Allow for direct configuration of ShiroFilter through WebEnvironment

Adds new ShiroFilterConfiguration class exposed through the WebEnvironment
This class allows for confiuration of the Shiro filter through various config mechanisms (Ini, Guice, Spring, etc)
This makes it easer to enable a static security manager when using Shiro's Servlet fragment, as now a web.xml is not required

Author: bdemers

pom.xml

@@ -419,6 +419,7 @@
                             <onlyModified>true</onlyModified>
                             <breakBuildOnBinaryIncompatibleModifications>true</breakBuildOnBinaryIncompatibleModifications>
                             <breakBuildBasedOnSemanticVersioning>true</breakBuildBasedOnSemanticVersioning>
+                            <postAnalysisScript>${root.dir}/src/japicmp/postAnalysisScript.groovy</postAnalysisScript>
                         </parameter>
                     </configuration>
                 </plugin>

samples/servlet-plugin/pom.xml

@@ -106,13 +106,8 @@
             <scope>runtime</scope>
         </dependency>
         <dependency>
-            <groupId>org.apache.logging.log4j</groupId>
-            <artifactId>log4j-slf4j-impl</artifactId>
-            <scope>runtime</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.logging.log4j</groupId>
-            <artifactId>log4j-core</artifactId>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
             <scope>runtime</scope>
         </dependency>
         <dependency>

src/japicmp/postAnalysisScript.groovy

@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import static japicmp.model.JApiCompatibilityChange.*
+import static japicmp.model.JApiChangeStatus.*
+
+def it = jApiClasses.iterator()
+while (it.hasNext()) {
+    def jApiClass = it.next()
+    // filter out interfaces changes that are default methods
+    if (jApiClass.getChangeStatus() != UNCHANGED) {
+        def methodIt = jApiClass.getMethods().iterator()
+        while (methodIt.hasNext()) {
+            def method = methodIt.next()
+            def methodChanges = method.getCompatibilityChanges()
+            methodChanges.remove(METHOD_NEW_DEFAULT)
+        }
+    }
+}
+return jApiClasses

support/guice/src/main/java/org/apache/shiro/guice/web/GuiceShiroFilter.java

@@ -18,6 +18,7 @@
  */
 package org.apache.shiro.guice.web;
 
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.filter.mgt.FilterChainResolver;
 import org.apache.shiro.web.mgt.WebSecurityManager;
 import org.apache.shiro.web.servlet.AbstractShiroFilter;
@@ -31,8 +32,9 @@
  */
 public class GuiceShiroFilter extends AbstractShiroFilter {
     @Inject
-    GuiceShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver filterChainResolver) {
+    GuiceShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver filterChainResolver, ShiroFilterConfiguration filterConfiguration) {
         this.setSecurityManager(webSecurityManager);
         this.setFilterChainResolver(filterChainResolver);
+        this.setShiroFilterConfiguration(filterConfiguration);
     }
 }

support/guice/src/main/java/org/apache/shiro/guice/web/WebGuiceEnvironment.java

@@ -21,6 +21,7 @@
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.env.EnvironmentLoaderListener;
 import org.apache.shiro.web.env.WebEnvironment;
 import org.apache.shiro.web.filter.mgt.FilterChainResolver;
@@ -35,11 +36,14 @@ class WebGuiceEnvironment implements WebEnvironment {
     private ServletContext servletContext;
     private WebSecurityManager securityManager;
 
+    private ShiroFilterConfiguration filterConfiguration;
+
     @Inject
-    WebGuiceEnvironment(FilterChainResolver filterChainResolver, @Named(ShiroWebModule.NAME) ServletContext servletContext, WebSecurityManager securityManager) {
+    WebGuiceEnvironment(FilterChainResolver filterChainResolver, @Named(ShiroWebModule.NAME) ServletContext servletContext, WebSecurityManager securityManager, ShiroFilterConfiguration filterConfiguration) {
         this.filterChainResolver = filterChainResolver;
         this.servletContext = servletContext;
         this.securityManager = securityManager;
+        this.filterConfiguration = filterConfiguration;
 
         servletContext.setAttribute(EnvironmentLoaderListener.ENVIRONMENT_ATTRIBUTE_KEY, this);
     }
@@ -59,4 +63,8 @@ public WebSecurityManager getWebSecurityManager() {
     public SecurityManager getSecurityManager() {
         return securityManager;
     }
+
+    public ShiroFilterConfiguration getShiroFilterConfiguration() {
+        return filterConfiguration;
+    }
 }

support/guice/src/test/java/org/apache/shiro/guice/web/GuiceShiroFilterTest.java

@@ -19,13 +19,13 @@
 package org.apache.shiro.guice.web;
 
 import com.google.inject.spi.InjectionPoint;
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.filter.mgt.FilterChainResolver;
 import org.apache.shiro.web.mgt.WebSecurityManager;
 import org.junit.Test;
 
-import static org.easymock.EasyMock.createMock;
-import static org.junit.Assert.assertSame;
-import static org.junit.Assert.fail;
+import static org.easymock.EasyMock.*;
+import static org.junit.Assert.*;
 
 public class GuiceShiroFilterTest {
 
@@ -42,10 +42,17 @@ public void ensureInjectable() {
     public void testConstructor() {
         WebSecurityManager securityManager = createMock(WebSecurityManager.class);
         FilterChainResolver filterChainResolver = createMock(FilterChainResolver.class);
+        ShiroFilterConfiguration filterConfiguration = createMock(ShiroFilterConfiguration.class);
+        expect(filterConfiguration.isStaticSecurityManagerEnabled()).andReturn(true);
+        expect(filterConfiguration.isFilterOncePerRequest()).andReturn(false);
 
-        GuiceShiroFilter underTest = new GuiceShiroFilter(securityManager, filterChainResolver);
+        replay(securityManager, filterChainResolver, filterConfiguration);
+
+        GuiceShiroFilter underTest = new GuiceShiroFilter(securityManager, filterChainResolver, filterConfiguration);
 
         assertSame(securityManager, underTest.getSecurityManager());
         assertSame(filterChainResolver, underTest.getFilterChainResolver());
+        assertTrue(underTest.isStaticSecurityManagerEnabled());
+        assertFalse(underTest.isFilterOncePerRequest());
     }
 }

support/guice/src/test/java/org/apache/shiro/guice/web/ShiroWebModuleTest.java

@@ -30,6 +30,7 @@
 import org.apache.shiro.mgt.SecurityManager;
 import org.apache.shiro.realm.Realm;
 import org.apache.shiro.session.mgt.SessionManager;
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.env.EnvironmentLoader;
 import org.apache.shiro.web.env.WebEnvironment;
 import org.apache.shiro.web.filter.InvalidRequestFilter;
@@ -487,8 +488,8 @@ public static class MyDefaultWebSessionManager extends DefaultWebSessionManager
 
     public static class MyWebEnvironment extends WebGuiceEnvironment {
         @Inject
-        MyWebEnvironment(FilterChainResolver filterChainResolver, @Named(ShiroWebModule.NAME) ServletContext servletContext, WebSecurityManager securityManager) {
-            super(filterChainResolver, servletContext, securityManager);
+        MyWebEnvironment(FilterChainResolver filterChainResolver, @Named(ShiroWebModule.NAME) ServletContext servletContext, WebSecurityManager securityManager, ShiroFilterConfiguration filterConfiguration) {
+            super(filterChainResolver, servletContext, securityManager, filterConfiguration);
         }
     }
 

support/guice/src/test/java/org/apache/shiro/guice/web/WebGuiceEnvironmentTest.java

@@ -19,6 +19,7 @@
 package org.apache.shiro.guice.web;
 
 import com.google.inject.spi.InjectionPoint;
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.env.EnvironmentLoaderListener;
 import org.apache.shiro.web.filter.mgt.FilterChainResolver;
 import org.apache.shiro.web.mgt.WebSecurityManager;
@@ -47,13 +48,14 @@ public void testConstructor() {
         WebSecurityManager securityManager = createMock(WebSecurityManager.class);
         FilterChainResolver filterChainResolver = createMock(FilterChainResolver.class);
         ServletContext servletContext = createMock(ServletContext.class);
+        ShiroFilterConfiguration filterConfiguration = createMock(ShiroFilterConfiguration.class);
 
         Capture<WebGuiceEnvironment> capture = Capture.newInstance();
         servletContext.setAttribute(eq(EnvironmentLoaderListener.ENVIRONMENT_ATTRIBUTE_KEY), and(anyObject(WebGuiceEnvironment.class), capture(capture)));
 
         replay(servletContext, securityManager, filterChainResolver);
 
-        WebGuiceEnvironment underTest = new WebGuiceEnvironment(filterChainResolver, servletContext, securityManager);
+        WebGuiceEnvironment underTest = new WebGuiceEnvironment(filterChainResolver, servletContext, securityManager, filterConfiguration);
 
         assertSame(securityManager, underTest.getSecurityManager());
         assertSame(filterChainResolver, underTest.getFilterChainResolver());

support/spring/src/main/java/org/apache/shiro/spring/web/ShiroFilterFactoryBean.java

@@ -24,6 +24,7 @@
 import org.apache.shiro.util.Nameable;
 import org.apache.shiro.util.StringUtils;
 import org.apache.shiro.web.config.IniFilterChainResolverFactory;
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.filter.AccessControlFilter;
 import org.apache.shiro.web.filter.InvalidRequestFilter;
 import org.apache.shiro.web.filter.authc.AuthenticationFilter;
@@ -35,6 +36,7 @@
 import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
 import org.apache.shiro.web.mgt.WebSecurityManager;
 import org.apache.shiro.web.servlet.AbstractShiroFilter;
+import org.apache.shiro.web.servlet.OncePerRequestFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.BeansException;
@@ -135,15 +137,18 @@ public class ShiroFilterFactoryBean implements FactoryBean<AbstractShiroFilter>,
 
     private AbstractShiroFilter instance;
 
+    private ShiroFilterConfiguration filterConfiguration;
+
     public ShiroFilterFactoryBean() {
         this.filters = new LinkedHashMap<String, Filter>();
         this.globalFilters = new ArrayList<>();
         this.globalFilters.add(DefaultFilter.invalidRequest.name());
         this.filterChainDefinitionMap = new LinkedHashMap<String, String>(); //order matters!
+        this.filterConfiguration = new ShiroFilterConfiguration();
     }
 
     /**
-     * Sets the application {@code SecurityManager} instance to be used by the constructed Shiro Filter.  This is a
+     * Gets the application {@code SecurityManager} instance to be used by the constructed Shiro Filter.  This is a
      * required property - failure to set it will throw an initialization exception.
      *
      * @return the application {@code SecurityManager} instance to be used by the constructed Shiro Filter.
@@ -162,6 +167,24 @@ public void setSecurityManager(SecurityManager securityManager) {
         this.securityManager = securityManager;
     }
 
+    /**
+     * Gets the application {@code ShiroFilterConfiguration} instance to be used by the constructed Shiro Filter.
+     *
+     * @return the application {@code ShiroFilterConfiguration} instance to be used by the constructed Shiro Filter.
+     */
+    public ShiroFilterConfiguration getShiroFilterConfiguration() {
+        return filterConfiguration;
+    }
+
+    /**
+     * Sets the application {@code ShiroFilterConfiguration} instance to be used by the constructed Shiro Filter.
+     *
+     * @param filterConfiguration the application {@code SecurityManager} instance to be used by the constructed Shiro Filter.
+     */
+    public void setShiroFilterConfiguration(ShiroFilterConfiguration filterConfiguration) {
+        this.filterConfiguration = filterConfiguration;
+    }
+
     /**
      * Returns the application's login URL to be assigned to all acquired Filters that subclass
      * {@link AccessControlFilter} or {@code null} if no value should be assigned globally. The default value
@@ -468,7 +491,7 @@ protected AbstractShiroFilter createInstance() throws Exception {
         //FilterChainResolver.  It doesn't matter that the instance is an anonymous inner class
         //here - we're just using it because it is a concrete AbstractShiroFilter instance that accepts
         //injection of the SecurityManager and FilterChainResolver:
-        return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
+        return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver, getShiroFilterConfiguration());
     }
 
     private void applyLoginUrlIfNecessary(Filter filter) {
@@ -511,6 +534,10 @@ private void applyGlobalPropertiesIfNecessary(Filter filter) {
         applyLoginUrlIfNecessary(filter);
         applySuccessUrlIfNecessary(filter);
         applyUnauthorizedUrlIfNecessary(filter);
+
+        if (filter instanceof OncePerRequestFilter) {
+            ((OncePerRequestFilter) filter).setFilterOncePerRequest(filterConfiguration.isFilterOncePerRequest());
+        }
     }
 
     /**
@@ -549,12 +576,13 @@ public Object postProcessAfterInitialization(Object bean, String beanName) throw
      */
     private static final class SpringShiroFilter extends AbstractShiroFilter {
 
-        protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
+        protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver, ShiroFilterConfiguration filterConfiguration) {
             super();
             if (webSecurityManager == null) {
                 throw new IllegalArgumentException("WebSecurityManager property cannot be null.");
             }
             setSecurityManager(webSecurityManager);
+            setShiroFilterConfiguration(filterConfiguration);
 
             if (resolver != null) {
                 setFilterChainResolver(resolver);

support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebFilterConfiguration.java

@@ -20,6 +20,7 @@
 
 import org.apache.shiro.mgt.SecurityManager;
 import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.filter.mgt.DefaultFilter;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
@@ -40,6 +41,9 @@ public class AbstractShiroWebFilterConfiguration {
     @Autowired
     protected ShiroFilterChainDefinition shiroFilterChainDefinition;
 
+    @Autowired(required = false)
+    protected ShiroFilterConfiguration shiroFilterConfiguration;
+
     @Autowired(required = false)
     protected Map<String, Filter> filterMap;
 
@@ -56,6 +60,12 @@ protected List<String> globalFilters() {
         return Collections.singletonList(DefaultFilter.invalidRequest.name());
     }
 
+    protected ShiroFilterConfiguration shiroFilterConfiguration() {
+        return shiroFilterConfiguration != null
+                ? shiroFilterConfiguration
+                : new ShiroFilterConfiguration();
+    }
+
     protected ShiroFilterFactoryBean shiroFilterFactoryBean() {
         ShiroFilterFactoryBean filterFactoryBean = new ShiroFilterFactoryBean();
 
@@ -64,6 +74,7 @@ protected ShiroFilterFactoryBean shiroFilterFactoryBean() {
         filterFactoryBean.setUnauthorizedUrl(unauthorizedUrl);
 
         filterFactoryBean.setSecurityManager(securityManager);
+        filterFactoryBean.setShiroFilterConfiguration(shiroFilterConfiguration());
         filterFactoryBean.setGlobalFilters(globalFilters());
         filterFactoryBean.setFilterChainDefinitionMap(shiroFilterChainDefinition.getFilterChainMap());
         filterFactoryBean.setFilters(filterMap);