
Recipe 19.6 Optionally Blocking a Request with a Filter


You want the option to block a request with a filter.


Do not call the FilterChain object's doFilter( ) method inside of the filter. Output the response to the client inside of the filter's doFilter( ) method instead.


A filter blocks a request from getting to a web component, such as a servlet, JSP, or HTML page, by never calling FilterChain.doFilter( ) inside the filter's own doFilter( ) method.

The BlockFilter class in Example 19-8 attempts to authenticate the user based on a request parameter. If the authentication fails, the filter uses the response object to output a response to the client, and the request is effectively blocked from reaching the requested servlet. A filter can output the final response to the client, not just initiate its filtering tasks.

Example 19-8. A filter optionally blocks the request and issues a response itself
package com.jspservletcookbook;

import java.io.PrintWriter;
import java.io.IOException;

import javax.servlet.*;
import javax.servlet.http.*;

public class BlockFilter implements Filter {
    private FilterConfig config;

    /** Creates new BlockFilter */
    public BlockFilter( ) {}

    public void init(FilterConfig filterConfig) throws ServletException {
        this.config = filterConfig;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = null;
        boolean authenticated = false;
        PrintWriter out = null;
        if (request instanceof HttpServletRequest) {
            req = (HttpServletRequest) request;

            String user = req.getParameter("user"); //get the user name

            authenticated = authenticateUser(user); //authenticate the user
        }

        if (authenticated) {
            //they are authenticated, so pass along the request
            chain.doFilter(request, response);
        } else {
            //have the filter send back the response;
            //chain.doFilter( ) is never called, so the request is blocked
            response.setContentType("text/html");
            out = response.getWriter( );
            out.println(
                "<html><head><title>Authentication Response</title>");
            out.println("</head><body>");
            out.println("<h2>Sorry your authentication attempt failed</h2>");
            out.println("</body></html>");
            out.close( );
        }
    }// doFilter

    public void destroy( ) {
        /*called before the Filter instance is removed 
        from service by the web container*/
    }

    private boolean authenticateUser(String userName) {
        //authenticate the user using JNDI and a database, for instance
        //return false for demonstration purposes
        return false;
    }// authenticateUser
}

The code authenticates the user by getting the hypothetical username as a request parameter. The name is the parameter for the filter's authenticateUser( ) method, which returns false to demonstrate the filter's response to the client. The filter uses the PrintWriter from the javax.servlet.ServletResponse object, which is a parameter to the doFilter( ) method. The PrintWriter sends HTML back to the client. Figure 19-1 shows the response output in a web browser.

Figure 19-1. The HTML page returned by a blocking filter
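
A variant of Example 19-8, added here as an illustration and not part of the original recipe: it sends the block page with a 403 status instead of the default 200, and it passes the request along only when a server-side session attribute is present rather than trusting a request parameter. The class name StrictBlockFilter and the session attribute authenticatedUser (assumed to be set by the application's login code) are hypothetical.

```java
package com.jspservletcookbook;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class): a blocking filter that fails closed.
public class StrictBlockFilter implements Filter {

    // Assumed session attribute, set by the application's login code
    private static final String AUTH_ATTR = "authenticatedUser";

    public void init(FilterConfig filterConfig) throws ServletException {}

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // Anything that is not HTTP cannot be authenticated: block it
        if (request instanceof HttpServletRequest
                && isAuthenticated((HttpServletRequest) request)) {
            chain.doFilter(request, response); // the only path to the resource
            return;
        }
        block(response);
    }

    // Trust server-side session state, not a client-supplied parameter
    private boolean isAuthenticated(HttpServletRequest req) {
        HttpSession session = req.getSession(false); // do not create a session
        return session != null && session.getAttribute(AUTH_ATTR) != null;
    }

    private void block(ServletResponse response) throws IOException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse res = (HttpServletResponse) response;
            res.setStatus(HttpServletResponse.SC_FORBIDDEN); // not a 200 OK
            res.setHeader("Cache-Control", "no-store");
        }
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><head><title>Authentication Response</title></head>");
        out.println("<body><h2>Sorry your authentication attempt failed</h2>");
        out.println("</body></html>");
    }

    public void destroy() {}
}
```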

If you regularly use filters to send responses to a client, consider creating a JavaBean to customize the response. Store the bean class in its package beneath WEB-INF/classes, and use the bean inside the filter.

See Also

Recipe 7.9 on using a filter to read request parameter values; Recipe 11.11 on using a filter to monitor session attributes; Recipe 18.3 on using a filter to alter then forward the request; Recipe 19.1-Recipe 19.4 on mapping filters to web components; Recipe 19.5 on configuring init parameters for a filter; Recipe 19.7 on filtering the HTTP response; Recipe 19.8 on using filters with RequestDispatchers; Recipe 19.9 on using filters to check request parameters; Recipe 19.10 on using filters to disallow requests from certain IP addresses.
