Login filter java servlet
I have a simple implementation of a login filter.
    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class LoginFilter implements Filter {
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            // Do not create a session just to check for a login.
            HttpSession session = request.getSession(false);
            if (session == null || session.getAttribute("loggedinuser") == null) {
                // Guest: send to the login page.
                response.sendRedirect(request.getContextPath() + "/login.jsp");
            } else {
                chain.doFilter(request, response);
            }
        }

        @Override
        public void destroy() {}
    }
When I go to a registered page (i.e. /account?id=1) without the session attribute loggedinuser, the filter works fine. It redirects me to the login page. But if I go to a non-existent page (i.e. /blablabla.html), the filter redirects me to the login page again. Is there a method to get a 404 error on entering non-existent pages and a redirect to /login on existing ones?
The bug is in the requirement: you filter requests to deny access to guests, but you still want the request to be processed if it's a 404. This is conceptually wrong: a 404 is still an applicative response, in the sense that it gives the user a view of the internals of the system - the user must be authorized before knowing what is or is not there.
Another option is splitting the app into a public and a private zone:
- /public/style.css
- /public/app.js
- ...
- /private/customer/123
- /private/oder/8932
- ...
and filter requests in the private zone.
Note: if you are concerned about the beauty of the URL, consider that the /private/ prefix is not a requirement. The filter can be attached in such a way that the prefix can be omitted.
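One way to attach the filter so that the /private/ prefix can be omitted, as an added example that is not code from the question or the answer: map the filter to every request and allowlist only the public zone, so guests get the same redirect for existing and non-existent private paths. The class name ZoneLoginFilter, the constants, and the use of the Servlet 3.0+ @WebFilter annotation with the javax.servlet namespace are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Assumed mapping: the filter sees every request; anything not explicitly
// public is treated as private, so no /private/ prefix is needed.
@WebFilter("/*")
public class ZoneLoginFilter implements Filter {

    private static final String PUBLIC_PREFIX = "/public/"; // public zone from the answer
    private static final String LOGIN_PAGE = "/login.jsp";   // must stay reachable for guests

    // True when the path needs no login. The login form's submit URL
    // would have to be added here as well.
    static boolean isPublic(String path) {
        return path.equals(LOGIN_PAGE) || path.startsWith(PUBLIC_PREFIX);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Match on the container's decoded view of the path; getRequestURI()
        // is the raw, undecoded value and is easier to get wrong in a prefix check.
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);

        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("loggedinuser") != null;

        if (loggedIn || isPublic(path)) {
            // Public files and logged-in users reach the application, 404s included.
            chain.doFilter(request, response);
        } else {
            // Guests learn nothing about which private paths exist.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }

    @Override
    public void destroy() {}
}
```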