I declared some constrained URLs that require form-based login. I also defined a filter for the same constrained URLs (i.e. both have the same <url-pattern>). My problem is: when an unauthenticated client first requests a constrained URL, he should be prompted with the login form rather than be served the URL. Then, does this count as a request for the constrained URLs and cause the filter to be invoked?
I tested with Tomcat, and it calls the filter only after a successful login. This seems logical, but is this guaranteed behaviour? I searched through the spec and couldn't find an explicit specification of the behaviour for this scenario!
SRV.12.2 The security model applies to the static content part of the web application and to servlets and filters within the application that are requested by the client.
As I understand it, the container will ensure authentication before calling any filters. This should be guaranteed behaviour. (Emphasis on "filters" is mine.)
“Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.” - Rich Cook
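As an added illustration (not code from the original thread), here is how the configuration in the question looks when the security constraint and the filter mapping share one url-pattern, together with a filter that records the authenticated principal it sees. Because the container authenticates before building the filter chain (in Tomcat, the authenticator valve runs in the context pipeline ahead of the wrapper valve that invokes filters), the filter should only ever observe requests with a non-null principal; the filter below fails closed if that assumption is ever violated, which is the defensive check worth having if you rely on this ordering. The filter class name, the /secure/* pattern and the role name are assumptions chosen for the example.

```java
/*
 * Assumed web.xml fragment for this example (not from the original post):
 *
 * <security-constraint>
 *   <web-resource-collection>
 *     <web-resource-name>Protected area</web-resource-name>
 *     <url-pattern>/secure/*</url-pattern>
 *   </web-resource-collection>
 *   <auth-constraint><role-name>user</role-name></auth-constraint>
 * </security-constraint>
 * <login-config>
 *   <auth-method>FORM</auth-method>
 *   <form-login-config>
 *     <form-login-page>/login.jsp</form-login-page>
 *     <form-error-page>/login-error.jsp</form-error-page>
 *   </form-login-config>
 * </login-config>
 * <filter>
 *   <filter-name>auditFilter</filter-name>
 *   <filter-class>example.AuthenticatedAuditFilter</filter-class>
 * </filter>
 * <filter-mapping>
 *   <filter-name>auditFilter</filter-name>
 *   <url-pattern>/secure/*</url-pattern>   <!-- same pattern as the constraint -->
 * </filter-mapping>
 */
package example;

import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Audit filter mapped to the same url-pattern as a FORM-auth security constraint.
 * Expectation (SRV.12.2): container authentication happens first, so every
 * request reaching doFilter carries an authenticated principal. The unauthenticated
 * request that triggers the login form never reaches this filter.
 */
public class AuthenticatedAuditFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(AuthenticatedAuditFilter.class.getName());

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure for this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // Should be unreachable behind a security constraint. Fail closed rather
            // than let an unauthenticated request continue down the chain, and log it
            // so a misconfigured url-pattern shows up immediately.
            LOG.severe("Filter reached without container authentication for "
                    + request.getRequestURI() + " (check url-patterns match)");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Normal path: record who is accessing the constrained resource.
        LOG.info("user=" + principal.getName()
                + " method=" + request.getMethod()
                + " uri=" + request.getRequestURI());
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Deploying this and hitting /secure/anything while logged out should yield only the login page with no "user=" audit line; the first audit line appears on the post-login replay of the request, which is the behaviour observed in the question.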