JAAS and Filters

Tuesday, March 17th, 2009

Small tip of the day. If you define a servlet filter and container-managed security in the same application, keep these in mind:

  • If your filter is “url-mapped”, it is executed BEFORE the security manager;
  • If it is “servlet-mapped”, it is executed AFTER the security manager.

I tested it when developing a filter to handle “user life cycle” (expired passwords, agreement signing, etc.). If I mapped both the filter and security to “/*”, the filter was run. If I mapped security to “/*” and the filter to “Faces Servlet”, it was not executed until authenticated (even when accessing “/faces/index.jsp”).
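
The two mappings compared above, written out as a `web.xml`. This is an added example, not the descriptor from the original application: the filter class `com.example.UserLifeCycleFilter`, the role name `user`, the `/faces/*` servlet mapping and the BASIC login method are assumptions, while “Faces Servlet” and the “/*” patterns come from the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern> <!-- assumed mapping -->
  </servlet-mapping>

  <filter>
    <filter-name>UserLifeCycleFilter</filter-name>
    <!-- hypothetical class standing in for the "user life cycle" filter -->
    <filter-class>com.example.UserLifeCycleFilter</filter-class>
  </filter>

  <!-- Variant A, url-mapped: in the post's test this ran BEFORE
       authentication, so the filter saw requests with no logged-in user.
  <filter-mapping>
    <filter-name>UserLifeCycleFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->

  <!-- Variant B, servlet-mapped: in the post's test this ran only AFTER
       authentication, which is what a check on the logged-in user needs. -->
  <filter-mapping>
    <filter-name>UserLifeCycleFilter</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
  </filter-mapping>

  <!-- Container-managed security mapped to "/*", as in the post -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config> <!-- assumed -->
  <security-role><role-name>user</role-name></security-role>
</web-app>
```

With variant A, the filter code has to handle `request.getUserPrincipal()` returning `null`, since it can be invoked for requests that have not been authenticated yet.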