On p.652 of Charles Lyon's book:
A web application needs to use programmatic security to protect some of its resources. Which of these patterns would best achieve this goal?
a. front controller
b. intercepting filter
c. MVC
d. business delegate
Answer: A, B
A controller can be used to protect one or two resources and is good for programmatic authentication purpose while a filter is the most scalable solution to implement programmatic authorization. C is incorrect, we don't necessarily have any need for a view here. D is incorrect, as we aren't using EJB.
Must a controller be used for authentication while a filter is used for authorization?
Can we use a filter for authentication and a controller for authorization? My reason is: when a request is sent, the filter first authenticates the user. After the authentication is done, the controller authorizes the user and dispatches the right resources to the user.
Is this approach possible?
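
The arrangement asked about above (a filter that authenticates, then a front controller that authorizes and dispatches), written against the Servlet API as an added example that is not part of the original post or the book. The class names, the `user` and `role` session attributes, the `/login` path, the view location and the action-to-role table are assumptions; a login servlet that sets those session attributes is assumed and not shown.

```java
// Added example; names, paths and session attributes are assumptions.
import java.io.IOException;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

// Intercepting filter: authentication. Map it to the controller's URL pattern,
// not to /login (assumed path), or the redirect below would loop.
class AuthenticationFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create one here
        if (session == null || session.getAttribute("user") == null) {
            // Not authenticated: end the chain so the controller never runs.
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        chain.doFilter(req, res);
    }
}

// Front controller: authorization per action, then dispatch.
class FrontController extends HttpServlet {
    // Hypothetical action-to-role table; unknown actions are denied.
    private static final Map<String, String> REQUIRED_ROLE =
            Map.of("/reports", "manager", "/orders", "clerk");
    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String action = request.getPathInfo();
        String required = (action == null) ? null : REQUIRED_ROLE.get(action);
        if (required == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Re-read the session instead of trusting that the filter ran.
        HttpSession session = request.getSession(false);
        Object role = (session == null) ? null : session.getAttribute("role");
        if (!required.equals(role)) { // authenticated but not permitted
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Safe to concatenate: action matched a key of REQUIRED_ROLE exactly.
        request.getRequestDispatcher("/WEB-INF/views" + action + ".jsp")
               .forward(request, response);
    }
}
```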