Can I "cut" the chain in the filter?

Bupjae Lee
Ranch Hand

Joined: May 14, 2007
Posts: 107
In my web application, some servlets should be accessed while logged in, and I wrote this code.



However, this idea requires writing this code in each login-only servlet, and I think it is a bad idea.

So, I want to move that code to a filter like this.



If I use this code, it'll "cut" the filter chain and make a redirect response.

* Is this approach "safe"? Container-independent?
* Is there a better way to handle this problem?
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30789
    

Bupjae,
It's ok to "cut" the filter chain. This pattern is often used for security - if the user doesn't pass the security check, the user shouldn't be allowed to go on to the servlet.


Angel J Gama
Ranch Hand

Joined: Jun 28, 2007
Posts: 36
I think your best option would be to use the <security-constraint> tag in web.xml.
There you can state for which url-patterns and servlets the user must have logged in before accessing them.
And use the <login-config> tag to specify the login and login-error pages.
Check the Head First Servlets & JSP book, it's explained very well in there. I think there's a tutorial at JavaRanch but I'm not sure.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61447
    

That doesn't give you much control over the process. I prefer to use a filter.

Although in this case I'm not getting what the OP is trying to do. What's the point of catching the illegal state exception and trying the same thing again?
[ August 29, 2008: Message edited by: Bear Bibeault ]

Bupjae Lee
Ranch Hand

Joined: May 14, 2007
Posts: 107
Thanks for the reply. I applied that filter, and it works well.

For <security-constraint>, I don't want to use a text-based realm,
but I don't know how to connect my user-info database and <security-constraint>.

The reason I catch IllegalStateException is that an invalidated session throws that exception when I try to call getAttribute.

[Edit: I fixed some typos]
[ August 30, 2008: Message edited by: Bupjae Lee ]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61447
    

Then your code is structured poorly with needless repetition. Consider how you could restructure the code to not have to repeat the redirect in more than one place.
Bupjae Lee
Ranch Hand

Joined: May 14, 2007
Posts: 107
I first thought that request.getSession(false) could return an already invalid session object.

However, I reread the API and found this sentence: "If create is false and the request has no valid HttpSession, this method returns null."

So, I could get rid of the needless code. Thanks for pointing out my mistake.
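
The pattern discussed in this thread, as an added example that is not part of the original posts (the posters' own code did not survive on this page): a login-check filter that "cuts" the chain with a single redirect. The class name, the `loggedInUser` attribute and `/login.jsp` are assumptions, and it uses the `javax.servlet` API of the thread's era.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Map this filter in web.xml only to the login-only URL patterns, never to the
// login page itself, or the redirect below loops.
public class LoginRequiredFilter implements Filter {
    // Assumed names; the thread does not show the attribute or the login URL.
    private static final String USER_ATTR = "loggedInUser";
    private static final String LOGIN_PATH = "/login.jsp";

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isLoggedIn(request)) {
            // "Cut" the chain: the one and only redirect. Returning without
            // calling chain.doFilter means the protected servlet never runs.
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(request, response);
    }

    private static boolean isLoggedIn(HttpServletRequest request) {
        // getSession(false) never creates a session and returns null when the
        // request has no valid one.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        try {
            return session.getAttribute(USER_ATTR) != null;
        } catch (IllegalStateException invalidatedMeanwhile) {
            // Session invalidated by a concurrent request (e.g. logout) after
            // the lookup above: fail closed.
            return false;
        }
    }

    public void destroy() { }
}
```

The redirect URL is built without `encodeRedirectURL`, so the session ID is never appended to the login URL.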
 