On Fri, Jun 26, 2015 at 1:42 AM, André Warnier <a...@ice-sa.com> wrote:
>
> I must admit that your question above was a bit difficult to follow, in
> terms of if/then/else/unless, particularly late at night.

Yes, you are right. Sorry about that. I was trying to walk the line between saying too much and not enough and so it came out all gibberish.

> And the last paragraph made me think that perhaps the Tomcat logo might
> lead you to personalise things a bit more than is really healthy.
> (Or else I want to have a look at that code, because the Tomcat developers
> must be even smarter than I thought).
>
> But if your question in the end boils down to : *must* a filter
> necessarily call the next filter/webapp in the chain, then the answer is in
> the Servlet Specification.
> E.g. Servlet Spec v 3.0 final, Chapt 6 Filtering, Section 6.2 Main
> concepts, item 4 :
> "The filter *may* invoke the next entity in the filter chain"..
> It even adds : "Alternatively, the filter chain can block the request by
> not making the call to invoke the next entity, leaving the filter
> responsible for filling out the response object."
>
> (What you need to do then still, is to ensure that you do indeed generate
> a valid response, whether it's an error or not. That's maybe the point
> where different containers may react slightly differently.).
>

If I use a return statement to break out of a filter, what should happen? Will the next filter run? Shouldn't a return statement in a filter, especially one that comes right after a sendError call, send the error and direct the user to the page configured for such errors?

The scenario I'm working on is a web service. The web service has three filters, in order they are: throttle filter, authentication filter, logging filter. If a user is not authenticated, the following code "should" break out of the filter chain and redirect the user to a custom 403. It works nice on Tomcat.

HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
return;

What I'm seeing on other containers is that I get a NPE where the Service class is trying to do something with the authenticated user, which is null. I realize this is not an "other containers" forum, but I was just curious what the expected behaviour *should* be.

Leo
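
The blocking pattern from Servlet Spec section 6.2 quoted above, written out as a complete fail-closed authentication filter. This is an added example, not code from the original message; the class name and the `authenticatedUser` request attribute are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: fail-closed authentication filter (Servlet 3.0 API).
public class AuthenticationFilter implements Filter {

    // Hypothetical attribute name; an earlier component is assumed to set it
    // once the caller's credentials have been verified.
    static final String USER_ATTR = "authenticatedUser";

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        Object user = httpRequest.getAttribute(USER_ATTR);
        if (user == null) {
            // Block the request: fill out the response here and do NOT
            // invoke the next entity in the chain.
            if (!httpResponse.isCommitted()) {
                httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            }
            return; // chain.doFilter() is never reached on this path
        }

        // The only path to the rest of the chain is an authenticated user,
        // so code behind this filter can rely on USER_ATTR being non-null.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

With the filter order given in the message (throttle, authentication, logging), a request blocked here never reaches the logging filter, so rejected requests need to be recorded in this filter or by a logging filter mapped ahead of it.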