how to implement authentication filter for java web application
An authentication filter is used to restrict access to web resources of an application. It verifies the user's identity by examining the request headers, parameters, or cookies, and blocks the access to the resources if the user is not authenticated.
Here is a basic example of how to implement an authentication filter for a Java web application:
- Create a filter class that implements the javax.servlet.Filter interface:
public class AuthenticationFilter implements Filter { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest httpRequest = (HttpServletRequest) request; HttpServletResponse httpResponse = (HttpServletResponse) response; HttpSession session = httpRequest.getSession(false); // Check if the session contains an authenticated user boolean isAuthenticated = (session != null && session.getAttribute("user") != null); if (!isAuthenticated) { // Redirect to the login page httpResponse.sendRedirect(httpRequest.getContextPath() + "/login.jsp"); return; } // User is authenticated, so continue the request chain.doFilter(request, response); } public void init(FilterConfig config) throws ServletException { // Initialization code } public void destroy() { // Clean up code } }Source:wwtfigi.widea.com
- Map the filter to the URLs that need to be authenticated in the
web.xml
file:
<filter> <filter-name>AuthenticationFilter</filter-name> <filter-class>com.example.AuthenticationFilter</filter-class> </filter> <filter-mapping> <filter-name>AuthenticationFilter</filter-name> <url-pattern>/secured/*</url-pattern> </filter-mapping>
In this example, the filter is mapped to the /secured/*
URL pattern, which means that all requests that start with /secured/
will be intercepted by the filter.
Create a login page (in this example,
login.jsp
) that allows the user to enter their credentials and submit a login form to the server.In the servlet that processes the login request, authenticate the user and store their information in the session:
public class LoginServlet extends HttpServlet { public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String username = request.getParameter("username"); String password = request.getParameter("password"); // Authenticate the user (e.g. by checking the database) boolean isAuthenticated = authenticateUser(username, password); if (isAuthenticated) { HttpSession session = request.getSession(true); session.setAttribute("user", username); response.sendRedirect(request.getContextPath() + "/secured/welcome.jsp"); } else { response.sendRedirect(request.getContextPath() + "/login.jsp?error=1"); } } private boolean authenticateUser(String username, String password) { // Authentication logic goes here } }
- Create a secured resource (in this example,
welcome.jsp
) that can only be accessed by authenticated users. Add a link to this resource in the login page.
That's it! When the user tries to access the secured resource, the authentication filter will intercept the request and check if the user is authenticated. If the user is not authenticated, they will be redirected to the login page. If the user is authenticated, the filter will allow the request to proceed to the secured resource.