Can I "cut" the chain in the filter?

In my web application, some servlet should be accessed while logged in, and I wrote this code.

protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { HttpSession session = request.getSession(false); PlayerLocal player = null; try { if (session == null || (player = (PlayerLocal) session.getAttribute("playerBean")) == null) { response.sendRedirect("/login.html"); return; } } catch (IllegalStateException ex) { response.sendRedirect("/login.html"); return; } /* omitted */ } protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { processRequest(request, response); } protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { processRequest(request, response); }

However, this idea requires to write these code on each login-only servlet, and I think it is a bad idea.

So, I want to move that code to filter like this.

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpSession session = request.getSession(false); PlayerLocal player = null; try { if (session == null || (player = (PlayerLocal) session.getAttribute("playerBean")) == null) { response.sendRedirect("/login.html"); return; } } catch (IllegalStateException ex) { response.sendRedirect("/login.html"); return; } chain.doFilter(wrappedRequest, wrappedResponse); }

If I use this code, it'll "cut" filter chain and make redirect response.

* Is this approach "safe"? container-independent?
* Is there better way to handle this problem?

Bupjae,
It's ok to "cut" the filter chain. This pattern is often used for security - if the user doesn't pass the security check, the user shouldn't be allowed to go on to the servlet.

I think your best option would be to use <security-constraint> tag in web.xml
There you can state in what url-patterns and servlets the user must have logged-in before accesing them.
And use <login-config> tag to specify the login and login-error page.
Check head first servlets & jsp book, it's explained very well in there. I think there's a tutorial at javaranch but I'm not sure.

That doesn't give you much control over the process. I prefer to use a filter.

Although in this case I'm not getting what the OP is trying to do. What's the point of catching the illegal state exception and trying the same thing again?
[ August 29, 2008: Message edited by: Bear Bibeault ]

Thanks for reply. I applied that filter, and it works well.

For <security-constraint>, I don't want to use text-based realm,
but I don't know how to connect my user-info database and <security-constraint>.

The reason I catch IllegalStateException is that invalided session throws that exception when I tried to call getAttribute.

[Edit: I modified some typo]
[ August 30, 2008: Message edited by: Bupjae Lee ]

Then your code is structured poorly with needless repetition. Consider how you could restructure the code to not have to repeat the redirect in more than one place.

I first thought that request.getSession(false) could return already invalid session object.

However, I reread API and found this sentence: "If create is false and the request has no valid HttpSession, this method returns null."

So, I could get rid of needless code. Thanks for pointing my mistake.