New question on SERVLET filter

In my code below, if the validatedUser == true then I get stuck in a loop in that the method completes but then I come right back into the method yet again and again... The page is never redirected to the index.jsp page.

If the user is NOT validated the sendRedirect to the validationFailed.jsp page works GREAT, thanks to Nirvan's help. But if the user IS validated then again I'm just stuck in that the doFilter() is just executed repetitively.

The only thing that I can think of is that the REDIRECT for a validated user is the SAME as the URI. Is that the issue? If so, how can I correct it so as to redirect the user and get out of the doFIlter()?

I do not understand what am I doing wrong? If the user IS validated how can I just redirect this user to the "/CSC-ARXfer/faces/index.jsp" page? That is all I'm needing to do.

Any help/direction/suggestion would be greatly appreciated. Here is the code:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain fc) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest)request; HttpServletResponse resp = (HttpServletResponse)response; String URI = req.getRequestURI(); int indexURI = URI.indexOf("/index.jsp"); if (indexURI == 17) { userID = request.getParameter("user").trim().toUpperCase(); if (userID != null) { // Test Invalid USERID //userID = "bugsbunny"; // Validate user boolean validatedUser = userService.validateUserID(userID); // Redirect user depending on value of validatedUser if (validatedUser) { resp.sendRedirect("/CSC-ARXfer/faces/index.jsp?user="+userID); } else { resp.sendRedirect("/CSC-ARXfer/faces/validationFailed.jsp"); } } else{ resp.sendRedirect("/CSC-ARXfer/faces/validationFailed.jsp"); } } else { fc.doFilter(request, response); } }

You know, you're really making a good case for my contention that in addition to being insecure, Do-It-Yourself security systems are really expensive to implement compared to using the pre-debugged alternatives.

I think that your problem is that you're not checking to see if the initial target of the request isn't already your redirect page. Since you're authenticated, that just means you'd end up redirecting to the same page you're already coming to.

Try putting in a test for the target URL and if it's the same as the redirect URL, don't redirect.

If the targetURL == "/CSC-ARXfer/faces/index.jsp" then what? What do I need to enter here?

Therein lies my question?

Once I get the validatedUser value and I just test for the invalidated user then my redirect to the validationFailed.jsp work great.

However, when get a validated user, I get the URL in the address field of my browser but I've get a blank page.

What did I do wrong? Your response is appreciated and I've read your numerous posts on security systems. But try to help me on my question if you don't mind. Thank you.

Seriously, the biggest help I can give is the advice to choose your battles. Time spent re-inventing security functions is time (and money) that could have been spent on tasks that are unique to your business. If you have time to burn, a lot of people out here want to know where to send their résumés!

However, from a purely technical point, the usual thing to do if you're already at your destination is nothing at all.

More specifically, since you're dealing with servlet filters, and they're chained together, just pass the request to the next filter in the chain using the FilterChain doFilter method and don't redirect the URL.

Tim, thanks. Yes. I've already tried doing the following and I think that is what you are suggesting:

if (validatedUser) { fc.doFilter(request, response); } else { resp.sendRedirect("/CSC-ARXfer/faces/validationFailed.jsp"); }

And when I do that I just go into a perpetual loop. Meaning the doFilter method gets executed again and again and again... Exactly what am I doing wrong here?

From a purely technical stand point, and I don't even pretend to know about the FilterChain, much less JSF, it would appear that I'm using the FilterChain incorrectly because it does NOT work in the scenario above.

Any other suggestions/direction would again be appreciated. Thanks.

The loop should end with this. But I do not think filter is the right way to solve your problem. But I do not have a better solution so...
if (validatedUser || URI.endsWith("/CSC-ARXfer/faces/validationFailed.jsp")) { fc.doFilter(request, response); } else { resp.sendRedirect("/CSC-ARXfer/faces/validationFailed.jsp"); }

Ilari,

That definitely ended the loop and I was able to get to my web page without issue. Thank you so much for your quick reply.

I would be interested to know your thoughts on what the right way is to resolve validation of a user before any pages are rendered or started to render if not by way of a servlet filter. I did understand that a PhaseListener was also an option but that looked a lot more complicated than using a servlet filter. What I thought, mistakenly, that the servlet filter would be a lot easier but it turned out, for me at least, to be quite a challenge. I am a newbie to JSF and using this framework has proved to me that it is more complicated and complex than I would have thought.

Again your help was very much appreciated. Thank you so much.

Well if it has to be before anything else has started to happen then using the filter is a good answer yes
But it seems like so much work has been done just to prevent the user to get on the site. I hope that you have use for the filter later on. I mean do you use it as a filter that checks on every page load that the user is "logged in"? Cause it fits to that use well.

And servlet filters are not part of the JSF but part of the basic Java servlet structure so the filter solution would have worked in any other Java web framework. And therefore your question was actually in the wrong section.

A common way to do that is to have a login page where the user provides his/her password, and if that checks out, the user ID is stored in the session as the "user" attribute.

Then the servlet filter looks at the session; if there is a session, and if it has a "user" attribute, then the user is authenticated and it continues to process the request. If not, then it redirects to the login page.

Trying to store the user ID in hidden fields in every single form (if that's really your solution) seems like a rather clumsy way to deal with authentication.

Ilari - Thanks. It is supposed to be used to check the logged in user.

However, after the user is validated, and I've gotten to the index.jsp page successfully the URL is as follows:

http://machinename.company.org:9081/CSC-ARXfer/faces/index.jsp?user=SavoyM

I complete the fields in the index page and click on the submit button it executes the backing bean which is defined in the action which is described as createTransaction(). In that backing bean I return null so that the index.jsp web page reloads but now I am NOT getting the user=SavoyM parameter or its value. Here is the URL that is at the top of my page when the web page reloads with an error.

http://machinename.company.org:9081/CSC-ARXfer/faces/index.jsp

[11/5/10 14:03:24:500 CDT] 00000016 servlet E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: Uncaught exception created in one of the service methods of the servlet Faces Servlet in application CSC-ARXferEAR. Exception created : javax.servlet.ServletException: /index.jsp(88,105) '#{userBean.userID}' java.lang.NullPointerException at javax.faces.webapp.FacesServlet.service(FacesServlet.java:277) at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1661) at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1595) at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:104) at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:77) at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:895) at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:932) at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:500) at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178) at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:91) at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:864) at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1583) at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:183) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:455) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:384) at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:83) at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165) at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217) at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161) at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138) at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204) at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775) at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905) at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1550) Caused by: org.apache.jasper.el.JspELException: /index.jsp(88,105) '#{userBean.userID}' java.lang.NullPointerException at org.apache.jasper.el.JspValueExpression.getValue(JspValueExpression.java:106) at javax.faces.component.UIOutput.getValue(UIOutput.java:184) at com.sun.faces.renderkit.html_basic.HtmlBasicInputRenderer.getValue(HtmlBasicInputRenderer.java:201) at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.getCurrentValue(HtmlBasicRenderer.java:284) at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.encodeEnd(HtmlBasicRenderer.java:154) at com.ibm.faces.renderkit.DefaultAjaxRenderer.encodeEnd(DefaultAjaxRenderer.java:83) at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:850) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:946) at javax.faces.render.Renderer.encodeChildren(Renderer.java:148) at com.ibm.faces.renderkit.DefaultAjaxRenderer.encodeChildren(DefaultAjaxRenderer.java:73) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:826) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:936) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:942) at com.sun.faces.application.ViewHandlerImpl.doRenderView(ViewHandlerImpl.java:289) at com.sun.faces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:220) at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:110) at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100) at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:266) ... 23 more Caused by: java.lang.NullPointerException at pagecode.UserBean.getUserID(UserBean.java:39) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37) at java.lang.reflect.Method.invoke(Method.java:600) at javax.el.BeanELResolver.getValue(BeanELResolver.java:273) at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:143) at com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:73) at org.apache.el.parser.AstValue.getValue(AstValue.java:97) at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:185) at org.apache.jasper.el.JspValueExpression.getValue(JspValueExpression.java:100) ... 41 more [11/5/10 14:03:24:515 CDT] 00000016 webapp E com.ibm.ws.webcontainer.webapp.WebApp logServletError SRVE0293E: [Servlet Error]-[Faces Servlet]: org.apache.jasper.el.JspELException: /index.jsp(88,105) '#{userBean.userID}' java.lang.NullPointerException at org.apache.jasper.el.JspValueExpression.getValue(JspValueExpression.java:106) at javax.faces.component.UIOutput.getValue(UIOutput.java:184) at com.sun.faces.renderkit.html_basic.HtmlBasicInputRenderer.getValue(HtmlBasicInputRenderer.java:201) at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.getCurrentValue(HtmlBasicRenderer.java:284) at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.encodeEnd(HtmlBasicRenderer.java:154) at com.ibm.faces.renderkit.DefaultAjaxRenderer.encodeEnd(DefaultAjaxRenderer.java:83) at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:850) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:946) at javax.faces.render.Renderer.encodeChildren(Renderer.java:148) at com.ibm.faces.renderkit.DefaultAjaxRenderer.encodeChildren(DefaultAjaxRenderer.java:73) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:826) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:936) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:942) at com.sun.faces.application.ViewHandlerImpl.doRenderView(ViewHandlerImpl.java:289) at com.sun.faces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:220) at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:110) at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100) at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:266) at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1661) at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1595) at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:104) at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:77) at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:895) at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:932) at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:500) at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178) at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:91) at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:864) at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1583) at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:183) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:455) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:384) at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:83) at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165) at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217) at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161) at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138) at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204) at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775) at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905) at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1550) Caused by: java.lang.NullPointerException at pagecode.UserBean.getUserID(UserBean.java:39) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37) at java.lang.reflect.Method.invoke(Method.java:600) at javax.el.BeanELResolver.getValue(BeanELResolver.java:273) at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:143) at com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:73) at org.apache.el.parser.AstValue.getValue(AstValue.java:97) at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:185) at org.apache.jasper.el.JspValueExpression.getValue(JspValueExpression.java:100) ... 41 more [11/5/10 14:03:24:515 CDT] 00000016 srt W com.ibm.ws.webcontainer.srt.SRTServletResponse setStatus WARNING: Cannot set status. Response already committed. [11/5/10 14:03:24:515 CDT] 00000016 srt W com.ibm.ws.webcontainer.srt.SRTServletResponse addHeader WARNING: Cannot set header. Response already committed. [11/5/10 14:03:24:640 CDT] 00000016 servlet I com.ibm.ws.webcontainer.servlet.ServletWrapper init SRVE0242I: [CSC-ARXferEAR] [/CSC-ARXfer] [/error.jsp]: Initialization successful.

Is there a way to correct this?

As Paul Clapman (and myself) implied in the previous posts the filter gets executed on every page load. So if you do not for example save the userId in session and add check in the aforementiened filter that the userId is either in the request (as it is the first time) or in the session then every consequent page load just forwards to validationFailed.jsp.
But I gathered that you undesrtood this? At least so did everyone else that suggested to you this filter solution. Unless you make the filter filter only calls to index.jsp but then it works only for if the user uses the link you provided. Much better solution would be the login page (and after that the session) that was suggested here and was suggested in the previous threads as well.

But I do not know why you get the Nullpointer there. Maybe you have a program logic that does not take into account the fact that userId is present only on first page load (i.e in the request the first time the user click the link).

Anyway, do not get me wrong but it seems to me that you way over your head here. It seems that you know so little about Servlets that you should start with the very basics first before you dive into more complicated code like JSF. It is very easy to use JSF (in my opinion, compared to Struts, or even basic servlets or jsp) but if you have little or no clue what happens behind the scene then nothing we say really helps you in any way. If you are forced to do this altough you do not understand what you are doing then I have to wish you good luck and hope for the best...

Thanks.