Using a filter to block access to certain web pages.

Hi Folks,

I'm trying to modify an existing filter that I've written to implement role based access.

Here's the code that I've written . I'm trying to prevent access to a set of pages if the user's role_id isnt 1.It would be great if anyone could help me with it.
Thanks a lot for your time.
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest httprequest = (HttpServletRequest) request; HttpServletResponse httpresponse = (HttpServletResponse) response; if ( httprequest.getRequestURI().indexOf("public/login.jsp") == -1) { HttpSession session = httprequest.getSession(); User logged = (User) session.getAttribute("user1"); if ( logged == null ) { System.out.println("Redirecting to login page as user is null"); httpresponse.sendRedirect("../public/login.jsp"); return; } System.out.println(logged.getStrfullName()); if(logged.getNroleid()!=1){ /* * And the url requested is amongst a set of pages then redirect to home page.How do I implement this? */ } }
Thanks again!

Hi,
One of easy way for it will be use any security API ( eg. spring security api).

Im not using any frameworks because of client specifications.

HttpServletResponse has a method you can call to cause a redirect.

In this post (User Authentication (Filter/Servlet)) I show a way to configure a login using a Filter.

I hope it helps you.

Tim Moores wrote:HttpServletResponse has a method you can call to cause a redirect.

If you mean sendRedirect() method , I think I'm already using it.
Let me explain.
My problem now is to block access to users who try to access pages that they dont have rights to, by changing the url in the browser manually. So if anyone could suggest a method that I could write in my filter , the would help prevent access to certain pages that users who dont have the required access rights(given by users whose role_id is not 1).
Hope Im being clear.
Thanks.

Hebert Coelho wrote:In this post (User Authentication (Filter/Servlet)) I show a way to configure a login using a Filter.

I hope it helps you.

I did have a look . However it doesnt seem to address my issue that I have explained above?

Vic Hood wrote:If you mean sendRedirect() method , I think I'm already using it.

Well, not in the code you posted. It would seem that it needs to go in the spot where you indicated that something is missing.

Tim Moores wrote:

Vic Hood wrote:If you mean sendRedirect() method , I think I'm already using it.

Well, not in the code you posted. It would seem that it needs to go in the spot where you indicated that something is missing.

Well , just sendRedirect there in the form
if(logged.getNroleid()!=1){ httpresponse.sendRedirect("../public/home.jsp"); } } // Assuming home.jsp is the redirected page.
This would cause an infinite loop . Could you elaborate your suggestion?

I havent really used filters before . So it would be great if someone could point to what Im doing wrong..Or whether my approach is inherently flawed..

Your approach seems fine to me. As for the missing bit of your code: you have access to the request, so you can extract the "page" from the URL. Then you can compare it to the list of allowable pages (where you get this list from and how you do the comparing isn't really a question about filters) and redirect if the page isn't in that list. You already know how to redirect, so I'm not clear on what your problem is now.

Hi Paul,
Thanks for reply.
A few questions . How exactly do I extract the page from the URL?
Assuming that I do get access to the page thats requested for from the URL .
Then is my pseudo code below correct?
HttpSession session = httprequest.getSession(); User logged = (User) session.getAttribute("user1"); String url=// get the requested URL some how; ArrayList<String> URLcollection= new ArrayList<String>(); //Contains list of urls that need to be restricted. if ( logged == null ) { System.out.println("Redirecting to login page as user is null"); httpresponse.sendRedirect("../public/login.jsp"); return; } if(logged.getNroleid()!=1 && URLcollection.contains(url)){ /* *then redirect to home page */ }

Slightly off-topic, but your doFilter method should end with chain.doFilter(request, response); to allow any other filters to be called as well.

Hey Rob,
Thanks for the reply! I just forgot to copy paste the code correctly. I do have the doFilter part in my code.Could anyone helpme with my earlier problem of extracting the requeted url
?
Or should I make a separate topic for that?
Thanks

Vic Hood wrote:Hi Paul,
Thanks for reply.
A few questions . How exactly do I extract the page from the URL?
Assuming that I do get access to the page thats requested for from the URL .
Then is my pseudo code below correct?
HttpSession session = httprequest.getSession(); User logged = (User) session.getAttribute("user1"); String url=// get the requested URL some how; ArrayList<String> URLcollection= new ArrayList<String>(); //Contains list of urls that need to be restricted. if ( logged == null ) { System.out.println("Redirecting to login page as user is null"); httpresponse.sendRedirect("../public/login.jsp"); return; } if(logged.getNroleid()!=1 && URLcollection.contains(url)){ /* *then redirect to home page */ }

I don't have access to the servlet API at the moment. I suppose I could google it up, but I assume that you have access to it so you can look at it. Look at the methods for the HttpServletRequest interface and pick one which looks like it should do the trick. Or if none of them strikes your fancy, then pick several of them. Try them to see what they do. (Really I shouldn't have to tell programmers to do this sort of thing.)

And to make it easier, just click on the word HttpServletRequest to directly open its Javadoc page.

Okay I get the point . I will do as suggested .However , I was only looking to confirm whether my approach is correct.Any comments on that would be appreciated.