Win a copy of Micro Frontends in Action this week in the Server-Side JavaScript and NodeJS forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Paul Clapham
  • Bear Bibeault
  • Junilu Lacar
Sheriffs:
  • Jeanne Boyarsky
  • Tim Cooke
  • Henry Wong
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • salvin francis
  • Frits Walraven
Bartenders:
  • Scott Selikoff
  • Piet Souris
  • Carey Brown

Can I "cut" the chain in the filter?

 
Ranch Hand
Posts: 107
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
In my web application, some servlet should be accessed while logged in, and I wrote this code.



However, this idea requires to write these code on each login-only servlet, and I think it is a bad idea.

So, I want to move that code to filter like this.



If I use this code, it'll "cut" filter chain and make redirect response.

* Is this approach "safe"? container-independent?
* Is there better way to handle this problem?
 
author & internet detective
Posts: 40213
816
Eclipse IDE VI Editor Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Bupjae,
It's ok to "cut" the filter chain. This pattern is often used for security - if the user doesn't pass the security check, the user shouldn't be allowed to go on to the servlet.
 
Ranch Hand
Posts: 36
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I think your best option would be to use <security-constraint> tag in web.xml
There you can state in what url-patterns and servlets the user must have logged-in before accesing them.
And use <login-config> tag to specify the login and login-error page.
Check head first servlets & jsp book, it's explained very well in there. I think there's a tutorial at javaranch but I'm not sure.
 
Marshal
Posts: 67451
173
Mac Mac OS X IntelliJ IDE jQuery Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
That doesn't give you much control over the process. I prefer to use a filter.

Although in this case I'm not getting what the OP is trying to do. What's the point of catching the illegal state exception and trying the same thing again?
[ August 29, 2008: Message edited by: Bear Bibeault ]
 
Bupjae Lee
Ranch Hand
Posts: 107
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks for reply. I applied that filter, and it works well.

For <security-constraint>, I don't want to use text-based realm,
but I don't know how to connect my user-info database and <security-constraint>.

The reason I catch IllegalStateException is that invalided session throws that exception when I tried to call getAttribute.

[Edit: I modified some typo]
[ August 30, 2008: Message edited by: Bupjae Lee ]
 
Bear Bibeault
Marshal
Posts: 67451
173
Mac Mac OS X IntelliJ IDE jQuery Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Then your code is structured poorly with needless repetition. Consider how you could restructure the code to not have to repeat the redirect in more than one place.
 
Bupjae Lee
Ranch Hand
Posts: 107
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I first thought that request.getSession(false) could return already invalid session object.

However, I reread API and found this sentence: "If create is false and the request has no valid HttpSession, this method returns null."

So, I could get rid of needless code. Thanks for pointing my mistake.
 
Evil is afoot. But this tiny ad is just an ad:
Thread Boost feature
https://coderanch.com/t/674455/Thread-Boost-feature
reply
    Bookmark Topic Watch Topic
  • New Topic