Package org.apache.shiro.web.filter.authz

Class SslFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.apache.shiro.util.Nameable, PathConfigProcessor
    public class SslFilter
extends PortFilter
    Filter which requires a request to be over SSL. Access is allowed if the request is received on the configured server port and the request.isSecure(). If either condition is false, the filter chain will not continue.

    The port property defaults to 443 and also additionally guarantees that the request scheme is always 'https' (except for port 80, which retains the 'http' scheme).

    Example config: 

     [urls]
 /secure/path/** = ssl
    Since:
    1.0

    • Constructor Detail

      • SslFilter

        public SslFilter()

    • Method Detail

      • isAccessAllowed

        protected boolean isAccessAllowed​(javax.servlet.ServletRequest request,
                                  javax.servlet.ServletResponse response,
                                  Object mappedValue)
                           throws Exception
        Retains the parent method's port-matching behavior but additionally guarantees that the ServletRequest.isSecure(). If the port does not match or the request is not secure, access is denied.
        Overrides:
        isAccessAllowed in class PortFilter
        Parameters:
        request - the incoming ServletRequest
        response - the outgoing ServletResponse - ignored in this implementation
        mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings - ignored by this implementation.
        Returns:
        true if the request is received on an expected SSL port and the request.isSecure(), false otherwise.
        Throws:
        Exception - if the call to super.isAccessAllowed throws an exception.
        Since:
        1.2