As per my understanding, the order of filter execution is the order they are defined in the web.xml for the same url-mapping. But I could not find any reference how this behaves, if we have multiple filters defined for same url-mapping across the container's web.xml and individual application's web.xml
My assumption was, since an application is deployed as part of a container, say tomcat, which has web.xml of its own, any requests targeted for each such deployed app, will have to go through the filter chain defined in tomcat/conf/web.xml before going through application filters. But my understanding is wrong
I have a simple web app with two filters defined in web.xml as follows
Without any further change, if I hit my web url as
, I see AppFilterOne and AppFilterTwo being hit in that order.
Now, I added two more filters in my tomcat/conf/web.xml (My tomcat version is 7.0.27 and supporting servlet 3.0)
Now, if I access
, the filters executed in the below order
My initial assumtion was, the TomWebFilters will intercept first and then the application specific filters.
If the results I see are actually correct and that is how the filters work, is there a way I can influence the execution order of the filter. I heard about <absolute-ordering> but not sure, if that is the correct approach here.
A little back ground my actual problem:
We have a bunch of web applications deployed in different vm's in tomcat 7X instance. Each of these web application has an audit filter that audits and logs each incoming requests. However, in tomcat /conf/web.xml a filter is defined to support NTLM authentication (JCIFS flavor). Because of this setup, every requests coming in are actually logged (as part of audit filter) and then filtered for NTLM. We want the NTLM to happen first and then anything else.
There are couple of approaches, I'm thinking here
A) Instead of defining in tomcat/conf/web.xml, we may need to define that filter as the first filter in each application.
B) Have NTLM filter set an attribute in request, stating the status of the NTLM process and our audit filter will check for this for two times (i.e for two 401 HTTP status codes), and return back.
I'm not particularly happy with both approaches and hence wondering what can be done