Question

Here is my login filter class:

@WebFilter(urlPatterns = {"/backend/*", "/frontend/manager/*", "/frontend/faculty/*"})
public class AuthorizationFilter extends HttpFilter {

    @Override
    public void doFilter(HttpServletRequest request, HttpServletResponse response,
            HttpSession session, FilterChain chain) throws ServletException, IOException {
        UserManagedBean user = session != null ? (UserManagedBean) session.getAttribute("userManagedBean") : null;
        if (user != null && user.isLoggedIn()) {
            chain.doFilter(request, response);
        } else {
            response.sendRedirect(request.getContextPath() + "/frontend/login.xhtml?faces-redirect=true");
        }
    }
}

Is there any way to let the filter class automatically filter users to the urlPatterns I configured based on their roles?

For example, if I am an admin, the filter will allow me to access /backend/*. If I am a manager, then the filter will allow me to access /frontend/manager/* and disallow me the other ones (backend, faculty).

Solution

Nope, filters don't support role-based URL matching. For that, you should be using Java EE built-in container-managed security by <security-constraint> entries instead of homebrewed security using a servlet filter. Inside those <security-constraint> entries you can declare URL patterns by <web-resource-collection><url-pattern> and roles by <auth-constraint><role-name>.

Inside a filter, the best you can do is manually check HttpServletRequest#isUserInRole().

Licensed under: CC-BY-SA with attribution