting to a page. If you want to show a 'nice page' instead, you should specify that url. Many
# applications like to use the same url specified in roles.unauthorizedUrl above.)
#
#
# Define your own filters here. To properly handle url path matching (see the [urls] section below), your
# filter should extend the PathMatchingFilter abstract class.
[urls]
# This section defines url path mappings. Each mapping entry must be on a single line and conform to the
# following representation:
#
# ant_path_expression = path_specific_filter_chain_definition
#
# For any request that matches a specified path, the corresponding value defines a comma-delimited chain of
# filters to execute for that request.
#
# This is incredibly powerful in that you can define arbitrary filter chains for any given request pattern
# to greatly customize the security experience.
#
# The path_specific_filter_chain_definition must match the following format:
#
# filter1[optional_config1], filter2[optional_config2], ..., filterN[optional_configN]
#
# where 'filterN' is the name of a filter defined above in the [filters] section and
# '[optional_configN]' is an optional bracketed string that has meaning for that particular filter for
# _that particular path_. If the filter does not need specific config for that url path, you may
# discard the brackets - that is, filterN[] just becomes filterN.
#
# And because filter tokens define chains, order matters! Define the tokens for each path pattern
# in the order you want them to filter (comma-delimited).
#
# Finally, each filter is free to handle the response however it wants if its necessary
# conditions are not met (redirect, HTTP error code, direct rendering, etc). Otherwise, it is expected to allow
# the request to continue through the chain on to the final destination view.
#
# Examples:
#
# To illustrate chain configuration, look at the /account/** mapping below. This says
# "apply the above 'authcBasic' filter to any request matching the '/account/**' pattern". Since the
# 'authcBasic' filter does not need any path-specific config, it doesn't have any config brackets [].
#
# The /remoting/** definition on the other hand uses the 'roles' and 'perms' filters which do use
# bracket notation. That definition says:
#
# "To access /remoting/** urls, ensure that the user is first authenticated ('authcBasic'), then ensure that user
# has the 'b2bClient' role, and then finally ensure that they have the 'remote:invoke:lan,wan' permission."
#
# (Note that because elements within brackets [ ] are comma-delimited themselves, we needed to escape the permission
# actions of 'lan,wan' with quotes. If we didn't do that, the permission filter would interpret
# the text between the brackets as two permissions: 'remote:invoke:lan' and 'wan' instead of the
# single desired 'remote:invoke:lan,wan' token. So, you can use quotes wherever you need to escape internal
# commas.)
/account/** = authcBasic
/remoting/** = authcBasic, roles[b2bClient], perms[remote:invoke:"lan,wan"]
</param-value></init-param>
</filter>
<filter-mapping>
<filter-name>JSecurityFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
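The [urls] syntax described in the comments above, as an added example that is not part of JSecurity's own code: a small Python parser that splits a path definition into its filter tokens, honours the quote escaping for internal commas inside brackets, and resolves a request path against the mappings in definition order using a simplified Ant-style match. The URLS_SECTION sample is constructed from the two mappings above.

```python
import re

# Constructed sample: the two mappings from the [urls] section above, plus a comment line.
URLS_SECTION = """
# comments and blank lines are skipped, as in the embedded config
/account/** = authcBasic
/remoting/** = authcBasic, roles[b2bClient], perms[remote:invoke:"lan,wan"]
"""

def split_top_level(text, sep=","):
    """Split on sep, ignoring separators inside [...] brackets or "..." quotes."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in text:
        quoted ^= ch == '"'
        if not quoted and ch in "[]":
            depth += 1 if ch == "[" else -1
        if ch == sep and depth == 0 and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return [p for p in parts + ["".join(buf).strip()] if p]

def parse_chain(definition):
    """'authcBasic, roles[b2bClient], perms[x:"a,b"]' -> [(filter_name, [config, ...]), ...]"""
    chain = []
    for token in split_top_level(definition):
        m = re.fullmatch(r"(\w+)(?:\[(.*)\])?", token)
        if not m:
            raise ValueError("malformed filter token: %r" % token)
        # Bracket contents are comma-delimited too; quotes keep 'lan,wan' together, then drop away.
        args = [a.replace('"', "") for a in split_top_level(m.group(2) or "")]
        chain.append((m.group(1), args))
    return chain

def parse_urls_section(text):
    """Each non-comment line is 'ant_path_expression = path_specific_filter_chain_definition'."""
    lines = [ln.strip() for ln in text.splitlines()]
    pairs = [ln.partition("=") for ln in lines if ln and not ln.startswith("#")]
    return [(p.strip(), parse_chain(d)) for p, _, d in pairs]

def ant_to_regex(pattern):
    """Simplified Ant matching: '**' spans path segments, '*' and '?' stay within one segment."""
    repl = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.sub(r"\*\*|\*|\?|[^*?]+", lambda m: repl.get(m.group(0), re.escape(m.group(0))), pattern)

def resolve_chain(mappings, path):
    """First matching pattern wins (definition order matters); no match means no filters run."""
    return next((chain for pat, chain in mappings if re.fullmatch(ant_to_regex(pat), path)), [])
```

Compare parse_chain('perms[remote:invoke:"lan,wan"]') with the unquoted form to see the two-permission split the comments warn about.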
- Since:
- 0.1
- Author:
- Les Hazlewood, Jeremy Haile
Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
SECURITY_MANAGER_CONTEXT_KEY
public static final String SECURITY_MANAGER_CONTEXT_KEY
CONFIG_CLASS_NAME_INIT_PARAM_NAME
public static final String CONFIG_CLASS_NAME_INIT_PARAM_NAME
- See Also:
- Constant Field Values
CONFIG_INIT_PARAM_NAME
public static final String CONFIG_INIT_PARAM_NAME
- See Also:
- Constant Field Values
CONFIG_URL_INIT_PARAM_NAME
public static final String CONFIG_URL_INIT_PARAM_NAME
- See Also:
- Constant Field Values
config
protected String config
configUrl
protected String configUrl
configClassName
protected String configClassName
configuration
protected WebConfiguration configuration
securityManager
protected SecurityManager securityManager
JSecurityFilter
public JSecurityFilter()
getConfiguration
public WebConfiguration getConfiguration()
setConfiguration
public void setConfiguration(WebConfiguration configuration)
getSecurityManager
public SecurityManager getSecurityManager()
setSecurityManager
protected void setSecurityManager(SecurityManager sm)
onFilterConfigSet
protected void onFilterConfigSet()
throws Exception
- Description copied from class:
OncePerRequestFilter
- Template method to be overridden by subclasses to perform initialization logic at startup. The
ServletContext and FilterConfig will be accessible
(and non-null) at the time this method is invoked via the
getServletContext() and getFilterConfig()
methods respectively.
- Overrides:
onFilterConfigSet in class OncePerRequestFilter
- Throws:
Exception - if the subclass has an error upon initialization.
ensureSecurityManager
protected SecurityManager ensureSecurityManager(Configuration config)
- Retrieves the security manager for the given configuration.
- Parameters:
config - the configuration for this filter.
- Returns:
- the security manager that this filter should use.
applyInitParams
protected void applyInitParams()
configure
protected WebConfiguration configure()
applyFilterConfig
protected void applyFilterConfig(WebConfiguration conf)
applyEmbeddedConfig
protected void applyEmbeddedConfig(WebConfiguration conf)
applyUrlConfig
protected void applyUrlConfig(WebConfiguration conf)
isHttpSessions
protected boolean isHttpSessions()
getInetAddress
protected InetAddress getInetAddress(ServletRequest request)
doFilterInternal
protected void doFilterInternal(ServletRequest servletRequest,
ServletResponse servletResponse,
FilterChain origChain)
throws ServletException,
IOException
- Description copied from class:
OncePerRequestFilter
- Same contract as for
doFilter, but guaranteed to be
just invoked once per request. Provides HttpServletRequest and
HttpServletResponse arguments instead of the default ServletRequest
and ServletResponse ones.
- Specified by:
doFilterInternal in class OncePerRequestFilter
- Throws:
ServletException
IOException
destroy
public void destroy()
- Description copied from class:
OncePerRequestFilter
- Default no-op implementation that can be overridden by subclasses for custom cleanup behavior.
- Specified by:
destroy in interface Filter
- Overrides:
destroy in class OncePerRequestFilter
Copyright © 2004-2008 JSecurity.