
Can I "cut" the chain in the filter?

 
Bupjae Lee
Ranch Hand
Posts: 107
In my web application, some servlets should be accessed while logged in, and I wrote this code.



However, this idea requires writing this code in each login-only servlet, and I think it is a bad idea.

So, I want to move that code to a filter like this.



If I use this code, it'll "cut" the filter chain and make a redirect response.

* Is this approach "safe"? Container-independent?
* Is there a better way to handle this problem?
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34837
Bupjae,
It's ok to "cut" the filter chain. This pattern is often used for security - if the user doesn't pass the security check, the user shouldn't be allowed to go on to the servlet.
 
Angel J Gama
Ranch Hand
Posts: 36
I think your best option would be to use the <security-constraint> tag in web.xml.
There you can state in what url-patterns and servlets the user must have logged in before accessing them.
And use the <login-config> tag to specify the login and login-error pages.
Check the Head First Servlets & JSP book; it's explained very well in there. I think there's a tutorial at JavaRanch but I'm not sure.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65111
That doesn't give you much control over the process. I prefer to use a filter.

Although in this case I'm not getting what the OP is trying to do. What's the point of catching the illegal state exception and trying the same thing again?
[ August 29, 2008: Message edited by: Bear Bibeault ]
 
Bupjae Lee
Ranch Hand
Posts: 107
Thanks for the reply. I applied that filter, and it works well.

For <security-constraint>, I don't want to use a text-based realm,
but I don't know how to connect my user-info database and <security-constraint>.

The reason I catch IllegalStateException is that an invalidated session throws that exception when I try to call getAttribute.

[Edit: I fixed some typos]
[ August 30, 2008: Message edited by: Bupjae Lee ]
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65111
Then your code is structured poorly with needless repetition. Consider how you could restructure the code to not have to repeat the redirect in more than one place.
 
Bupjae Lee
Ranch Hand
Posts: 107
I first thought that request.getSession(false) could return an already invalid session object.

However, I reread the API and found this sentence: "If create is false and the request has no valid HttpSession, this method returns null."

So, I could get rid of the needless code. Thanks for pointing out my mistake.
 