Filters Help - Getting 2 filters to work with each other.

Question

Hi I have written 2 filters 1 for a normal user and 1 for a admin yet you have to be admin to login. Here is the source for both of my filters:

public class newFilter implements Filter {
String UUIDInDB;
String UUIDInCookie;

public void init(FilterConfig filterConfig) throws ServletException {
    //To change body of implemented methods use File | Settings | File Templates.
}

public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) servletRequest;
    HttpServletResponse res = (HttpServletResponse) servletResponse;

    Cookie[] cookies = req.getCookies();

    UUIDInCookie = getCookieValue(cookies,"pubweb", "noCookie");

    if(UUIDInCookie.equals("noCookie")){
        Cookie cookie = new Cookie("pubweb","noCookie");
        cookie.setMaxAge(1);
        res.addCookie(cookie);
        res.sendRedirect("../Login.jsp");
        return ;
    }

    checkDatabase();

    if(UUIDInCookie.equals(UUIDInDB)){
        filterChain.doFilter(servletRequest, servletResponse);
        System.out.println("Is allowed thorugh");
    } else if(UUIDInCookie.equals("noCookie")){
        res.sendRedirect("../Login.jsp");
        System.out.println("Isn't allowed thorugh");            
    } else {
        res.sendRedirect("../Login.jsp");
        System.out.println("Isn't allowed thorugh");
    }
}

public void destroy() {
    //To change body of implemented methods use File | Settings | File Templates.
}

public void checkDatabase(){
    try {
        Class.forName("com.mysql.jdbc.Driver");
    } catch (ClassNotFoundException e) {
        e.printStackTrace();  //To change body of catch statement use File | Settings | File Templates.
    }

    /*
    The next lines allow you to change the username and password for the password.
    */
    String username = "username";
    String password = "password";

    /*
    The following line is the url. This can be changed to bring in to line with the database.
     */
    String dbURL = "jdbc:mysql://localhost/hpsgdb?user="
            + username + "&password=" + password;
    /*
    This line connects to the database to the information presented earlier.
    */

    java.sql.Connection myConnection = null;
    try {
        myConnection = DriverManager.getConnection(dbURL);
        System.out.println("Connected to Database.");
    } catch (SQLException e) {
        e.printStackTrace();  //To change body of catch statement use File | Settings | File Templates.
    }
    /*
    The next line creates a query on the database. The query is that you want exacuted is on the next line.
     */
    Statement stat = null;
    try {
        stat = (Statement) myConnection.createStatement();
    } catch (SQLException e) {
        e.printStackTrace();  //To change body of catch statement use File | Settings | File Templates.
    } catch (NullPointerException e){
        e.printStackTrace();
    }

    try {
        ResultSet rs;
        rs = stat.executeQuery("SELECT * from uuid where uuid='" + UUIDInCookie + "';");
        System.out.println("Executed Query.");
        int count = 0;
        while(rs.next())
        UUIDInDB = rs.getString("uuid") ;
        System.out.println(UUIDInDB);
        rs.close();
        myConnection.close();
    } catch (SQLException e) {
        e.printStackTrace();  //To change body of catch statement use File | Settings | File Templates.
    } catch (NullPointerException e){
        e.printStackTrace();
    }
}

public static String getCookieValue(Cookie[] cookies,
                                    String cookieName,
                                    String defaultValue) throws IOException {
    int length = cookies.length;
    System.out.println(length);
    try{
    for(int i=0; i<length; i++) {
        Cookie cookie = cookies[i];
        if (cookieName.equals(cookie.getName())) {
            System.out.println(cookies.length);
            return(cookie.getValue());
        } else {
            return defaultValue;
        }
    } } catch (NullPointerException e){
        e.printStackTrace();
        HttpServletResponse res = null;
        res.sendRedirect("../Login.jsp");
    }
    return(defaultValue);
} 
}

Other Filter:

public class adminFilter implements Filter {
String UUIDInDB;
String UUIDInCookie;
int role;

public void destroy() {
}

public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws ServletException, IOException {
    HttpServletRequest req = (HttpServletRequest) servletRequest;
    HttpServletResponse res = (HttpServletResponse) servletResponse;

    Cookie[] cookies = req.getCookies();

    UUIDInCookie = getCookieValue(cookies,"pubweb", "noCookie");
   // role = Integer.parseInt(getCookieValue(cookies,"pubwebRole", "2"));

    if(UUIDInCookie.equals("noCookie")){
        Cookie cookie = new Cookie("pubweb","noCookie");
        cookie.setMaxAge(1);
        res.addCookie(cookie);
        res.sendRedirect("../Login.jsp");
        return ;
    }

    checkDatabase();

    if(UUIDInCookie.equals(UUIDInDB) && role == 1){
        chain.doFilter(servletRequest, servletResponse);
    } else if(UUIDInCookie.equals("noCookie")){
        res.sendRedirect("../Login.jsp");
    } else if (role == 2){
        res.sendRedirect("/");
    }   else {
        res.sendRedirect("../Login.jsp");
    }
}

public void init(FilterConfig config) throws ServletException {

}

public void checkDatabase(){
    try {
        Class.forName("com.mysql.jdbc.Driver");
    } catch (ClassNotFoundException e) {
        e.printStackTrace();  //To change body of catch statement use File | Settings | File Templates.
    }

    /*
    The next lines allow you to change the username and password for the password.
    */
    String username = "username";
    String password = "password";

    /*
    The following line is the url. This can be changed to bring in to line with the database.
     */
    String dbURL = "jdbc:mysql://localhost/hpsgdb?user="
            + username + "&password=" + password;
    /*
    This line connects to the database to the information presented earlier.
    */

    java.sql.Connection myConnection = null;
    try {
        myConnection = DriverManager.getConnection(dbURL);
        System.out.println("Connected to Database.");
    } catch (SQLException e) {
        e.printStackTrace();  //To change body of catch statement use File | Settings | File Templates.
    }
    /*
    The next line creates a query on the database. The query is that you want exacuted is on the next line.
     */
    Statement stat = null;
    try {
        stat = (Statement) myConnection.createStatement();
    } catch (SQLException e) {
        e.printStackTrace();  //To change body of catch statement use File | Settings | File Templates.
    } catch (NullPointerException e){
        e.printStackTrace();
    }

    try {
        ResultSet rs;
        rs = stat.executeQuery("SELECT * from uuid where uuid='" + UUIDInCookie + "';");
        System.out.println("Executed Query.");
        int count = 0;
        while(rs.next()) {
        UUIDInDB = rs.getString("uuid") ;
        role = rs.getInt("role");
        }
        System.out.println(UUIDInDB);
        System.out.println("Role =" + role);
        rs.close();
        myConnection.close();
    } catch (SQLException e) {
        e.printStackTrace();
    } catch (NullPointerException e){
        e.printStackTrace();
    }
}

public static String getCookieValue(Cookie[] cookies,
                                    String cookieName,
                                    String defaultValue) throws IOException {
    int length = cookies.length;
    System.out.println(length);
    try{
    for(int i=0; i<length; i++) {
        Cookie cookie = cookies[i];
        if (cookieName.equals(cookie.getName())) {
            System.out.println(cookies.length);
            return(cookie.getValue());
        } else {
            return defaultValue;
        }
    } } catch (NullPointerException e){
        e.printStackTrace();
        HttpServletResponse res = null;
        res.sendRedirect("../Login.jsp");
    }
    return(defaultValue);
}

}

HEre is my web xml file:

<filter>
    <filter-name>SecurityFilter</filter-name>
    <filter-class>filters.newFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <url-pattern>/add/addAuthor.jsp</url-pattern>
    <url-pattern>/add/addAuthor</url-pattern>
    <url-pattern>/add/addConference.jsp</url-pattern>
    <url-pattern>/add/addConference</url-pattern>
    <url-pattern>/add/addJournal.jsp</url-pattern>
    <url-pattern>/add/addJournal</url-pattern>
    <url-pattern>/add/addWorkshop.jsp</url-pattern>
    <url-pattern>/add/addWorkshop</url-pattern>
    <url-pattern>/add/index.jsp</url-pattern>
</filter-mapping>

<filter>
    <filter-name>AdminFilter</filter-name>
    <filter-class>filters.adminFilter</filter-class>
</filter>
<!--  <filter-mapping>
    <filter-name>AdminFilter</filter-name>
    <url-pattern>/add/addAuthor.jsp</url-pattern>
    <url-pattern>/add/addAuthor</url-pattern>
    <url-pattern>/add/addConference.jsp</url-pattern>
    <url-pattern>/add/addConference</url-pattern>
    <url-pattern>/add/addJournal.jsp</url-pattern>
    <url-pattern>/add/addJournal</url-pattern>
    <url-pattern>/add/addWorkshop.jsp</url-pattern>
    <url-pattern>/add/addWorkshop</url-pattern>
    <url-pattern>/add/index.jsp</url-pattern>
    <url-pattern>/add/addConfJour.jsp</url-pattern>
    <url-pattern>/add/addConfJourn</url-pattern>
    <url-pattern>/add/addUser.jsp</url-pattern>
    <url-pattern>/add/addUser</url-pattern>
    <url-pattern>/add/addTag.jsp</url-pattern>
    <url-pattern>/add/addTag</url-pattern>
    <url-pattern>/add/indexAdmin.jsp</url-pattern>
</filter-mapping>-->

<filter-mapping>
    <filter-name>AdminFilter</filter-name>
    <url-pattern>/add/*</url-pattern>
</filter-mapping>

Thanks in Advance Dean

Answer 1

Are you sure that you really want to be implementing all your own access security? The servlet spec supports protected resources whereby you can essentially do what you are doing. You may still want to write a filter to pop a user object into the session.

Take a look at this link http://www.informit.com/articles/article.aspx?p=24253 on protecting access to web resources using container authentication.

Also glancing at your code there are a couple of things which don't smell too good

• Java naming conventions all classes should start with an Uppercase character
• Member variables have been left package protected - these should ideally be private
• The two filters are very similar yet do not share common code in an abstract parent class or a utility class
• Database connections are being created for each login lookup - this is in efficient - ideally data access should be via a data access layer and this should be using a connection pool so that connections get reused and you don't create too many connections
• Closing resources - the database connection is not guaranteed to be closed properly. Look at using a finally block for closing the resource
• Exception handling - exceptions should not be swallowed - wrap them up in ServletException and throw them out
• Catching NullPointerExceptions these should not be caught and are generally caused by schoolboy coding bugs.