Friday, September 21, 2007

Java Filters and Struts

As Java developers, we all know that filters are very useful in development. If you look at Struts 2, you may have noticed that it uses filters extensively. In fact, unlike Struts 1.x, which uses a controller servlet (ActionServlet), Struts 2 uses a servlet filter.

Recently I had to use a filter in an application based on Struts 1.x and Spring to restrict access to some JSPs if a user tries to access them directly by typing in Resourcepath/xxx.jsp. I would like to share how I did it, in case you ever need to do that.
Let's assume you have a bunch of JSPs in a folder called "restrict" and you want to restrict access to those JSPs if a user tries to get them by typing the path and jspname.jsp into the address bar of a browser. To do that:

1. Add a filter declaration in your web.xml as follows:
<filter>
    <filter-name>restrictAccessFilter</filter-name>
    <filter-class>com.srini.test.web.filter.RestrictAccessFilter</filter-class>
</filter>

2. Next, add the following to create the mapping in web.xml:
<filter-mapping>
    <filter-name>restrictAccessFilter</filter-name>
    <url-pattern>/restrict/*</url-pattern>
</filter-mapping>



3. The final step is actually creating the filter:

package com.srini.test.web.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;

public class RestrictAccessFilter implements Filter {

    private Logger log = Logger.getLogger(this.getClass());

    public void init(FilterConfig filterConfig) throws ServletException {
        log.info("RestrictAccessFilter.init(): " + filterConfig.getFilterName());
    }

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain filterChain) throws IOException, ServletException {
        if (log.isDebugEnabled()) {
            log.debug("RestrictAccessFilter.doFilter():");
        }

        // Every HTTP request that reaches this filter matched /restrict/*,
        // so reject it with 403 and do not continue down the chain.
        if (req instanceof HttpServletRequest) {
            HttpServletResponse response = (HttpServletResponse) res;
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Non-HTTP requests are passed through unchanged.
        filterChain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}

You can use other status constants instead of SC_FORBIDDEN; take a look at the HttpServletResponse API documentation: http://java.sun.com/j2ee/sdk_1.2.1/techdocs/api/javax/servlet/http/HttpServletResponse.html

You are done. If someone tries to access /restrict/secret.jsp, the filter intercepts the request and sends HTTP 403.
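
An added example, not part of the original post: the mapping from step 2 with its dispatcher type written out, next to a variant that would break the application. It assumes a Servlet 2.4 or later web.xml, where a mapping without a <dispatcher> element applies to REQUEST only; that default is why a Struts action can still forward to a JSP under /restrict/ while a URL typed into the browser gets 403.

```xml
<!-- Added example; assumes a Servlet 2.4+ deployment descriptor. -->

<!-- Same behaviour as the mapping in step 2, made explicit:
     the filter runs only for requests that come straight from the client. -->
<filter-mapping>
    <filter-name>restrictAccessFilter</filter-name>
    <url-pattern>/restrict/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<!-- Variant to avoid with RestrictAccessFilter, shown commented out.
     The filter answers 403 unconditionally, so adding FORWARD or INCLUDE
     would also block the server-side forwards and includes that are the
     only legitimate way to reach these JSPs.
<filter-mapping>
    <filter-name>restrictAccessFilter</filter-name>
    <url-pattern>/restrict/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
</filter-mapping>
-->
```

Writing the dispatcher out keeps the access rule visible to whoever edits web.xml later, instead of relying on the container default.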
