Developing servlet filters for form login processing
You can control the look and feel of the login screen using the form-based login mechanism. In form-based login, you specify a login page that is used to retrieve the user ID and password information. You also can specify an error page that displays when authentication fails.
About this task
If additional authentication or additional processing is required before and after authentication, servlet filters are an option. Servlet filters can dynamically intercept requests and responses to transform or to use the information that is contained in the requests or responses. One or more servlet filters can be attached to a servlet or to a group of servlets. Servlet filters also can attach to JavaServer Pages (JSP) files and HTML pages. All of the attached servlet filters are called before the servlet is invoked.
Both form-based login and servlet filters are supported by any servlet Version 2.3 specification-complaint web container. The form login servlet performs the authentication and servlet filters perform additional authentication, auditing, or logging information.
To perform pre-login and post-login actions using servlet filters, configure these filters for either form login page support or for the /j_security_check URL. The j_security_check is posted by a form login page with the j_username parameter that contains the user name and the j_password parameter that contains the password. A servlet filter can use the user name parameter and password information to perform more authentication or other special needs.
Procedure
Example
This login filter can map to the /j_security_check URL to perform pre-login and post-login actions.
import javax.servlet.*;
public class LoginFilter implements Filter {
protected FilterConfig filterConfig;
// Called once when this filter is instantiated.
// If mapped to j_security_check, called
// very first time j_security_check is invoked.
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}
public void destroy() {
this.filterConfig = null;
}
// Called for every request that is mapped to this filter.
// If mapped to j_security_check,
// called for every j_security_check action
public void doFilter(ServletRequest request,
ServletResponse response, FilterChain chain)
throws java.io.IOException, ServletException {
// perform pre-login action here
chain.doFilter(request, response);
// calls the next filter in chain.
// j_security_check if this filter is
// mapped to j_security_check.
// perform post-login action here.
}
}
Using servlet filters to perform pre-login
and post-login processing during form loginThis example illustrates one way that the servlet filters can perform pre-login and post-login processing during form login.
Servlet filter source code: LoginFilter.java
/**
* A servlet filter example: This example filters j_security_check and
* performs pre-login action to determine if the user trying to log in
* is in the revoked list. If the user is on the revoked list, an error is
* sent back to the browser.
*
* This filter reads the revoked list file name from the FilterConfig
* passed in the init() method. It reads the revoked user list file and
* creates a revokedUsers list.
*
* When the doFilter method is called, the user logging in is checked
* to make sure that the user is not on the revoked Users list.
*
*/
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class LoginFilter implements Filter {
protected FilterConfig filterConfig;
java.util.List revokeList;
/**
* init() : init() method called when the filter is instantiated.
* This filter is instantiated the first time j_security_check is
* invoked for the application (When a protected servlet in the
* application is accessed).
*/
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
// read revoked user list
revokeList = new java.util.ArrayList();
readConfig();
}
/**
* destroy() : destroy() method called when the filter is taken
* out of service.
*/
public void destroy() {
this.filterConfig = null;
revokeList = null;
}
/**
* doFilter() : doFilter() method called before the servlet to
* which this filter is mapped is invoked. Since this filter is
* mapped to j_security_check,this method is called before
* j_security_check action is posted.
*/
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws java.io.IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse res = (HttpServletResponse)response;
// pre login action
// get username
String username = req.getParameter("j_username");
// if user is in revoked list send error
if ( revokeList.contains(username) ) {
res.sendError(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED);
return;
}
// call next filter in the chain : let j_security_check authenticate
// user
chain.doFilter(request, response);
// post login action
}
/**
* readConfig() : Reads revoked user list file and creates a revoked
* user list.
*/
private void readConfig() {
if ( filterConfig != null ) {
// get the revoked user list file and open it.
BufferedReader in;
try {
String filename = filterConfig.getInitParameter("RevokedUsers");
in = new BufferedReader( new FileReader(filename));
} catch ( FileNotFoundException fnfe) {
return;
}
// read all the revoked users and add to revokeList.
String userName;
try {
while ( (userName = in.readLine()) != null )
revokeList.add(userName);
} catch (IOException ioe) {
}
}
}
}
<filter id="Filter_1">
<filter-name>LoginFilter</filter-name>
<filter-class>LoginFilter</filter-class>
<description>Performs pre-login and post-login operation</description>
<init-param>
<param-name>RevokedUsers</param-name>
<param-value>c:\WebSphere\AppServer\installedApps\
<app-name>\revokedUsers.lst</param-value>
</init-param>
</filter-id>
<filter-mapping>
<filter-name>LoginFilter</filter-name>
<url-pattern>/j_security_check</url-pattern>
</filter-mapping>
user1
cn=user1,o=ibm,c=us
user99
cn=user99,o=ibm,c=us