Posted to commits@shiro.apache.org by lh...@apache.org on 2011/08/05 22:21:09 UTC

svn commit: r1154370 - /shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java

Author: lhazlewood
Date: Fri Aug  5 20:21:09 2011
New Revision: 1154370

URL: http://svn.apache.org/viewvc?rev=1154370&view=rev
Log:
SHIRO-319: applied check for request.isSecure()

Modified:
    shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java

Modified: shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
URL: http://svn.apache.org/viewvc/shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java?rev=1154370&r1=1154369&r2=1154370&view=diff
==============================================================================
--- shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java (original)
+++ shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java Fri Aug  5 20:21:09 2011
@@ -18,8 +18,14 @@
  */
 package org.apache.shiro.web.filter.authz;
 
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
 /**
- * Filter which requires a request to be over SSL.
+ * Filter which requires a request to be over SSL.  Access is allowed if the request is received on the configured
+ * server {@link #setPort(int) port} <em>and</em> the
+ * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}.  If either condition is {@code false},
+ * the filter chain will not continue.
  * <p/>
  * The {@link #getPort() port} property defaults to {@code 443} and also additionally guarantees that the
  * request scheme is always 'https' (except for port 80, which retains the 'http' scheme).
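Review bot: The added class Javadoc sentence ends with `<em>and</em> the {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}.` and has no predicate, so it never states what `isSecure()` must return. Since this text defines the filter's access rule, I would spell it out as `<em>and</em> {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()} returns {@code true}`. The same gap appears in the method Javadoc and the `@return` tag in the second hunk, where `*{@code ServletRequest.}` is also missing the space after the asterisk.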
@@ -49,4 +55,22 @@ public class SslFilter extends PortFilte
             return HTTPS_SCHEME;
         }
     }
+
+    /**
+     * Retains the parent method's port-matching behavior but additionally guarantees that the
+     *{@code ServletRequest.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}.  If the port does not match or
+     * the request is not secure, access is denied.
+     *
+     * @param request     the incoming {@code ServletRequest}
+     * @param response    the outgoing {@code ServletResponse} - ignored in this implementation
+     * @param mappedValue the filter-specific config value mapped to this filter in the URL rules mappings - ignored by this implementation.
+     * @return {@code true} if the request is received on an expected SSL port and the
+     * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}, {@code false} otherwise.
+     * @throws Exception if the call to {@code super.isAccessAllowed} throws an exception.
+     * @since 1.2
+     */
+    @Override
+    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
+        return super.isAccessAllowed(request, response, mappedValue) && request.isSecure();
+    }
 }
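Review bot: `request.isSecure()` in the new `isAccessAllowed` reports only what the servlet container saw on its own connection. When TLS is terminated at a load balancer or reverse proxy and the hop to the container is plain HTTP, it returns false even though the client used HTTPS, so every such request is now denied. If the parent's access-denied handling redirects to the configured port (PortFilter is not shown in this diff, so this is inferred), that could become a redirect loop. Failing closed is the right default, but the Javadoc should state the deployment requirement, for example `Behind a TLS-terminating proxy the container must be configured to report forwarded requests as secure; otherwise this filter denies them.`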