JAAS and Filters
Small tip of the day. If you define a servlet filter and container-managed security (a security-constraint plus login-config in web.xml, backed by JAAS) in the same application, keep these in mind:
- If your filter is “url-mapped” (a url-pattern in its filter-mapping), it is executed BEFORE the container's security check, so the request may reach the filter unauthenticated;
- If it is “servlet-mapped” (a servlet-name in its filter-mapping), it is executed AFTER the container's security check, so the request already carries an authenticated principal.
I tested it when developing a filter to handle the “user life cycle” (expired passwords, agreement signing, etc.). If I map both the filter and the security constraint to “/*”, the filter is run. If I map the security constraint to “/*” and the filter to “Faces Servlet”, it is not executed until the user is authenticated (even when accessing “/faces/index.jsp”).
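The practical consequence is that a filter of this kind must be written for both positions in the chain: when it is url-mapped it may run with no authenticated principal and must not redirect, consult the user store, or leak anything; when it is servlet-mapped it can rely on the container having already authenticated the user. The following is an added illustration written for this page, not code from the original post. The filter class, the `UserLifecycleService` lookup (backed here by a constructed in-memory map), and the page paths are all assumptions; the Servlet API calls (`getUserPrincipal`, `sendRedirect`, `FilterChain`) are standard `javax.servlet`. Which ordering your container actually applies is not something the Servlet spec guarantees, so check it in your own container before relying on either mapping.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical "user life cycle" filter (example code, not the original post's).
 *
 * The two ways to wire it up in web.xml, with the behaviour described above:
 *
 *   <!-- url-mapped: runs BEFORE the security constraint on "/*" -->
 *   <filter-mapping><filter-name>lifecycle</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 *
 *   <!-- servlet-mapped: runs AFTER the security constraint, only for Faces Servlet -->
 *   <filter-mapping><filter-name>lifecycle</filter-name><servlet-name>Faces Servlet</servlet-name></filter-mapping>
 *
 * In the url-mapped case getUserPrincipal() is null for an unauthenticated request,
 * so the filter must treat that as "not my problem yet" and fall through.
 */
public class UserLifecycleFilter implements Filter {
    // Assumed page paths for this example.
    private static final String CHANGE_PASSWORD_PAGE = "/faces/changePassword.jsp";
    private static final String AGREEMENT_PAGE = "/faces/agreement.jsp";

    private UserLifecycleService service;

    public void init(FilterConfig config) throws ServletException {
        service = new UserLifecycleService();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // No authenticated identity: we are url-mapped and ahead of container
            // security. Do not look anything up or redirect; let the container
            // enforce the constraint and challenge the user.
            chain.doFilter(req, res);
            return;
        }

        // Never intercept the pages we redirect to, or the user loops forever.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        if (path.equals(CHANGE_PASSWORD_PAGE) || path.equals(AGREEMENT_PAGE)) {
            chain.doFilter(req, res);
            return;
        }

        String user = principal.getName();
        if (service.isPasswordExpired(user)) {
            response.sendRedirect(request.getContextPath() + CHANGE_PASSWORD_PAGE);
            return;
        }
        if (!service.hasSignedAgreement(user)) {
            response.sendRedirect(request.getContextPath() + AGREEMENT_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        service = null;
    }

    /** Hypothetical user-store lookup; a real one would query the same store JAAS authenticates against. */
    static class UserLifecycleService {
        private final Map<String, Boolean> passwordExpired = new HashMap<String, Boolean>();
        private final Map<String, Boolean> agreementSigned = new HashMap<String, Boolean>();

        UserLifecycleService() {
            // Constructed sample data for the example.
            passwordExpired.put("alice", Boolean.TRUE);
            agreementSigned.put("alice", Boolean.TRUE);
            passwordExpired.put("bob", Boolean.FALSE);
            agreementSigned.put("bob", Boolean.FALSE);
        }

        boolean isPasswordExpired(String user) {
            return Boolean.TRUE.equals(passwordExpired.get(user));
        }

        boolean hasSignedAgreement(String user) {
            return Boolean.TRUE.equals(agreementSigned.get(user));
        }
    }
}
```

With the servlet-mapped wiring the `principal == null` branch is never taken for a protected page, which is the ordering the post recommends for this kind of filter; with the url-mapped wiring it is taken on every unauthenticated request, and the guard is what keeps the filter from redirecting anonymous users into pages that themselves sit behind the security constraint.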