What is the default order of filter execution defined in WEB-INF/web.xml and conf/web.xml

 
Ranch Hand

Hello All,

As per my understanding, the order of filter execution is the order they are defined in the web.xml for the same url-mapping. But I could not find any reference on how this behaves if we have multiple filters defined for the same url-mapping across the container's web.xml and an individual application's web.xml.

My assumption was that, since an application is deployed as part of a container, say Tomcat, which has a web.xml of its own, any requests targeted at each such deployed app will have to go through the filter chain defined in tomcat/conf/web.xml before going through the application filters. But my understanding is wrong.

I have a simple web app with two filters defined in web.xml as follows



Without any further change, if I hit my web URL as http://localhost:8080/myapp, I see AppFilterOne and AppFilterTwo being hit in that order.

Now, I added two more filters in my tomcat/conf/web.xml (My tomcat version is 7.0.27 and supporting servlet 3.0)



Now, if I access http://localhost:8080/myapp, the filters executed in the below order:
AppFilterOne
AppFilterTwo
TomWebFilterOne
TomWebFilterTwo

My initial assumption was that the TomWebFilters would intercept first and then the application-specific filters.

If the results I see are actually correct and that is how the filters work, is there a way I can influence the execution order of the filters? I heard about <absolute-ordering> but I'm not sure if that is the correct approach here.


A little background on my actual problem:
We have a bunch of web applications deployed in different VMs in Tomcat 7.x instances. Each of these web applications has an audit filter that audits and logs each incoming request. However, in tomcat/conf/web.xml a filter is defined to support NTLM authentication (JCIFS flavor). Because of this setup, every request coming in is actually logged (as part of the audit filter) and then filtered for NTLM. We want the NTLM to happen first and then anything else.

There are a couple of approaches I'm thinking of here:
A) Instead of defining it in tomcat/conf/web.xml, we may need to define that filter as the first filter in each application.
B) Have the NTLM filter set an attribute in the request, stating the status of the NTLM process, and our audit filter will check for this two times (i.e. for two 401 HTTP status codes), and return back.

I'm not particularly happy with both approaches and hence wondering what can be done.

Thanks
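
The ordering reported in the post above, as an added example that is not part of the original thread: a deploy-time check that computes the effective filter chain for a request path and tests whether the authentication filter runs before the audit filter. The web.xml content is constructed (the poster's fragments are not shown), the `/*` mapping is assumed, TomWebFilterOne and AppFilterOne stand in for the NTLM and audit filters, and the "application mappings first, then conf/web.xml" merge order is the one observed in the thread, not a rule taken from the servlet specification.

```python
import xml.etree.ElementTree as ET

def web_xml(*names):
    """Build a constructed web.xml mapping each named filter to /* (assumed pattern)."""
    body = "".join(
        f"<filter-mapping><filter-name>{n}</filter-name>"
        f"<url-pattern>/*</url-pattern></filter-mapping>" for n in names)
    return f'<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">{body}</web-app>'

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def url_mappings(xml_text):
    """Return (filter-name, [url-pattern, ...]) pairs in declaration order."""
    out = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "filter-mapping":
            name = [c.text.strip() for c in el if local(c.tag) == "filter-name"][0]
            out.append((name, [c.text.strip() for c in el if local(c.tag) == "url-pattern"]))
    return out

def matches(pattern, path):
    """Servlet-style url-pattern match: exact, /prefix/*, or *.ext."""
    if pattern == path or pattern == "/*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return False

def effective_chain(app_xml, conf_xml, path):
    """Application mappings first, then conf/web.xml ones (order observed in the thread)."""
    chain = []
    for name, patterns in url_mappings(app_xml) + url_mappings(conf_xml):
        if name not in chain and any(matches(p, path) for p in patterns):
            chain.append(name)
    return chain

def runs_before(chain, first, second):
    """True only if both filters are in the chain and `first` precedes `second`."""
    return first in chain and second in chain and chain.index(first) < chain.index(second)

if __name__ == "__main__":
    # Assumed roles: TomWebFilterOne = authentication, AppFilterOne = audit.
    observed = effective_chain(web_xml("AppFilterOne", "AppFilterTwo"),
                               web_xml("TomWebFilterOne", "TomWebFilterTwo"), "/index.jsp")
    print(observed, runs_before(observed, "TomWebFilterOne", "AppFilterOne"))
    option_a = effective_chain(web_xml("TomWebFilterOne", "AppFilterOne", "AppFilterTwo"),
                               web_xml("TomWebFilterTwo"), "/index.jsp")
    print(option_a, runs_before(option_a, "TomWebFilterOne", "AppFilterOne"))
```

The second call models approach A from the post, where the authentication filter mapping is declared first in the application's own web.xml.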

 
Kumar Raja
To fix my original problem, I removed the filter from the application web.xml to audit log, and instead used AOP for that purpose. It seems to be working fine.
 
Kumar Raja
But I'm still curious to know if there is a standard way to influence the filter sequence declared between WEB-INF/web.xml and conf/web.xml.
 
Saloon Keeper
To the best of my knowledge there is absolutely nothing in the J2EE spec about there being a common shadow webapp backing the actual webapps. That's just how Tomcat provides the services not explicitly defined in the webapps themselves.

So any webapp you design that depends on such an architecture would be non spec-compliant and likely to fail if your company got bought out by some bigger company who insisted that all webapps be hosted in WebSphere (for example).

Or, for that matter, if Tomcat should change to a different internal architecture in some future release.

A better place to handle authentication would be to use a Tomcat security Realm that integrates with NTLM. There are a few of them out there, although I don't believe that any come with the basic Tomcat package.

For auditing incoming URLs on a site-wide basis (as opposed to for a single webapp), the usual means is via a Valve. In fact, there's a pre-supplied Valve that Tomcat can employ to log access requests.

Using the mechanisms I just described can make your problem go away and avoid having to customize Tomcat's internals, since they're employing standard extension mechanisms.
 
Kumar Raja
Thank you Tim.

Yes, recently I heard about Tomcat Valve and will read more on this. Thanks for referring them here.
 