Author: lhazlewood
Date: Fri Aug  5 20:21:09 2011
New Revision: 1154370

URL: http://svn.apache.org/viewvc?rev=1154370&view=rev
Log:
SHIRO-319: applied check for request.isSecure()

Modified:
    
shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java

Modified: 
shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
URL: 
http://svn.apache.org/viewvc/shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java?rev=1154370&r1=1154369&r2=1154370&view=diff
==============================================================================
--- 
shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java 
(original)
+++ 
shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java 
Fri Aug  5 20:21:09 2011
@@ -18,8 +18,14 @@
  */
 package org.apache.shiro.web.filter.authz;
 
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
 /**
- * Filter which requires a request to be over SSL.
+ * Filter which requires a request to be over SSL.  Access is allowed if the 
request is received on the configured
+ * server {@link #setPort(int) port} <em>and</em> the
+ * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}. 
 If either condition is {@code false},
+ * the filter chain will not continue.
  * <p/>
  * The {@link #getPort() port} property defaults to {@code 443} and also 
additionally guarantees that the
  * request scheme is always 'https' (except for port 80, which retains the 
'http' scheme).
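Review bot: The added class Javadoc sentence is grammatically incomplete: "<em>and</em> the {@code request.}{@link ... isSecure()}." names the method but never states the condition, so the rendered text reads "and the request.isSecure()." I would write it as `* server {@link #setPort(int) port} <em>and</em> {@link javax.servlet.ServletRequest#isSecure() request.isSecure()} returns {@code true}.` The same wording appears twice in the method Javadoc of the second hunk ("guarantees that the ... isSecure()" and the `@return` line), where a space is also missing after the `*` before `{@code ServletRequest.}`. The class comment continues beyond this hunk.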
@@ -49,4 +55,22 @@ public class SslFilter extends PortFilte
             return HTTPS_SCHEME;
         }
     }
+
+    /**
+     * Retains the parent method's port-matching behavior but additionally 
guarantees that the
+     *{@code ServletRequest.}{@link javax.servlet.ServletRequest#isSecure() 
isSecure()}.  If the port does not match or
+     * the request is not secure, access is denied.
+     *
+     * @param request     the incoming {@code ServletRequest}
+     * @param response    the outgoing {@code ServletResponse} - ignored in 
this implementation
+     * @param mappedValue the filter-specific config value mapped to this 
filter in the URL rules mappings - ignored by this implementation.
+     * @return {@code true} if the request is received on an expected SSL port 
and the
+     * {@code request.}{@link javax.servlet.ServletRequest#isSecure() 
isSecure()}, {@code false} otherwise.
+     * @throws Exception if the call to {@code super.isAccessAllowed} throws 
an exception.
+     * @since 1.2
+     */
+    @Override
+    protected boolean isAccessAllowed(ServletRequest request, ServletResponse 
response, Object mappedValue) throws Exception {
+        return super.isAccessAllowed(request, response, mappedValue) && 
request.isSecure();
+    }
 }
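Review bot: The Javadoc for the new `isAccessAllowed` override does not mention that `request.isSecure()` reports the servlet container's view of the connection, not necessarily what the client used. Where TLS is terminated by a proxy or load balancer in front of the container, the call can return false for requests that arrived over HTTPS, so this override would deny them; how a denial is then handled is decided in the parent class, outside this hunk. I would add a sentence such as `* Note: isSecure() is evaluated by the container; behind a TLS-terminating proxy the container must be configured to reflect the original scheme, and only for headers set by that trusted proxy.` That keeps the check meaningful without letting a client-supplied forwarding header satisfy it.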

