Reputation: 439
On my web application, I have 3 main sections: 1. customer 2. supplier 3. administrator
I am using a Java session filter to check for the user session and allow access to a specific part of the website. Hence customers have access only to the customer section, suppliers have access to the supplier section and the administrator has access to the admin section.
The session filter for customers is already implemented and it works fine. It checks for customer authentication and gives access to the customer subfolder, where I have a few JSPs.
If I wanted filters to check for supplier and admin section auth and allow them access based upon their user level, do I need to create 2 more filters, admin and supplier?
Currently, here is my implementation for the customer:
package controller;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionFilter implements Filter {
    private FilterConfig config;

    /** Creates new SessionFilter */
    public SessionFilter() {
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("Instance created of " + getClass().getName());
        // The avoid-urls init-param declared in web.xml is not read here.
        this.config = filterConfig;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // getSession() creates a new session if the request has none yet
        HttpSession session = ((HttpServletRequest) request).getSession();
        ServletContext context = config.getServletContext();
        // use the ServletContext.log method to log filter messages
        context.log("doFilter called in: " + config.getFilterName() + " on "
                + (new java.util.Date()));
        // log the session ID
        context.log("session ID: " + session.getId());
        // Find out whether the logged-in session attribute is set.
        // This only checks that someone is logged in ("users" is present),
        // not which role that user holds.
        Object u = session.getAttribute("users");
        if (u != null) {
            chain.doFilter(request, response);
        } else {
            // request.getRequestDispatcher("../index.jsp").forward(request, response);
            ((HttpServletResponse) response).sendRedirect(
                    ((HttpServletResponse) response).encodeRedirectURL("../index.jsp?error=userpriv"));
        }
    }

    public void destroy() {
    }
}
Here is my web.xml:
<filter>
    <filter-name>SessionFilter</filter-name>
    <filter-class>controller.SessionFilter</filter-class>
    <init-param>
        <param-name>avoid-urls</param-name>
        <param-value>index.jsp</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SessionFilter</filter-name>
    <url-pattern>/users/*</url-pattern>
</filter-mapping>
Upvotes: 2
Views: 7021
Reputation: 15446
Why don't you use Servlet authentication? You just have to define roles and map them to the URLs using the <security-constraint> tag.
Here is a sample which shows how to define them:
Security Constraint For Customers
<security-constraint>
    <web-resource-collection>
        <web-resource-name>User Restriction</web-resource-name>
        <url-pattern>/customers/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>customer</role-name>
    </auth-constraint>
</security-constraint>
Security Constraint For Suppliers
<security-constraint>
    <web-resource-collection>
        <web-resource-name>User Restriction</web-resource-name>
        <url-pattern>/suppliers/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>supplier</role-name>
    </auth-constraint>
</security-constraint>
Security Constraint For Admin
<security-constraint>
    <web-resource-collection>
        <web-resource-name>User Restriction</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>administrator</role-name>
    </auth-constraint>
</security-constraint>
Upvotes: 3
Reputation: 1646
I am sure you can find a way to implement everything in the same filter, but if you want to follow the "single responsibility principle" it is better to have one class per role. Maybe in the future you will have to do specific handling for each user type, so it will be better to have specialized filters.
In case you really need to have only one filter, you can follow this thread:
Writing an authorization filter for my web app(JSF 2.0)
Upvotes: 0
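For the single-filter route the second answer mentions, here is an added example that is neither the asker's code nor taken from the linked thread: one filter mapped to /* that decides the required role from the path prefix instead of one filter per role. It assumes, hypothetically, that the login code stores the user's role as a String in the session attribute "role" with one of the values "customer", "supplier" or "administrator", and it uses the /customers, /suppliers and /admin prefixes from the first answer rather than the /users folder in the question.

```java
package controller;

import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: one authorization filter for all three areas, mapped to /* in web.xml.
 * Assumption (not from the original page): the login code stores the user's role in the
 * session attribute "role" as "customer", "supplier" or "administrator".
 */
public class RoleFilter implements Filter {

    /** Path prefix inside the context root -> role required to enter it. */
    private static final Map<String, String> REQUIRED_ROLE = new LinkedHashMap<String, String>();
    static {
        REQUIRED_ROLE.put("/customers", "customer");
        REQUIRED_ROLE.put("/suppliers", "supplier");
        REQUIRED_ROLE.put("/admin", "administrator");
    }

    private FilterConfig config;

    @Override
    public void init(FilterConfig filterConfig) {
        this.config = filterConfig;
    }

    /**
     * Role needed for a context-relative path, or null when the path is public.
     * "/admin" and "/admin/..." match; "/administration" does not.
     */
    static String requiredRole(String path) {
        for (Map.Entry<String, String> e : REQUIRED_ROLE.entrySet()) {
            String prefix = e.getKey();
            if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                return e.getValue();
            }
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // servletPath + pathInfo is decoded and normalised by the container, unlike
        // getRequestURI(), so an encoded "%2e%2e" segment cannot slip past the prefix check.
        String path = req.getServletPath();
        if (req.getPathInfo() != null) {
            path += req.getPathInfo();
        }

        String needed = requiredRole(path);
        if (needed == null) {
            chain.doFilter(request, response);   // public resource, e.g. /index.jsp
            return;
        }

        // getSession(false): do not create a session just to learn that the user is anonymous.
        HttpSession session = req.getSession(false);
        Object role = (session == null) ? null : session.getAttribute("role");

        if (role == null) {
            // Not logged in: context-relative absolute URL, so it works from any folder depth.
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/index.jsp?error=userpriv"));
        } else if (needed.equals(role)) {
            chain.doFilter(request, response);   // logged in and holding the right role
        } else {
            // Logged in under another role: refuse outright instead of forwarding elsewhere.
            config.getServletContext().log("role '" + role + "' denied for " + path);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    @Override
    public void destroy() {
    }
}
```

Map it with a single <filter-mapping> whose <url-pattern> is /*, so a section added later cannot be left without a mapping; the filter works out per request which prefix, if any, applies. Keep /index.jsp outside every prefix or the redirect loops. The check is on the role, not merely on the presence of a logged-in user, which is what separates authorization from the authentication-only check in the question's filter; requiredRole is a static pure function so the prefix table can be unit-tested without a servlet container.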