How to return HTTP error code from servlet filter?

Question

I have pages in my web application which are accessible only by the administrator. I wrote filter, but I don't understand how to return HTTP error code(403) from the filter if user isn't the admin.

public class AdminFilter implements Filter {
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        String username = servletRequest.getParameter("username");
        String password = servletRequest.getParameter("password");

        UserDao userDaoImpl = new UserDaoImpl();
        if(userDaoImpl.findByUsername(username).getPassword().equals(password)) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            //respond with 403
        }
    }
}

I understand that I can redirect to my custom 403 page but I'm wondering how to return HTTP error code.

Answer 1

You need to cast servletResponse to HttpServletResponse first:

HttpServletResponse response = (HttpServletResponse) servletResponse;

Then use its sendError() method:

response.sendError(HttpServletResponse.SC_FORBIDDEN);

SC_FORBIDDEN stands for code 403.

By the way, you don't redirect to 403 page, you just respond with that status. If you do that, the servlet container will serve a special 403 page to the user. You can configure that page in your web.xml:

<error-page>
    <error-code>403</error-code>
    <location>/error-403.htm</location>
</error-page>

This instructs the container to serve your custom page /error-403.htm when you set 403 status.

If you want a redirect, you could use response.sendRedirect() (it issues a 302 redirect).

Answer 2

I have solved in this way:

((HttpServletResponse) response).setStatus(HttpServletResponse.SC_BAD_REQUEST);
(HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST, "HMAC Failed - X-Authenticated-Id not available");
return;