
Filter and on Constrained Resource

 
Alec Lee
Ranch Hand
Posts: 569
I declared some constrained URLs that require form-based login. I also defined a filter for the same constrained URLs (i.e. both have the same <url-pattern>). My problem is when an unauthenticated client first requests the constrained URL, he should be prompted with the login form rather than responded to with the URL. Then, is this counted as a request for the constrained URLs, and does it cause the filter to be invoked?

I tested with Tomcat, and it will call the filter only after a successful login. This seems logical, but is this a guaranteed behaviour? I searched through the spec and couldn't find an explicit specification of the behaviour for this scenario!
 
Paul Bourdeaux
Ranch Hand
Posts: 783
From the Servlet Specs

SRV.12.2
The security model applies to the static content part of the web application and to servlets and filters within the application that are requested by the client.


As I understand it, the container will ensure authentication before calling any filters. This should be guaranteed behavior. (Emphasis on filters is mine)
 
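A filter mapped to the same pattern as the constraint can confirm for itself that the container authenticated the request instead of depending on invocation order. This is an added example, not code from either poster; the class name AuthCheckFilter, the filter name, the /secure/* pattern and the role name are assumptions, and it uses the javax.servlet API.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml (constructed for this example; login-config details elided).
 * The filter mapping and the constraint share one pattern, as in the question:
 *
 *   <filter-mapping>
 *     <filter-name>authCheck</filter-name>
 *     <url-pattern>/secure/*</url-pattern>
 *   </filter-mapping>
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>secure</web-resource-name>
 *       <url-pattern>/secure/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>user</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>FORM</auth-method> ... </login-config>
 */
public class AuthCheckFilter implements Filter {
    private FilterConfig config;

    public void init(FilterConfig config) { this.config = config; }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Principal user = http.getUserPrincipal(); // null when nobody is authenticated
        if (user == null) {
            // The container let an unauthenticated request through, for example
            // because the constraint and the mapping drifted apart. Fail closed.
            config.getServletContext().log("Unauthenticated request reached filter: "
                    + http.getMethod() + " " + http.getRequestURI());
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { config = null; }
}
```

If the constraint's web-resource-collection lists specific http-method elements, only those methods are protected, so requests using other methods can reach the filter unauthenticated and would be rejected here.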