public class SslFilter extends PortFilter
port and the
request.isSecure(). If either condition is false,
the filter chain will not continue.
The port property defaults to 443, and the filter additionally guarantees that the
request scheme is always 'https' (except for port 80, which retains the 'http' scheme).
In addition, the filter allows enabling HTTP Strict Transport Security (HSTS).
This feature is opt-in and disabled by default. If enabled, HSTS
will prevent any communications from being sent over HTTP to the
specified domain and will instead send all communications over HTTPS.
The maxAge property defaults to 31536000, and
includeSubDomains defaults to false.
Warning: Use this setting with care and only if you plan to enable
SSL on every path.
Example configs:

```ini
[urls]
/secure/path/** = ssl
```

with HSTS enabled

```ini
[main]
ssl.hsts.enabled = true

[urls]
/** = ssl
```
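The rules described above (port match plus request.isSecure(), scheme selection, and the HSTS header built from maxAge and includeSubDomains) can be seen side by side in a small stand-alone model. This is an added example, not Shiro's source code: SslFilterModel, Req and the sample requests are hypothetical names and constructed data, and the header syntax follows RFC 6797.

```java
import java.util.List;

/** Stand-alone model of the documented behaviour; an illustration, not Shiro's implementation. */
public class SslFilterModel {
    static final int DEFAULT_HTTP_PORT = 80;
    static final int DEFAULT_HTTPS_PORT = 443;

    // Hypothetical stand-in for the two ServletRequest properties the filter inspects.
    record Req(String label, int serverPort, boolean secure) {}

    // Documented rule: the configured port must match AND request.isSecure() must be true.
    static boolean isAccessAllowed(Req r, int configuredPort) {
        return r.serverPort() == configuredPort && r.secure();
    }

    // Documented rule: the scheme is always https, except that port 80 keeps http.
    static String getScheme(int port) {
        return port == DEFAULT_HTTP_PORT ? "http" : "https";
    }

    // Strict-Transport-Security value built from the maxAge / includeSubDomains properties.
    static String hstsValue(long maxAge, boolean includeSubDomains) {
        return "max-age=" + maxAge + (includeSubDomains ? "; includeSubDomains" : "");
    }

    public static void main(String[] args) {
        // Constructed sample requests, evaluated against the default port 443.
        List<Req> constructed = List.of(
            new Req("TLS on 443", 443, true),
            new Req("plain HTTP on 80", 80, false),
            new Req("TLS on unexpected port 8443", 8443, true),
            // Assumed scenario: TLS ends upstream and the container is not told about it.
            new Req("port 443 but isSecure() == false", 443, false));
        for (Req r : constructed) {
            System.out.printf("%-34s -> %s%n", r.label(),
                isAccessAllowed(r, DEFAULT_HTTPS_PORT) ? "chain continues" : "access denied");
        }
        System.out.println("scheme for port 8443: " + getScheme(8443));
        System.out.println("scheme for port 80:   " + getScheme(DEFAULT_HTTP_PORT));
        // Page defaults: maxAge 31536000, includeSubDomains false.
        System.out.println("Strict-Transport-Security: " + hstsValue(31536000L, false));
        System.out.println("Strict-Transport-Security: " + hstsValue(31536000L, true));
    }
}
```

The last sample request is the case to check in a deployment where TLS is terminated in front of the servlet container: the port matches, but the request is still denied because isSecure() is false.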
| Modifier and Type | Class and Description |
|---|---|
| class | SslFilter.HSTS<br>Helper class for HTTP Strict Transport Security (HSTS) |
| Modifier and Type | Field and Description |
|---|---|
| static int | DEFAULT_HTTPS_PORT |
| static String | HTTPS_SCHEME |

Inherited fields:

- DEFAULT_HTTP_PORT, HTTP_SCHEME
- DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD
- appliedPaths, pathMatcher
- ALREADY_FILTERED_SUFFIX
- filterConfig

| Constructor and Description |
|---|
| SslFilter() |
| Modifier and Type | Method and Description |
|---|---|
| SslFilter.HSTS | getHsts() |
| protected String | getScheme(String requestScheme, int port) |
| protected boolean | isAccessAllowed(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, Object mappedValue)<br>Retains the parent method's port-matching behavior but additionally guarantees that the ServletRequest.isSecure(). |
| protected void | postHandle(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)<br>If HTTP Strict Transport Security (HSTS) is enabled the HTTP header will be written, otherwise this method does nothing. |
| void | setHsts(SslFilter.HSTS hsts) |
Inherited methods:

- getPort, onAccessDenied, setPort, toPort
- getUnauthorizedUrl, onAccessDenied, setUnauthorizedUrl
- getLoginUrl, getSubject, isLoginRequest, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl
- getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig
- afterCompletion, cleanup, doFilterInternal, executeChain
- doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, isFilterOncePerRequest, setEnabled, setFilterOncePerRequest, shouldNotFilter
- getName, setName, toStringBuilder
- destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
- getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString

public static final int DEFAULT_HTTPS_PORT
public static final String HTTPS_SCHEME
public SslFilter.HSTS getHsts()
public void setHsts(SslFilter.HSTS hsts)
protected String getScheme(String requestScheme, int port)
Overrides: getScheme in class PortFilter

protected boolean isAccessAllowed(javax.servlet.ServletRequest request,
javax.servlet.ServletResponse response,
Object mappedValue)
throws Exception

Retains the parent method's port-matching behavior but additionally guarantees that the
ServletRequest.isSecure(). If the port does not match or
the request is not secure, access is denied.

Overrides: isAccessAllowed in class PortFilter

Parameters:

- request - the incoming ServletRequest
- response - the outgoing ServletResponse - ignored in this implementation
- mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings - ignored by this implementation.

Returns: true if the request is received on an expected SSL port and the
request.isSecure(), false otherwise.

Throws: Exception - if the call to super.isAccessAllowed throws an exception.

protected void postHandle(javax.servlet.ServletRequest request,
javax.servlet.ServletResponse response)

Overrides: postHandle in class AdviceFilter

Parameters:

- request - the incoming ServletRequest
- response - the outgoing ServletResponse

Copyright © 2004–2023 The Apache Software Foundation. All rights reserved.