tomcat-users mailing list archives

From Richard Troy <>
Subject RE: blocking access using filter (fwd)
Date Thu, 15 Nov 2001 20:00:51 GMT
Date: Thu, 18 Oct 2001 11:58:34 +0200
From: Taavi Tiirik <>
Subject: RE: blocking access using filter

Thanks, Craig!

> > 1. If user is not logged in or if the session has
> > timed out then it should open login page and after
> > successful login it should try to access the very
> > same request (ie. the same document).

> I don't quite see why you need to modify the standard
> form-based login mechanisms, either.  Can't you just use
> the standard form based login for triggering authentication?

No, I did not want to modify the standard login mechanism by
any means :-). I simply had this (wrong) impression that
filters get called before checking security constraints.
How stupid of me :-). Creating a security constraint like
you suggested covered the first step and now I have this
filter purring like a kitten.

Just in case anybody is interested... this is what I did.
doFilter looks like this:

public void doFilter (
	ServletRequest request,
	ServletResponse response,
	FilterChain chain )
throws IOException, ServletException
{
	HttpServletRequest httpRequest = null;
	HttpServletResponse httpResponse = null;

	if( request instanceof HttpServletRequest )
		httpRequest = (HttpServletRequest)request;

	if( response instanceof HttpServletResponse )
		httpResponse = (HttpServletResponse)response;

	// Is this really necessary? Could it be that requests
	// other than HttpServletRequest are passed to
	// this filter? Can they be harmful by any means?
	// Or should I let them through?
	// (The null check has to come before getRemoteUser() is
	// called, otherwise a non-HTTP request throws a
	// NullPointerException here.)
	if( httpRequest == null || httpResponse == null ){
		if( httpResponse != null )
			httpResponse.sendError( HttpServletResponse.SC_NOT_FOUND );
		return;
	}

	boolean authorized = false;
	String user = httpRequest.getRemoteUser();
	String requestURI = httpRequest.getRequestURI();

	// No authenticated user: the security constraint should
	// have forced a login before we got here.
	if( user == null ){
		httpResponse.sendError( HttpServletResponse.SC_NOT_FOUND );
		return;
	}

	try {
		// At this point we have user name in 'user' and request
		// in 'requestURI'. Make sure that this user has rights
		// get this document and set authorized to true, if
		// (s)he has.
		// hasAccessTo() is a hypothetical helper standing in for
		// the site-specific check the original post elides
		// ("authorized = ...").
		authorized = hasAccessTo( user, requestURI );

	} catch( Exception e ){
		// Any failure in the check leaves 'authorized' false
		// (deny by default).
	}

	if( !authorized ){
		httpResponse.sendError( HttpServletResponse.SC_NOT_FOUND );
		return;
	}

	// Pass control on to the next filter
	chain.doFilter( request, response );
}

with best wishes,
