Tags: java, security, jakarta-ee, websphere

Filter executed before j_security_check


I have a filter mapped to /* and my security constraint is mapped to /*.

The filter performs a request forward when the application is not configured (an entry in the database).

When I access the application I am expecting to see the login page that is served up by the j_security_check, but instead the filter is executed and the forward is performed. This ends in a loop as I never get to the login page.

I thought security checks were performed before filters were processed?

This is WebSphere 8.0.0.4. It functions fine under Tomcat and JBoss.

Thanks for reading.


Solution

  • Here is another response from IBM. They suggest forwarding from a filter will never be secured by j_security_check, so be careful when using WebSphere. JBoss and Tomcat do not behave like this.

    I had the Webcontainer developer take a look at this too and received the following update:

    The web.xml shows the [configFilter] is mapped to /* i.e. configFilter /*

    and also security is mapped to all i.e. General Auth. /*

    The inbound request is for [/rootFilter/test/test-page.jsp]; security is called and then it is redirected to [rootFilter/login.jsp]. Now for the request [rootFilter/login.jsp], since the filter [configFilter] is mapped to all requests, [configFilter] is executed, which forwards the request to [/rootFilter/test/test-page.jsp], and then test-page.jsp is served.

    According to the Java Servlet Specification, 13.2 Declarative Security, the security is not valid for any dispatched request, so for the forwarded request to [/rootFilter/test/test-page.jsp] the security is not checked.

    Here it is from the specification: The security model applies to the static content part of the web application and to servlets and filters within the application that are requested by the client. The security model does not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet using a forward or an include.

    Customer will need to look into the design of the application to make sure either the filter is not mapped to all the requests or the filter does not forward to another resource.
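As an added example (not code from the question, the answer or IBM), here is a filter against the javax.servlet API that WebSphere 8 ships, showing the two changes IBM's last paragraph points at: the login resources are excluded from the filter, and an unconfigured application is redirected rather than forwarded, so the browser's new request is matched against the /* security constraint again instead of slipping through as an unchecked dispatch. The path names, the ConfigurationStore interface and the configStore context attribute are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical stand-in for the [configFilter] mapped to /* in the question. */
public class ConfigCheckFilter implements Filter {
    /** Hypothetical lookup for the "is the application configured" database entry. */
    public interface ConfigurationStore { boolean isConfigured(); }

    // Paths (relative to the context root) the filter must never intercept,
    // so the container can complete FORM authentication. Names are assumed.
    private static final Set<String> PASS_THROUGH = new HashSet<String>(
            Arrays.asList("/login.jsp", "/login-error.jsp", "/j_security_check"));
    private static final String SETUP_PAGE = "/setup.jsp"; // assumed name
    private ConfigurationStore store;

    @Override
    public void init(FilterConfig cfg) {
        // Assumed: the application publishes its ConfigurationStore as a context attribute.
        store = (ConfigurationStore) cfg.getServletContext().getAttribute("configStore");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Request path within the web application, without the context root.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        // A missing store is treated as "not configured" (fail closed).
        boolean configured = store != null && store.isConfigured();
        if (PASS_THROUGH.contains(path) || SETUP_PAGE.equals(path) || configured) {
            chain.doFilter(req, res); // the constraint already ran for this client request
            return;
        }
        // Redirect, not forward: a forward is a dispatched request the container does not
        // re-check (Servlet Spec 13.2), which is how test-page.jsp got served from login.jsp.
        response.sendRedirect(request.getContextPath() + SETUP_PAGE);
    }

    @Override
    public void destroy() { }
}
```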