Posted to commits@shiro.apache.org by lh...@apache.org on 2011/08/05 22:21:09 UTC
svn commit: r1154370 -
/shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
Author: lhazlewood
Date: Fri Aug 5 20:21:09 2011
New Revision: 1154370
URL: http://svn.apache.org/viewvc?rev=1154370&view=rev
Log:
SHIRO-319: applied check for request.isSecure()
Modified:
shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
Modified: shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
URL: http://svn.apache.org/viewvc/shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java?rev=1154370&r1=1154369&r2=1154370&view=diff
==============================================================================
--- shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java (original)
+++ shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java Fri Aug 5 20:21:09 2011
@@ -18,8 +18,14 @@
*/
package org.apache.shiro.web.filter.authz;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
/**
- * Filter which requires a request to be over SSL.
+ * Filter which requires a request to be over SSL. Access is allowed if the request is received on the configured
+ * server {@link #setPort(int) port} <em>and</em> the
+ * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}. If either condition is {@code false},
+ * the filter chain will not continue.
* <p/>
* The {@link #getPort() port} property defaults to {@code 443} and also additionally guarantees that the
* request scheme is always 'https' (except for port 80, which retains the 'http' scheme).
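Review bot: The sentence added to the class Javadoc has no predicate after the link ("and the request.isSecure()"), so it never says the call must return true. The same wording recurs in the second hunk, in both the method description and its `@return`. I would end it as `<em>and</em> {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()} returns {@code true}.` The unchanged paragraph below still says port 80 retains the 'http' scheme, a configuration the new isSecure() requirement would presumably always reject, so that sentence probably needs a caveat.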
@@ -49,4 +55,22 @@ public class SslFilter extends PortFilte
return HTTPS_SCHEME;
}
}
+
+ /**
+ * Retains the parent method's port-matching behavior but additionally guarantees that the
+ *{@code ServletRequest.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}. If the port does not match or
+ * the request is not secure, access is denied.
+ *
+ * @param request the incoming {@code ServletRequest}
+ * @param response the outgoing {@code ServletResponse} - ignored in this implementation
+ * @param mappedValue the filter-specific config value mapped to this filter in the URL rules mappings - ignored by this implementation.
+ * @return {@code true} if the request is received on an expected SSL port and the
+ * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}, {@code false} otherwise.
+ * @throws Exception if the call to {@code super.isAccessAllowed} throws an exception.
+ * @since 1.2
+ */
+ @Override
+ protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
+ return super.isAccessAllowed(request, response, mappedValue) && request.isSecure();
+ }
}
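Review bot: The Javadoc on the new `isAccessAllowed` should say that `request.isSecure()` is the servlet container's view of the connection, not necessarily the transport the client used. Where TLS is terminated at a load balancer or reverse proxy in front of the container, the call returns false unless the container is configured to trust the proxy's forwarded-protocol information, so the filter would now deny every such request. The denial handling lives in the parent class and is not visible in this hunk; if it redirects to the HTTPS port, such a deployment would likely loop. I would add a line such as `* Note: isSecure() reports what the container sees; behind a TLS-terminating proxy the container must be configured to report the original scheme.`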