Security filter question

 
Ranch Hand
Posts: 82
Since the request from the client is first intercepted by the filter, how can it authenticate the user, since there is no info available about the user? Do I need to call the database from the doFilter method to validate the credentials? If yes, then what's the use of using the security filter, as this task can be done without it as well?
 
Greenhorn
Posts: 17
Hi,
the idea of security filter is that you can encapsulate security outside of your servlets/jsps.

By intercepting every request, the filter can verify if the user already established a session with the system; if not, you can redirect to a login screen and validate user credentials (via database, ldap, etc.) before the user accesses any secured content.

That way, you can code your servlets and jsps "ignoring" security, trusting the filter's authentication. This scheme makes your app more maintainable and easy to code and understand.
 
Sheriff
Posts: 13411
If you're using container managed security, there is no need for one.

If you're implementing your own security, a filter is a very easy way to check for the needed session objects or redirect to the login screen for every request without having to paste the same code into every servlet/jsp.
 