On Fri, Jun 26, 2015 at 11:09 AM, Christopher Schultz < ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Leo,
>
> > If I use a return statement to break out of a filter, what should
> > happen? Will the next filter run?
>
> No. The Filter is responsible for calling the next filter in the
> chain. If you don't, the target servlet will never be called.
>
> > Shouldn't a return statement in a filter, especially one that
> > comes right after a sendError call, send the error and direct the
> > user to the page configured for such errors?
>
> Yes.
>
> > The scenario I'm working on is a web service. The web service has
> > three filters, in order they are: throttle filter, authentication
> > filter, logging filter.
> >
> > If a user is not authenticated, the following code "should" break
> > out of the filter chain and redirect the user to a custom 403. It
> > works nice on Tomcat.
> >
> > HttpServletResponse httpResponse = (HttpServletResponse) response;
> >
> > httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
> >
> > return;
> >
> > What I'm seeing on other containers is that I get a NPE where the
> > Service class is trying to do something with the authenticated
> > user, which is null. I realize this is not an "other containers"
> > forum, but I was just curious what the expected behaviour *should*
> > be.
>
> If you have other stuff going on -- like custom error pages -- you
> might find that more of your own code is running than you expect. See
> Konstantin's response. It's terse, but I think he's likely getting to
> the root of your problem.
>
> - -chris
>

Gentlemen,

Thank you for the assistance. I still don't know what was causing my issue on said other container with respect to sendError and custom error-page elements, but...
This works fine and was really what I was after, a simple custom 403 message, no html:

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        boolean iAmNotAuthorized = true;

        if (iAmNotAuthorized) {
            // generate the HTTP Servlet Response for a 403 status code
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            //httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            httpResponse.setHeader("WWW-Authenticate", "Basic");
            httpResponse.getOutputStream().print("blah, blah, blah");

            // return from the doFilter method
            return;
        }

        chain.doFilter(request, response);
    }

leo
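
Added example, not code from this thread or from any poster: a complete authentication filter that fails closed in the way discussed above, writing the 403 itself, committing it, and returning without calling chain.doFilter(), with a pass-through for the container's error-page dispatch. It assumes the javax.servlet 3.0+ API; the class name, USER_ATTR and authenticate() are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (assumes javax.servlet 3.0+); names are hypothetical.
public class AuthFilter implements Filter {
    // Hypothetical attribute from which downstream code reads the user.
    static final String USER_ATTR = "example.authenticatedUser";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // If this filter is also mapped for ERROR dispatches, the container's
        // forward to a configured <error-page> re-enters it. Let that dispatch
        // through so the error page can render; it is not the protected target.
        if (request.getDispatcherType() == DispatcherType.ERROR) {
            chain.doFilter(req, res);
            return;
        }

        Object user = authenticate(request);
        if (user == null) {
            // Fail closed: write the complete response here instead of
            // relying on sendError() and container error-page handling.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType("text/plain");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().print("Forbidden");
            response.flushBuffer(); // commit so nothing later can rewrite it
            return;                 // chain.doFilter() is never reached
        }

        // Only authenticated requests reach later filters and the service.
        request.setAttribute(USER_ATTR, user);
        chain.doFilter(req, res);
    }

    // Placeholder check; a real filter would validate credentials here.
    private Object authenticate(HttpServletRequest request) {
        return request.getUserPrincipal();
    }
}
```

Because the user is attached only on the authenticated path, a service that finds USER_ATTR missing knows it was reached by a route that bypassed this filter and can reject the request instead of dereferencing null.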