I have pages in my web application which are accessible only by the administrator. I wrote a filter, but I don't understand how to return an HTTP error code (403) from the filter if the user isn't the admin.
    public class AdminFilter implements Filter {
        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            String username = servletRequest.getParameter("username");
            String password = servletRequest.getParameter("password");
            UserDao userDaoImpl = new UserDaoImpl();
            if (userDaoImpl.findByUsername(username).getPassword().equals(password)) {
                filterChain.doFilter(servletRequest, servletResponse);
            } else {
                //respond with 403
            }
        }
    }
I understand that I can redirect to my custom 403 page but I'm wondering how to return HTTP error code.
Servlet filters are pluggable Java components that we can use to intercept and process requests before they are sent to servlets, and responses after the servlet code has finished and before the container sends the response back to the client.
Servlets are normal Java classes and thus are NOT thread safe.
The filter API is defined by the Filter, FilterChain, and FilterConfig interfaces in the javax.servlet package. You define a filter by implementing the Filter interface. A filter chain, passed to a filter by the container, provides a mechanism for invoking a series of filters.
To set a different HTTP status code from your Servlet, call the following method on the HttpServletResponse object passed in to your server: res.setStatus(nnn); where nnn is a valid HTTP status code.
You need to cast servletResponse to HttpServletResponse first:
    HttpServletResponse response = (HttpServletResponse) servletResponse;
Then use its sendError() method:
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
SC_FORBIDDEN stands for code 403.
By the way, you don't redirect to a 403 page, you just respond with that status. If you do that, the servlet container will serve a special 403 page to the user. You can configure that page in your web.xml:
    <error-page>
        <error-code>403</error-code>
        <location>/error-403.htm</location>
    </error-page>
This instructs the container to serve your custom page /error-403.htm when you set 403 status.
If you want a redirect, you could use response.sendRedirect() (it issues a 302 redirect).
I solved it this way:
    ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_BAD_REQUEST);
    ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST, "HMAC Failed - X-Authenticated-Id not available");
    return;