>>
>> > The scenario I'm working on is a web service.  The web service has
>> > three filters, in order they are:  throttle filter, authentication
>> > filter, logging filter.
>> >
>> > If a user is not authenticated, the following code "should" break
>> > out of the filter chain and redirect the user to a custom 403.  It
>> > works nice on Tomcat.
>> >
>> > HttpServletResponse httpResponse = (HttpServletResponse) response;
>> > httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
>> > return;
>> >
>> > What I'm seeing on other containers is that I get a NPE where the
>> > Service class is trying to do something with the authenticated
>> > user, which is null. I realize this is not an "other containers"
>> > forum, but I was just curious what the expected behaviour *should*
>> > be.
>>
>> If you have other stuff going on -- like custom error pages -- you
>> might find that more of your own code is running than you expect. See
>> Konstantin's response. It's terse, but I think he's likely getting to
>> the root of your problem.
>>
>> -chris
>>
>
> Gentlemen,
>
> Thank you for the assistance.
>
> I still don't know what was causing my issue on said other container with
> respect to sendError and custom error-page elements, but...
>
> This works fine and was really what I was after, a simple custom 403
> message, no html:
>
>     public void doFilter(ServletRequest request, ServletResponse response,
>             FilterChain chain) throws IOException, ServletException
>     {
>         boolean iAmNotAuthorized = true;
>
>         if (iAmNotAuthorized)
>         {
>             // generate the HTTP Servlet Response for a 403 status code
>             HttpServletResponse httpResponse = (HttpServletResponse) response;
>             //httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
>             httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
>             httpResponse.setHeader("WWW-Authenticate", "Basic");

The "WWW-Authenticate" header is usually used with a 401 response.

It is unusual to use it with a 403 one, though the spec does not forbid
it. (I am not sure how browsers react here, though.)

http://tools.ietf.org/html/rfc7235#section-4.1

>             httpResponse.getOutputStream().print("blah, blah, blah");
>
>             // return from the doFilter method
>             return;
>         }
>
>         chain.doFilter(request, response);
>
>     }
>

Best regards,
Konstantin Kolinko
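
The 401/403 distinction and the setStatus approach discussed in this thread, as an added example that is not code from the thread or from the Tomcat project. It assumes the caller's identity is available through `getUserPrincipal()`; the class name, role name and realm are placeholders.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AccessFilter implements Filter {
    // Assumptions for this example: placeholder role name and realm.
    private static final String REQUIRED_ROLE = "service-user";
    private static final String CHALLENGE = "Basic realm=\"example\"";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        if (req.getUserPrincipal() == null) {
            // No identity yet: 401 carries the WWW-Authenticate challenge (RFC 7235).
            res.setHeader("WWW-Authenticate", CHALLENGE);
            reject(res, HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
            return; // chain.doFilter is not called, so no servlet sees a null user
        }
        if (!req.isUserInRole(REQUIRED_ROLE)) {
            // Identity known but not permitted: 403, with no challenge header.
            reject(res, HttpServletResponse.SC_FORBIDDEN, "Access denied");
            return;
        }
        chain.doFilter(request, response);
    }

    // setStatus does not trigger the container's error-page mechanism; sendError does.
    private static void reject(HttpServletResponse res, int status, String message) throws IOException {
        res.setStatus(status);
        res.setContentType("text/plain");
        res.setCharacterEncoding("UTF-8");
        res.setHeader("Cache-Control", "no-store");
        res.getWriter().print(message);
    }
}
```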
