Home/ Questions/Q 6875813
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T04:24:05+00:00

Short question . How is it possible to execute servlet filters before any declarative

  • 0

Short question. How is it possible to execute servlet filters before any declarative security check is performed?

Long question. For my web application I’m trying to manage all my security needs using server declarative security: I have set a security constraint on <url-pattern>/secure/*</url-pattern> with <auth-method>FORM</auth-method> and <form-login-page>/sign-in.xhtml</form-login-page>.

In order to provide a (cookie-based) “remember me” function, I have set a servlet filter which intercepts each request, checks if the user is not logged in, checks if he can be logged in automatically (via cookie), eventually logs him in using servlet based login.

<filter-mapping>
    <filter-name>CustomLoginFilter</filter-name>
    <url-pattern>*.xhtml</url-pattern>
</filter-mapping>

Now, if the user opens his browser and connects to mysite.com everything just works. But if the user opens his browser and makes a straight request to something like mysite.com/secure/secret.xhtml I observe the following behaviour:

  1. GET /secure/secret.xhtml
  2. the backing beans of log-in.xhtml are instantiated (FacesContext is available)
  3. the CustomLoginFilter.doFilter( ) gets called, (FacesContext is NULL)

This obviously hinders all the process. I cannot find any way to give precedence to my CustomLoginFilter over the server “declarative security filter” (or whatever); changing the web.xml order of declarations doesn’t help too… any ideas? Thank you!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    How is it possible to execute servlet filters before any declarative security check is performed?

    That’s not possible due to specification and security restrictions.

    Your best bet is a hook on preRenderView event in the login page and use programmatic login by the new Servlet 3.0 HttpServletRequest#login() method.

    E.g.

    <f:event type="preRenderView" listener="#{authenticator.checkAutoLogin}" />

    with something like

    public void checkAutoLogin() throws IOException {
    ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
    Cookie autoLogin = externalContext.getRequestCookieMap().get("autoLoginCookieName");

    if (autoLogin != null) {
        User user = decryptCookieValueAndExtractUser(autoLogin.getValue()); // Yes, it must be encrypted! Otherwise a too easy hack.

        if (user != null) {
            HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();

            try {
                request.login(user.getName(), user.getPassword());
                String originalRequestURI = externalContext.getRequestMap().get(RequestDispatcher.FORWARD_REQUEST_URI);
                externalContext.redirect(originalRequestURI != null ? originalRequestURI : "someDefaultIndex.xhtml");
            } catch (ServletException e) {
                // Login failed. It's up to you how to handle it.
            }
        }
    }
}
    • 0