I have pages in my web application which are accessible only by the administrator. I wrote filter, but I don't understand how to return HTTP error code(403) from the filter if user isn't the admin.
public class AdminFilter implements Filter {
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
String username = servletRequest.getParameter("username");
String password = servletRequest.getParameter("password");
UserDao userDaoImpl = new UserDaoImpl();
if(userDaoImpl.findByUsername(username).getPassword().equals(password)) {
filterChain.doFilter(servletRequest, servletResponse);
} else {
//respond with 403
}
}
}
I understand that I can redirect to my custom 403 page but I'm wondering how to return HTTP error code.
You need to cast servletResponse
to HttpServletResponse
first:
HttpServletResponse response = (HttpServletResponse) servletResponse;
Then use its sendError()
method:
response.sendError(HttpServletResponse.SC_FORBIDDEN);
SC_FORBIDDEN
stands for code 403.
By the way, you don't redirect to 403 page, you just respond with that status. If you do that, the servlet container will serve a special 403 page to the user. You can configure that page in your web.xml
:
<error-page>
<error-code>403</error-code>
<location>/error-403.htm</location>
</error-page>
This instructs the container to serve your custom page /error-403.htm
when you set 403 status.
If you want a redirect, you could use response.sendRedirect()
(it issues a 302 redirect).