Filter URL Mapping

 
Greenhorn
Posts: 8
I have a requirement wherein I have to implement a technique to validate the user before he starts accessing the application. Also, I need to check if a valid user has logged in whenever he accesses any page in the application. If the user has not logged in, then I should redirect the user to the login screen.

So I am using a Login Authentication filter to do this. I have placed the login related xhtml files in a folder /login/. Once the user is authenticated, then he is directed to application pages which are placed under /pages/... folder.

My filter mapping is given below:

<code>
<filter>
    <filter-name>LoginFilter</filter-name>
    <filter-class>com.validate.LoginFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>LoginFilter</filter-name>
    <url-pattern>faces/pages/*</url-pattern>
</filter-mapping>
</code>

Scenario 1:
When the user accesses the login page directly from the browser, the login.xhtml page loads correctly. On click of the login button in login.xhtml, the user is authenticated and transferred to application-specific pages under /pages/welcomeuser.xhtml. The filter is not invoked on click of the login button in login.xhtml at this point in time, because the mapped URL for the filter is faces/pages/*. This scenario works fine.

Scenario 2:
Let's assume the user directly types the URL http://localhost:8020/pages/welcomeuser.xhtml. The expected behaviour is that the user should be redirected to the /login/login.xhtml page, as the user is not validated yet.

In this case, the doFilter() method in LoginFilter is invoked. Inside this method, I am checking if the user object exists or not. If it does not exist, then I am redirecting the user to /login/login.xhtml. What happens now is, since I am doing a redirect to a page whose URL pattern matches the URL pattern of the filter, it calls doFilter() again and again and this goes into an indefinite loop.

Please let me know how to overcome this.

The doFilter method is given below:

<code>
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    try {
        log.info("doFilter ");
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        CfsaosDTO cfsaosDTO = (CfsaosDTO) request.getSession().getAttribute("loggedInUser1");

        log.info("doFilter1 " + cfsaosDTO);

        CFSSecurityFactory.setCurrentUser(cfsaosDTO);
        filterChain.doFilter(servletRequest, servletResponse);

        // if(cfsaosDTO.equals(null))
        // request.setAttribute("errorMsg", "Login Required");
        // request.getRequestDispatcher(errorURL).forward(request, servletResponse);
        // request.getRequestDispatcher("/index.jsp").forward(request, servletResponse);
    } finally {
        // UserUtil.removeUserId();
    }
}
}
</code>

Thanks.
 
Saloon Keeper
Posts: 27762
Actually, I strongly discourage user-designed login processes because "user-designed" and "security" don't tend to work too well together.

However, if you must forgo the standard security system that comes built-in, pre-debugged and pre-validated with each and every J2EE/JEE server, the ServletFilter is the place to start.

The solution to this problem is simple (and usually when somebody starts off that way I want to punch him, but it's true in this case). In your servlet filter, check the incoming URL. If it's the Login URL, pass it straight through. Only check/process non-login URLs. That will avoid a recursion loop.
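
The pass-through check suggested in the reply above, sketched as an added example that is not part of the original thread and not either poster's code. It reuses the `loggedInUser1` session key and the `/login/login.xhtml` page from the question; the `/faces/*` filter mapping, the `/faces` prefix on the login path and the JSF resource prefix are assumptions about the application's layout.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not the poster's filter. Assumed mapping: <url-pattern>/faces/*</url-pattern>
public class LoginFilter implements Filter {
    private static final String USER_ATTR = "loggedInUser1";             // session key from the post
    private static final String LOGIN_PAGE = "/faces/login/login.xhtml"; // assumed /faces prefix
    // Paths that must stay reachable without a session (assumed layout).
    private static final String[] PUBLIC_PREFIXES = {
        "/faces/login/", "/faces/javax.faces.resource/"
    };
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Container-decoded path inside the web app; the raw request URI is
        // not used because it can carry encodings and ";" path parameters.
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);

        // Login URLs pass straight through, so the redirect below can never loop.
        if (isPublic(path)) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false): do not create a session for anonymous requests.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return; // fail closed: the protected page is never rendered
        }
        // Keep authenticated pages out of shared and browser caches.
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(req, res);
    }

    static boolean isPublic(String path) {
        if (path.contains("..")) return false; // refuse traversal-style paths
        for (String prefix : PUBLIC_PREFIXES) {
            if (path.startsWith(prefix)) return true;
        }
        return false;
    }
}
```

Mapping the filter broadly and allowlisting the few public paths means a page added later outside `/pages/` is protected by default rather than exposed by omission.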