Solved

j2ee filters

Posted on 2003-11-03
Last Modified: 2010-04-01
Hi all,

I have a filter that checks if a user is logged in to the system. I am checking for a flag in the session. I tested on individual pages and it works.

My question has to do with the url pattern:

<filter-mapping>
    <filter-name>AccessFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The above says that the filter should filter everything. What would the url pattern be if I want the filter to EXCLUDE welcome.jsp, index.htm?

Thanks.
Al
0
Question by:asprin_nyc
29 Comments
 
LVL 35

Expert Comment

by:TimYates
ID: 9671362
Check in the filter if it is welcome.jsp or index.htm that it's being called with...if so, just chain to the next one...
0
 
LVL 27

Expert Comment

by:rrz
ID: 9671619
I don't think you can exclude anything in the filter.  
You could use  
String referer = request.getHeader("Referer");
and test if referer is not  welcome page.
0
 

Author Comment

by:asprin_nyc
ID: 9671636
Tim,

Right now I only have one filter. It is doing something like

            if(!req.getRequestURI().equals("/welcome.jsp"))
            {
                if(flag == null)
                {
                    res.sendRedirect("/welcome.jsp");
                }
                else
                {
                    res.sendRedirect(req.getRequestURI());
                }
            }
            else //xxx
            {
                res.sendRedirect("/welcome.jsp");
            }

So what will happen is that it will go into an infinite loop. If I leave out the xxx else block it only shows a blank page, if I do that it will go into an infinite loop. How should I proceed?

thx
0
 
LVL 35

Expert Comment

by:TimYates
ID: 9671722
           if(!req.getRequestURI().equals("/welcome.jsp"))
            {
                if(flag == null)
                {
                    res.sendRedirect("/welcome.jsp");
                }
                else
                {
                   chain.doFilter( request, response ) ;
                }
            }
            else //xxx
                chain.doFilter( request, response ) ;
0
 
LVL 35

Expert Comment

by:TimYates
ID: 9671730
Assuming that's inside doFilter;

public void doFilter( final ServletRequest request, final ServletResponse response, FilterChain chain )
0
 
LVL 27

Expert Comment

by:rrz
ID: 9671739
I think Tim and I are suggesting the same thing. Something like the following.  

public void doFilter(ServletRequest request,ServletResponse response,FilterChain chain)
                   throws ServletException, IOException {
       HttpServletRequest req =  (HttpServletRequest)request;
       String referer = req.getHeader("Referer");
       if(!referer.equals("welcome.jsp") && !referer.equals("index.jsp")){
                // do your filtering here
       }else{chain.doFilter(req,response);}
}
0
 
LVL 35

Expert Comment

by:TimYates
ID: 9671750
> I think Tim and I are suggesting the same thing

Yup :-)
0
 
LVL 27

Expert Comment

by:rrz
ID: 9671793
I guess Tim has the better method (using getRequestURI()).
But you will have to cast type as I posted.
0
 

Author Comment

by:asprin_nyc
ID: 9672144
Tim,

I did as suggested but when you do chain.doFilter, the filter is getting called several times. welcome.jsp has the username/password boxes and those get passed to a servlet to do the login which will set the flag in the session. chain.doFilter is calling the filter several times, as a result the parameters are no longer there.

thx
0
 
LVL 27

Expert Comment

by:rrz
ID: 9672834
Please try this  
public void doFilter(ServletRequest request,ServletResponse response,FilterChain chain)
                   throws ServletException, IOException {
       HttpServletRequest req =  (HttpServletRequest)request;
       String referer = req.getHeader("Referer");
       String uri = req.getRequestURI();
       if(!referer.equals("welcome.jsp") || !uri.equals("/welcome.jsp")){
              if(flag == null)
                             {
                              response.sendRedirect("/welcome.jsp");
                             }
                else
                    {
                      chain.doFilter( request, response ) ;
                    }    
       }else{chain.doFilter(req,response);}
}

But maybe you should look at what kennethxu suggests.  
http://www.experts-exchange.com/Web/Web_Languages/JSP/Q_20397409.html
0
 
LVL 27

Expert Comment

by:rrz
ID: 9672898
I forgot to cast response.
 
public void doFilter(ServletRequest request,ServletResponse response,FilterChain chain)
                   throws ServletException, IOException {
       HttpServletRequest req =  (HttpServletRequest)request;
       HttpServletResponse resp = (HttpServletResponse)response;
       String referer = req.getHeader("Referer");
       String uri = req.getRequestURI();
       if(!referer.equals("welcome.jsp") || !uri.equals("/welcome.jsp")){
              if(flag == null)
                             {
                              resp.sendRedirect("/welcome.jsp");
                             }
                else
                    {
                      chain.doFilter( request, response ) ;
                    }    
       }else{chain.doFilter(req,resp);}
}

But maybe you should look at what kennethxu suggests.  
http://www.experts-exchange.com/Web/Web_Languages/JSP/Q_20397409.html
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 9673048
try out this:
           if(!req.getServletPath().startsWith("/welcome.jsp"))
            {
                if(flag == null)
                {
                    res.sendRedirect( res.encodeRedirectURL( req.getContextPath() + "/welcome.jsp") );
                }
                else
                {
                   chain.doFilter( request, response ) ;
                }
            }
            else //xxx
                chain.doFilter( request, response ) ;
0
 
LVL 27

Expert Comment

by:rrz
ID: 9673206
One more try, with Tim's and kenneth's suggestions.
 
public void doFilter(ServletRequest request,ServletResponse response,FilterChain chain)
                   throws ServletException, IOException {
       HttpServletRequest req =  (HttpServletRequest)request;
       HttpServletResponse resp = (HttpServletResponse)response;
       String referer = req.getHeader("Referer");
       String uri = req.getRequestURI();
       StringBuffer url = req.getRequestURL();
       String contextURL = url.substring(0,url.lastIndexOf(req.getServletPath()));
       if(!referer.equals(contextURL + "/welcome.jsp") || !uri.equals("/welcome.jsp")){
              if(flag == null)
                             {
                              resp.sendRedirect( resp.encodeRedirectURL( req.getContextPath()
                                                                        + "/welcome.jsp"));
                             }
                else
                    {
                      chain.doFilter( request, response ) ;
                    }    
       }else{chain.doFilter(req,resp);}
}
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 9673732
rrz, I could be wrong but here are my 2 cents:
The referer in the HTTP header is the full URL, including protocol and server name. It can never equal contextURL + "/welcome.jsp".
And when you use the referer, you mean any page that is linked (referred) from welcome.jsp can bypass the security check. Further, I can create a welcome.jsp page on my server and embed links to asprin_nyc's server, so I can bypass the security check.
I think the referer header is added by the client browser and should never be trusted, especially for security purposes.
0
 

Author Comment

by:asprin_nyc
ID: 9673757
kenneth,

thx for the input I will try your suggestion in a few.
Will let you all know the outcome.

thx.
Al
0
 
LVL 27

Expert Comment

by:rrz
ID: 9674587
Thanks kenneth, maybe that is a dumb idea.    

> the filter is getting called several times. welcome.jsp has the username/password boxes and those get passed to a servlet to do the login which will set the flag in the session.      
So, we will have to exclude the login servlet as well.  

public void doFilter(ServletRequest request,ServletResponse response,FilterChain chain)
                   throws ServletException, IOException {
       HttpServletRequest req =  (HttpServletRequest)request;
       HttpServletResponse resp = (HttpServletResponse)response;
       if(!req.getServletPath().startsWith("/welcome.jsp")
          || !req.getServletPath().startsWith("/LoginServlet")){
              if(flag == null){
                              resp.sendRedirect( resp.encodeRedirectURL( req.getContextPath()
                                                                        + "/welcome.jsp"));
              }
                else
                    {
                      chain.doFilter( req, resp ) ;
                    }    
       }else{chain.doFilter(req,resp);}
}
0
 
LVL 27

Expert Comment

by:rrz
ID: 9674630
Of course you could move login and flag setting into your filter and forget about the servlet.
0
 
LVL 27

Expert Comment

by:rrz
ID: 9674813
or let your filter call a login bean.
0
 
LVL 27

Expert Comment

by:rrz
ID: 9675102
One more idea.   You could use  

<filter-mapping>
    <filter-name>AccessFilter</filter-name>
    <url-pattern>filters/secure/*</url-pattern>
</filter-mapping>

then you could put your LoginServlet and welcome index page inside the filters folder.
0
 
LVL 27

Expert Comment

by:rrz
ID: 9675115
oops that should be  
  <url-pattern>/filters/secure/*</url-pattern>
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 9675497
>> So, we will have to exclude the login servlet as well
Good catch!
0
 
LVL 27

Expert Comment

by:rrz
ID: 9675591
thanks kenneth, but I really think my last post is the solution.    
0
 

Author Comment

by:asprin_nyc
ID: 9731669
rrz & kenneth,

I apologize for the delay. I was out for a few days.
In any case I tried your suggestion but when

resp.sendRedirect( resp.encodeRedirectURL( req.getContextPath()
                                                                        + "/welcome.jsp"));

executes it brings me back to the same filter. Which means infinite loop.

rrz, I am trying to avoid moving things to a different folder.

thx.
Al
0
 
LVL 27

Expert Comment

by:rrz
ID: 9732005
Please show us your filter code.
0
 

Author Comment

by:asprin_nyc
ID: 9732604
rrz,


public void doFilter(ServletRequest request,ServletResponse response,
                     FilterChain chain)
            throws java.io.IOException, ServletException
    {
        HttpServletResponse res = (HttpServletResponse)response;
        HttpServletRequest req = (HttpServletRequest)request;

        String flag = null;
        HttpSession session = req.getSession();

        if(session.getAttribute(ApplicationConstants.FLAG)!=null)
        {
            flag = (String)session.getAttribute(ApplicationConstants.FLAG);
        }

        if(!req.getServletPath().startsWith("/welcome.jsp")
           || !req.getServletPath().startsWith("/login.action"))
        {
            if(flag == null)
            {
                res.sendRedirect( res.encodeRedirectURL( req.getContextPath() +
                        "/welcome.jsp"));
            }
            else
            {
                chain.doFilter( req, res ) ;
            }
        }
        else
        {
            chain.doFilter(req,res);
        }
}

thx.
Al
0
 
LVL 27

Expert Comment

by:rrz
ID: 9732796
>("/login.action")  
Does that map to your servlet?  
Did you  try  ?
 !req.getServletPath().startsWith("/login"))  
Maybe you should show us your servlet and servlet mapping elements in your web.xml.
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 9732864
It is because you didn't set the flag.
Try out the code below and make sure:
1. you set the flag in login.action
2. there are no image/css/js file links in the welcome.jsp page, because those links will invoke this filter too!

public void doFilter(ServletRequest request,ServletResponse response,
                     FilterChain chain)
            throws java.io.IOException, ServletException
    {
        HttpServletResponse res = (HttpServletResponse)response;
        HttpServletRequest req = (HttpServletRequest)request;

        String flag = null;
        HttpSession session = req.getSession();

        if(session.getAttribute(ApplicationConstants.FLAG)!=null)
        {
            flag = (String)session.getAttribute(ApplicationConstants.FLAG);
        }

        if(!req.getServletPath().startsWith("/welcome.jsp")
           || !req.getServletPath().startsWith("/login.action"))
        {
            if(flag == null)
            {
                res.sendRedirect( res.encodeRedirectURL( req.getContextPath() +
                        "/welcome.jsp"));
            }
            else
            {
                chain.doFilter( req, res ) ;
            }
        }
        else
        {
            res.sendRedirect( res.encodeRedirectURL( req.getContextPath() +
                        "/login.action"));
        }
}
0
 
LVL 14

Accepted Solution

by:
kennethxu earned 50 total points
ID: 9732925
sorry, forget about my previously posted code. use this code:

public void doFilter(ServletRequest request,ServletResponse response, FilterChain chain)
        throws java.io.IOException, ServletException
{
        HttpServletResponse res = (HttpServletResponse)response;
        HttpServletRequest req = (HttpServletRequest)request;

        HttpSession session = req.getSession();
        String flag = (String)session.getAttribute(ApplicationConstants.FLAG);

        if(flag != null || req.getServletPath().startsWith("/welcome.jsp") || req.getServletPath().startsWith("/login.action") )
        {
            chain.doFilter( req, res ) ;
        }
        else
        {
            res.sendRedirect( res.encodeRedirectURL( req.getContextPath() + "/welcome.jsp" ) );
        }
}
0
 

Author Comment

by:asprin_nyc
ID: 9733637
All,

I just changed

if( !req.getServletPath().startsWith("/welcome.jsp")
           && !req.getServletPath().startsWith("/login.action"))

it should be &&

thx.
Al
0
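
The conditions tried in this thread, compared side by side as an added example (not code from any poster): the `||` test that caused the redirect loop, a simplified Referer-based exemption, and the corrected test on session flag plus exempt servlet path. The `Req` record, the rule names, the sample requests and the `app.example` / `other.example` hosts are constructed for illustration; it runs with `java AccessDecision.java` on Java 16 or later, without a servlet container.

```java
import java.util.List;
import java.util.Set;

public class AccessDecision {
    // Constructed request model: servlet path, Referer header, login flag in session.
    record Req(String path, String referer, boolean loggedIn) {}

    static final Set<String> PUBLIC_PATHS = Set.of("/welcome.jsp", "/login.action");

    // Pre-fix condition from the thread: "!A || !B" is true for every path, because
    // no path starts with both prefixes, so /welcome.jsp redirects to itself.
    static String orRule(Req r) {
        boolean guarded = !r.path().startsWith("/welcome.jsp")
                || !r.path().startsWith("/login.action");
        return (!guarded || r.loggedIn()) ? "CHAIN" : "REDIRECT";
    }

    // Simplified model of a Referer-based exemption: the header is supplied by the
    // client, so it says nothing about whether the caller has logged in.
    static String refererRule(Req r) {
        boolean fromWelcome = r.referer() != null && r.referer().endsWith("/welcome.jsp");
        return (fromWelcome || r.loggedIn() || PUBLIC_PATHS.contains(r.path()))
                ? "CHAIN" : "REDIRECT";
    }

    // Corrected condition: session flag or an exempt servlet path; Referer is ignored.
    // Exact matching (instead of startsWith) is a choice made for this example.
    static String fixedRule(Req r) {
        return (r.loggedIn() || PUBLIC_PATHS.contains(r.path())) ? "CHAIN" : "REDIRECT";
    }

    public static void main(String[] args) {
        List<Req> samples = List.of(   // constructed sample requests
                new Req("/welcome.jsp", null, false),
                new Req("/login.action", "http://app.example/welcome.jsp", false),
                new Req("/account.jsp", null, false),
                new Req("/account.jsp", "http://other.example/welcome.jsp", false),
                new Req("/account.jsp", null, true));
        System.out.printf("%-14s %-33s %-6s %-9s %-9s %s%n",
                "path", "referer", "flag", "or-rule", "referer", "fixed");
        for (Req r : samples) {
            System.out.printf("%-14s %-33s %-6s %-9s %-9s %s%n", r.path(), r.referer(),
                    r.loggedIn(), orRule(r), refererRule(r), fixedRule(r));
        }
    }
}
```

Any image, CSS or script path that welcome.jsp links to would need to be added to `PUBLIC_PATHS` as well, since a `/*` mapping sends those requests through the same filter.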

Question has a verified solution.
