Need help to understand a servlet filter example

Ranch Hand, Posts: 182
Hi everyone. I am trying to understand how servlet filters work by using the "tutorial" given at this blog

Project-


I won't paste the full code, but I will only focus on the main logic of the code in the project. I have posted the web.xml though.

web.xml-


1) login.html - You will be asked to enter a user and password here. Only user = user, password = pass is correct. This page directs you to LoginServlet.
2) LoginServlet.java - If your user and pass are correct, then a cookie user="user" is set for 30 minutes and you are directed to LoginSuccess.jsp.
Otherwise, you are directed to the login.html of (1).
3) LoginSuccess.jsp - If the username of the cookie set by LoginServlet is not null, that is, the user is NOT active, then redirect to login.html of (1). Alternatively, let the user click the logout button and go to LogoutServlet.java.
4) LogoutServlet.java - If the user in the cookie is "user", then "kill" the cookie and send the user back to login.html of (1).

Now, when I run this code and I enter the right user/password, I am redirected to the login.html page. This happens because of the logic inside AuthenticationFilter.
I was expecting to go to the LoginSuccess servlet instead. Why would someone want to have this seemingly counter-intuitive logic?
Also, when I remove the mappings for the filters (below) from web.xml, the code works as expected.

Saloon Keeper, Posts: 28752
A secure JEE web application should always check incoming requests to see if they require authorization. This is, in fact, one of the biggest failures of most Do-it-Yourself security systems. They have loopholes in their checking mechanisms.

If an incoming request requires an authorized user, the security manager (servlet filter in this case) should check to see if the user making the request has been authenticated (logged in). If not, the request should be aborted and the response should be a login page.

A login page request checks the user credentials, and if and only if the credentials check out, the user's session should be marked as "authenticated". What happens next is up to you. In JEE's built-in authentication system, the original request is pulled back in from a place where it was sidelined and allowed to proceed. In a lot of DIY systems, the login code forwards you to a "home" page.
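The flow Tim describes, written out as an added example (this is not the blog project's code nor any poster's): a deny-by-default filter that checks every request against the session, sidelines the original GET target, and a login servlet that marks the session authenticated only after the credentials check out and then replays the sidelined request. It assumes a Servlet 3.0+ container (javax.servlet, annotation mapping) and Java 9+ (Set.of); the paths, form parameter names and session attribute names are chosen for illustration, and each public class below would normally go in its own source file.

```java
package example.auth;

import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Runs on every request; only the allow-listed paths skip the session check. */
@WebFilter("/*")
public class AuthenticationFilter implements Filter {
    static final String AUTH_ATTR = "authUser";          // set only by LoginServlet
    static final String TARGET_ATTR = "postLoginTarget"; // sidelined request path
    // Everything not listed here is protected. An allow-list fails closed: an oddly
    // encoded path simply does not match a public entry and is treated as protected.
    private static final Set<String> PUBLIC_PATHS = Set.of("/login.html", "/LoginServlet");

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Strip the context path so the check is the same whether the app is deployed
        // at / or at /ServletFilterExample.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        HttpSession session = request.getSession(false);
        boolean authenticated = session != null && session.getAttribute(AUTH_ATTR) != null;
        if (authenticated || PUBLIC_PATHS.contains(path)) {
            chain.doFilter(req, res); // let the request proceed
            return;
        }

        // Not logged in: abort the request and answer with the login page. Remember the
        // target only for GETs (a replayed POST would have lost its body) and only for a
        // single-slash path, so "//host/..." can never become a protocol-relative redirect.
        if ("GET".equals(request.getMethod()) && path.startsWith("/") && !path.startsWith("//")) {
            request.getSession(true).setAttribute(TARGET_ATTR, path);
        }
        response.sendRedirect(request.getContextPath() + "/login.html");
    }
}

/** Checks credentials; only on success does the session become authenticated. */
@WebServlet("/LoginServlet")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // Hard-coded pair as in the tutorial; a real application verifies a salted
        // password hash from a user store here instead.
        boolean ok = "user".equals(request.getParameter("user"))
                && "pass".equals(request.getParameter("password"));
        if (!ok) {
            response.sendRedirect(request.getContextPath() + "/login.html?error=1");
            return;
        }
        // Carry over the sidelined target, then discard the pre-login session so an
        // attacker-planted session ID (session fixation) never becomes authenticated.
        HttpSession old = request.getSession(false);
        String target = old == null ? null : (String) old.getAttribute(AuthenticationFilter.TARGET_ATTR);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(AuthenticationFilter.AUTH_ATTR, "user");
        session.setMaxInactiveInterval(30 * 60); // 30 minutes, like the tutorial's cookie
        // Replay the sidelined request if there was one, otherwise go to a home page.
        response.sendRedirect(request.getContextPath() + (target != null ? target : "/home"));
    }
}

/** A protected page: the filter already vetted the request, so the servlet only
 *  prepares data and forwards to a JSP under WEB-INF, which a browser cannot request. */
@WebServlet("/home")
public class HomeServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        request.setAttribute("user", request.getSession(false).getAttribute(AuthenticationFilter.AUTH_ATTR));
        request.getRequestDispatcher("/WEB-INF/jsp/home.jsp").forward(request, response);
    }
}
```

Two things worth noting about the design: the authenticated state lives in the server-side session, not in a client cookie value that a browser can set to "user" itself, and logout is then simply `session.invalidate()` followed by a redirect to the login page. With `/*` as the filter mapping, any static assets the login page needs (CSS, images) must also be added to the public list or served from a separately mapped path.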
Ali Gordon, Ranch Hand, Posts: 182
Thanks Tim. My Auth filter is not working correctly. I changed the URI checker in Auth Filter to look for /ServletFilterExample/LoginServlet instead of just LoginServlet. Now, my log files indicate that the LoginServlet is accessible. But LoginSuccess.jsp is not, because of the auth filter. I could add the LoginSuccess.jsp to the list of things ignored by the auth filter to get around this. But that would defeat the purpose behind filters. How do I make the code work?
Marshal, Posts: 28425
You shouldn't have to add any JSPs to the list of things ignored by that filter, because you should not be requesting any JSPs from the browser in the first place. (Note that your filter mapping only refers to requests, not forwards.) The requests should always go to a servlet, which does its work and then forwards to a JSP. Allowing the user to request that JSP directly would be a bad thing because the servlet would not have done the work to set up data for the JSP.

It's very common to keep all JSPs in the WEB-INF folder, so it's impossible for the user to request them. The servlets would then forward to the JSP in that location.
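A deployment-descriptor fragment illustrating the point above, added here as an example and not taken from the tutorial's web.xml: the filter is mapped to every browser request, while the JSP sits under WEB-INF and is only ever reached by a servlet's forward. The filter class name and JSP path are assumed for illustration.

```xml
<!-- Filter declaration and mapping (names assumed for this example). -->
<filter>
  <filter-name>AuthenticationFilter</filter-name>
  <filter-class>example.auth.AuthenticationFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>AuthenticationFilter</filter-name>
  <url-pattern>/*</url-pattern>
  <!-- REQUEST is already the default when no <dispatcher> element is given; spelling
       it out makes the intent explicit. A servlet's forward to a JSP is a FORWARD
       dispatch and is therefore not re-filtered, which is what you want: the filter
       already vetted the request that the servlet is handling. -->
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<!-- The protected page is a servlet; the JSP it forwards to lives at
     /WEB-INF/jsp/home.jsp. Nothing under WEB-INF can be requested by URL, so there
     is no need to list the JSP in the filter's ignore list, and the servlet is
     guaranteed to have set up the request attributes before the JSP renders. -->
<servlet>
  <servlet-name>HomeServlet</servlet-name>
  <servlet-class>example.auth.HomeServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>HomeServlet</servlet-name>
  <url-pattern>/home</url-pattern>
</servlet-mapping>
```

If a JSP must be filtered on a forward as well (for instance because it is the only place a check can run), add `<dispatcher>FORWARD</dispatcher>` alongside `REQUEST`; otherwise keeping JSPs out of the document root is the simpler and safer fix.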
Kesava Krishna, Ranch Hand, Posts: 44
I agree with Tim; however, to solve your problem can you paste the <filter-name>, <servlet-name> mapping? It seems it is missing in the deployment descriptor which you pasted.
Ali Gordon, Ranch Hand, Posts: 182
Kesava Krishna wrote: I agree with Tim; however, to solve your problem can you paste the <filter-name>, <servlet-name> mapping? It seems it is missing in the deployment descriptor which you pasted.

I gave the full DD. If you need the other parts of the code, you can refer to the link in my question. I don't want to paste a huge amount of code here.
