I'm working on setting up a security filter (to test if userid == null, then the user will be redirected back to the login page). I am working on the filter right now, but I'm curious how to define the correct filter-mapping. Basically, I have several jsp files in the same directory, but one is login.jsp and I don't want the filter to apply to that page because clearly the userid isn't yet specified when you hit the login page. So I can't use this:
Is there a way to define the url-pattern so that it applies to every jsp file EXCEPT for login.jsp? I'm not the best with regular expressions so if I were going to do an ls command or something, I would just grep *.jsp and then pipe that into a grep -v like this:
It's probably not the most efficient or elegant solution but it works there. Unfortunately, I think I need to specify everything in the <url-pattern> tags with a single regex. Can anyone tell me how to accomplish that? Is it possible to specify something in there like !(login)*.jsp??
I am not sure of the best way to do what you are asking in the web.xml - however, you could conceivably have your filter check to see if the request is for "login.jsp", and simply do nothing other than call chain.doFilter() in such a case. I think this would achieve what you're looking to do, if not in the location you are attempting to do it.
In preparing for battle I have always found that plans are useless, but planning is indispensable. -- Dwight D. Eisenhower
Thanks for the replies, folks. Correct me if I am wrong, but are you both actually suggesting the same thing just in different words? Please understand this is uncharted territory for me here. While I am quite proficient in Java (J2SE anyway), I have never used any servlet filters before and have never really done any J2EE stuff at all until getting my most recent job a few weeks ago. From what I am reading on Google, it sort of seems like I need to pull the value of the servlet being requested out of the HttpServletRequest object and check to see if it's "/login.jsp" or not. Furthermore, Bear is simply suggesting that I place the value of login.jsp into an <init-param> instead of hard-coding the string "/login.jsp" -- is that correct or no?
So would something like this work?
It seems to me like Bear's suggestion is to add an instance variable to the class and then inside of init() I would save the value returned by config.getInitParameter() into my String instance variable (which should be "/login.jsp"). Then inside of the doFilter() method I would just have an if test comparing file and my instance variable instead of comparing it to the literal "/login.jsp" ...is that right?
In any case I'll try this out when I get back to work next week. Thanks again!
> Correct me if I am wrong, but are you both actually suggesting the same thing just in different words?
I think that's pretty much correct (I'm sure Bear will correct me if I'm wrong here). I am suggesting that your filter "handles" requests to login.jsp by simply ignoring them and letting them pass without any intervention by the filter. Bear is making an additional design suggestion (a good one) to use a variable to hold an exclusion list, rather than hard coding "login.jsp" into the filter.
I think the ultimate point is that if the filter-mapping facility of the web container doesn't give you enough control, you still have the ability to do a lot more fine-grained inspection of the Request object within the Filter code itself. The Filter can always decline to take any action.
Hooray...it works! There are some other problems that prevent this from working yet but they are specific to the application that I am working on. I can at least see that the filter code is working correctly though. Thanks guys!
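
The approach discussed in this thread, as an added example that is not code from any of the posters: a filter mapped to `*.jsp` that lets excluded paths through and redirects everything else to the login page when no user is logged in. The class name `LoginFilter`, the init-param names `loginPage` and `excludedPaths`, and the assumption that `userid` is a session attribute are hypothetical.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Mapped in web.xml with <url-pattern>*.jsp</url-pattern>. The exclusion is done
// here because url-pattern has no "everything except" syntax.
public class LoginFilter implements Filter {
    private final Set<String> excluded = new HashSet<String>();
    private String loginPage;

    public void init(FilterConfig config) throws ServletException {
        // Assumed init-params, e.g. loginPage=/login.jsp, excludedPaths=/login.jsp
        loginPage = config.getInitParameter("loginPage");
        String list = config.getInitParameter("excludedPaths");
        if (loginPage == null || list == null) {
            throw new ServletException("loginPage and excludedPaths are required");
        }
        for (String p : list.split(",")) {
            excluded.add(p.trim());
        }
        excluded.add(loginPage); // never filter the login page itself (no redirect loop)
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getServletPath() is the path the container used to select the resource,
        // without the query string. Compare it exactly against the exclusion list
        // rather than using endsWith()/contains() on the raw request URI.
        if (excluded.contains(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(false); // do not create a session here
        Object userid = (session == null) ? null : session.getAttribute("userid");
        if (userid == null) {
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Failing in `init()` when a parameter is missing keeps a misconfigured deployment from silently running with an empty exclusion list or a null redirect target.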