Class FormAuthenticationFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.apache.shiro.util.Nameable, PathConfigProcessor

    public class FormAuthenticationFilter
    extends AuthenticatingFilter
    Requires the requesting user to be authenticated for the request to continue, and if they are not, forces the user to log in by redirecting them to the loginUrl you configure.

    This filter constructs a UsernamePasswordToken with the values found in the username, password, and rememberMe request parameters. It then calls Subject.login(usernamePasswordToken), effectively performing a login attempt automatically. Note that the login attempt only occurs when isLoginSubmission(request,response) returns true, which by default is the case when the request is for the loginUrl and is an HTTP POST.

    If the login attempt fails, the fully qualified class name of the resulting AuthenticationException will be set as a request attribute under the failureKeyAttribute key. This FQCN can be used as an i18n key or lookup mechanism to explain to the user why their login attempt failed (e.g. no account, incorrect password, etc.).

    If you would prefer to handle the authentication validation and login in your own code, consider using the PassThruAuthenticationFilter instead, which allows requests to the AccessControlFilter.loginUrl to pass through to your application's code directly.

    Since:
    0.9
    See Also:
    PassThruAuthenticationFilter
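    As an added illustration (not Shiro's own code), a hypothetical subclass that builds on the hooks documented on this page: it keeps the failureKeyAttribute mechanism but replaces the exception FQCN with a coarse key, so the rendered login page looks the same for an unknown account and for an incorrect password, while the precise cause is still recorded server-side through onLoginFailure. The class name, attribute name and message keys are assumptions.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

// Hypothetical subclass (assumed name, not part of Shiro) built on the hooks this page documents.
public class CoarseFailureFormAuthenticationFilter extends FormAuthenticationFilter {

    // Constructed attribute name; the login view reads it via request.getAttribute(...).
    public static final String FAILURE_KEY = "shiroLoginFailure";

    public CoarseFailureFormAuthenticationFilter() {
        setFailureKeyAttribute(FAILURE_KEY);
    }

    // Shiro's default stores the exception FQCN, which lets the view tell "no account"
    // apart from "incorrect password". Collapse everything except a locked account into
    // one key so the rendered page is identical for both cases.
    @Override
    protected void setFailureAttribute(ServletRequest request, AuthenticationException ae) {
        String key = (ae instanceof LockedAccountException) ? "login.locked" : "login.failed";
        request.setAttribute(getFailureKeyAttribute(), key);
    }

    // Keep the precise cause server-side for monitoring, then defer to the superclass,
    // which (in Shiro's implementation) calls setFailureAttribute and returns true so the
    // request continues on to re-render the login page.
    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        String user = (token instanceof UsernamePasswordToken)
                ? ((UsernamePasswordToken) token).getUsername() : "<non-form token>";
        System.err.printf("login failure for '%s': %s%n", user, e.getClass().getName());
        return super.onLoginFailure(token, e, request, response);
    }
}
```

    Wire it in place of the default authc filter by declaring it under [main] in shiro.ini (for example `authc = com.example.CoarseFailureFormAuthenticationFilter`, package assumed) and mapping the login URL to it as usual.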
    • Constructor Detail

      • FormAuthenticationFilter

        public FormAuthenticationFilter()
    • Method Detail

      • setLoginUrl

        public void setLoginUrl(String loginUrl)
        Description copied from class: AccessControlFilter
        Sets the login URL used to authenticate a user.

        Most Shiro filters use this url as the location to redirect a user when the filter requires authentication. Unless overridden, the DEFAULT_LOGIN_URL is assumed.

        Overrides:
        setLoginUrl in class AccessControlFilter
        Parameters:
        loginUrl - the login URL used to authenticate a user, used when redirecting users if authentication is required.
      • getUsernameParam

        public String getUsernameParam()
      • setUsernameParam

        public void setUsernameParam(String usernameParam)
        Sets the request parameter name to look for when acquiring the username. Unless overridden by calling this method, the default is username.
        Parameters:
        usernameParam - the name of the request param to check for acquiring the username.
      • getPasswordParam

        public String getPasswordParam()
      • setPasswordParam

        public void setPasswordParam(String passwordParam)
        Sets the request parameter name to look for when acquiring the password. Unless overridden by calling this method, the default is password.
        Parameters:
        passwordParam - the name of the request param to check for acquiring the password.
      • getRememberMeParam

        public String getRememberMeParam()
      • setRememberMeParam

        public void setRememberMeParam(String rememberMeParam)
        Sets the request parameter name to look for when acquiring the rememberMe boolean value. Unless overridden by calling this method, the default is rememberMe.

        RememberMe will be true if the parameter value equals any of those supported by WebUtils.isTrue(request,value), false otherwise.

        Parameters:
        rememberMeParam - the name of the request param to check for acquiring the rememberMe boolean value.
      • getFailureKeyAttribute

        public String getFailureKeyAttribute()
      • setFailureKeyAttribute

        public void setFailureKeyAttribute(String failureKeyAttribute)
      • onAccessDenied

        protected boolean onAccessDenied(javax.servlet.ServletRequest request,
                                         javax.servlet.ServletResponse response)
                                  throws Exception
        Description copied from class: AccessControlFilter
        Processes requests where the subject was denied access as determined by the isAccessAllowed method.
        Specified by:
        onAccessDenied in class AccessControlFilter
        Parameters:
        request - the incoming ServletRequest
        response - the outgoing ServletResponse
        Returns:
        true if the request should continue to be processed; false if the subclass will handle/render the response directly.
        Throws:
        Exception - if there is an error processing the request.
      • isLoginSubmission

        protected boolean isLoginSubmission(javax.servlet.ServletRequest request,
                                            javax.servlet.ServletResponse response)
        This default implementation merely returns true if the request is an HTTP POST, false otherwise. Can be overridden by subclasses for custom login submission detection behavior.
        Parameters:
        request - the incoming ServletRequest
        response - the outgoing ServletResponse.
        Returns:
        true if the request is an HTTP POST, false otherwise.
      • createToken

        protected org.apache.shiro.authc.AuthenticationToken createToken(javax.servlet.ServletRequest request,
                                                                         javax.servlet.ServletResponse response)
        Specified by:
        createToken in class AuthenticatingFilter
      • isRememberMe

        protected boolean isRememberMe(javax.servlet.ServletRequest request)
        Description copied from class: AuthenticatingFilter
        Returns true if "rememberMe" should be enabled for the login attempt associated with the current request, false otherwise.

        This implementation always returns false and is provided as a template hook to subclasses that support rememberMe logins and wish to determine rememberMe in a custom manner based on the current request.

        Overrides:
        isRememberMe in class AuthenticatingFilter
        Parameters:
        request - the incoming ServletRequest
        Returns:
        true if "rememberMe" should be enabled for the login attempt associated with the current request, false otherwise.
      • onLoginSuccess

        protected boolean onLoginSuccess(org.apache.shiro.authc.AuthenticationToken token,
                                         org.apache.shiro.subject.Subject subject,
                                         javax.servlet.ServletRequest request,
                                         javax.servlet.ServletResponse response)
                                  throws Exception
        Overrides:
        onLoginSuccess in class AuthenticatingFilter
        Throws:
        Exception
      • onLoginFailure

        protected boolean onLoginFailure(org.apache.shiro.authc.AuthenticationToken token,
                                         org.apache.shiro.authc.AuthenticationException e,
                                         javax.servlet.ServletRequest request,
                                         javax.servlet.ServletResponse response)
        Overrides:
        onLoginFailure in class AuthenticatingFilter
      • setFailureAttribute

        protected void setFailureAttribute(javax.servlet.ServletRequest request,
                                           org.apache.shiro.authc.AuthenticationException ae)
      • getUsername

        protected String getUsername(javax.servlet.ServletRequest request)
      • getPassword

        protected String getPassword(javax.servlet.ServletRequest request)