com.fullspan.kat.web
Class KatServletFilter

java.lang.Object
  com.fullspan.kat.web.KatServletFilter

All Implemented Interfaces:
    javax.servlet.Filter

public class KatServletFilter
extends java.lang.Object
implements javax.servlet.Filter

Author:
    Mitch Stuart
Method Summary

void destroy()

void doFilter(javax.servlet.ServletRequest req,
              javax.servlet.ServletResponse resp,
              javax.servlet.FilterChain filterChain)
    Overview: this filter does the database and connection handling for
    every request (opens a connection and starts a transaction, allows the
    request to be processed normally, rolls back the transaction if there
    is an exception and commits it otherwise, then closes the connection)
    and checks if the request requires login.

protected void handleLoginRequired(javax.servlet.http.HttpServletRequest httpReq,
                                   KatRequestWeb katRequest,
                                   KatSessionWeb katSession)

void init(javax.servlet.FilterConfig filterConfig)

Methods inherited from class java.lang.Object
    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
KatServletFilter
public KatServletFilter()

init
public void init(javax.servlet.FilterConfig filterConfig)
                 throws javax.servlet.ServletException
    Specified by:
        init in interface javax.servlet.Filter
    Throws:
        javax.servlet.ServletException
    See Also:
        Filter.init(javax.servlet.FilterConfig)
doFilter
public void doFilter(javax.servlet.ServletRequest req,
                     javax.servlet.ServletResponse resp,
                     javax.servlet.FilterChain filterChain)
                     throws java.io.IOException,
                            javax.servlet.ServletException

    Overview

    This filter:

    - Does the database and connection handling for every request:
        - Opens a connection and starts a transaction
        - Allows the request to be processed normally
        - If there is an exception, rolls back the transaction; otherwise
          commits the transaction
        - Closes the connection
    - Checks if the request requires login. If it does, and the user is
      not currently logged in, the user is forwarded to the login page,
      where a message is displayed.

    Connection Pooling

    Note that most environments use connection pooling, so "open" and
    "close" above usually mean requesting a connection from the pool and
    releasing it back to the pool.

    Access Checking

    We determine whether authorization is required by examining the
    "servletPath". This is the portion of the path following the web
    application context. For example, if the application is called "kat"
    and a typical URL is "http://test.fullspan.com/kat/app/entryDisplay.do",
    then the servletPath is "/app/entryDisplay.do".

    URL Checking

    The access checking described above examines the content of the
    servletPath in the URL. We must be careful that the user cannot
    bypass the access check by using a different form of the URL. From
    observation we have determined the following:

    - Tomcat URLs are case sensitive. If the protected path is /app and
      the user enters /aPp, the path will not be recognized and Tomcat
      will give an HTTP 400 error like this:
      Invalid path /aPp/entryDisplay was requested. Therefore there is no
      need to "ignore case" when comparing the accessCheckPrefix against
      the servletPath; our filter will not even get control if the case
      does not match.
    - Tomcat URL-decodes the URL before our filter gets control. For
      example, if the user enters a URL like /ap%70/hello.do, Tomcat will
      decode this to /app/hello.do before we see it.

    Specified by:
        doFilter in interface javax.servlet.Filter
    Throws:
        java.io.IOException
        javax.servlet.ServletException
    See Also:
        Filter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
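The request flow described above, as an added example: this is not KatServletFilter's source (the page documents the class's behaviour but does not show its implementation), only a filter with the same shape, a per-request JDBC transaction wrapped around the filter chain and a case-sensitive prefix check on the already-decoded servletPath. The class name, the `loginPage` init-param, the JNDI data-source name and the request/session attribute names are assumptions; the page itself names only `accessCheckPrefix`.

```java
// Added example, not the KatServletFilter source. Illustrates the
// behaviour the page describes: per-request transaction, login check
// on the servletPath prefix. All names below except accessCheckPrefix
// are assumptions for this example.
package example; // hypothetical package

import java.io.IOException;
import java.sql.Connection;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

public class ExampleTxAccessFilter implements Filter {

    // Request attribute under which the open connection is handed to the
    // rest of the request (attribute name is an assumption).
    public static final String CONNECTION_ATTR = "example.connection";
    // Session attribute that marks a logged-in user (assumption).
    public static final String USER_ATTR = "example.user";

    private DataSource dataSource;
    private String accessCheckPrefix; // e.g. "/app", from the init-param the page names
    private String loginPage;         // e.g. "/login.jsp", hypothetical init-param

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        accessCheckPrefix = cfg.getInitParameter("accessCheckPrefix");
        loginPage = cfg.getInitParameter("loginPage");
        if (accessCheckPrefix == null || loginPage == null) {
            throw new ServletException("accessCheckPrefix and loginPage init-params are required");
        }
        try {
            // JNDI name is an assumption; the container owns the pool behind it.
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/exampleDS");
        } catch (NamingException e) {
            throw new ServletException("DataSource lookup failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;

        // Access check on the decoded servletPath; exact case, no folding.
        if (requiresLogin(httpReq.getServletPath()) && !isLoggedIn(httpReq)) {
            req.setAttribute("loginMessage", "Please log in to continue.");
            req.getRequestDispatcher(loginPage).forward(req, resp);
            return; // the protected resource is never reached
        }

        Connection conn = null;
        boolean committed = false;
        try {
            conn = dataSource.getConnection(); // "open" = borrow from the pool
            conn.setAutoCommit(false);         // start the transaction
            req.setAttribute(CONNECTION_ATTR, conn);
            chain.doFilter(req, resp);         // normal processing
            conn.commit();
            committed = true;
        } catch (SQLException e) {
            throw new ServletException("database error", e);
        } finally {
            if (conn != null) {
                try {
                    if (!committed) conn.rollback(); // every exception path rolls back
                } catch (SQLException ignore) { /* best effort */ }
                try { conn.close(); } catch (SQLException ignore) { /* "close" = return to pool */ }
            }
        }
    }

    /** True when the path is the prefix itself or a child of it; case-sensitive. */
    boolean requiresLogin(String servletPath) {
        return servletPath != null
            && (servletPath.equals(accessCheckPrefix)
                || servletPath.startsWith(accessCheckPrefix + "/"));
    }

    private boolean isLoggedIn(HttpServletRequest httpReq) {
        HttpSession session = httpReq.getSession(false); // don't create a session just to check
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    @Override
    public void destroy() { dataSource = null; }
}
```

Two design choices worth noting. The prefix match requires either an exact match or a "/" after the prefix, so a prefix of "/app" does not accidentally cover a sibling path such as "/application"; the page compares accessCheckPrefix against the servletPath but does not say how, so this is the example's choice. The rollback lives in the finally block and is keyed off a `committed` flag, so that an IOException or ServletException from the chain, and a failed commit, both roll back without the filter having to enumerate exception types.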
handleLoginRequired
protected void handleLoginRequired(javax.servlet.http.HttpServletRequest httpReq,
                                   KatRequestWeb katRequest,
                                   KatSessionWeb katSession)

destroy
public void destroy()
    Specified by:
        destroy in interface javax.servlet.Filter
    See Also:
        Filter.destroy()