J2EE User Authentication using servlet filters

Filters can be used to transform the response from a servlet or a JSP page, and can perform many functions, such as:

  • User authentication - Blocking requests based on user identity.
  • Logging and auditing - Tracking users and the actions performed.
  • Image conversion - Scaling, squeezing, etc.
  • Data compression - Making downloads easier.
  • Localization - Targeting the request and response to a particular locale.

A filter is a Java class that implements the javax.servlet.Filter interface. The interface defines the three methods given below.

| Sl. No | Method | Description |
|--------|--------|-------------|
| 1 | public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) | This method is called each time a request/response pair is passed. |
| 2 | public void init(FilterConfig filterConfig) | init() is used to initialize the filter and is invoked only once. |
| 3 | public void destroy() | This method is called to indicate that a filter is being taken out of service. |

The example below shows a filter implementation for user authentication.


package com.servlet.filter;

import java.io.IOException;
import java.util.ArrayList;
import java.util.StringTokenizer;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Implements the Filter interface
public class UserAuthFilter implements Filter {
  // URLs that are excluded from the authentication check
  private ArrayList<String> urlList;

  public void destroy() {
    // Nothing to release
  }

  public void doFilter(ServletRequest req, ServletResponse res,
      FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    String url = request.getServletPath();
    boolean allowedRequest = false;
    String strURL = "";
    // To check if the url can be excluded or not
    for (int i = 0; i < urlList.size(); i++) {
      strURL = urlList.get(i).toString();
      if (url.startsWith(strURL)) {
        allowedRequest = true;
        break;
      }
    }
    if (!allowedRequest) {
      HttpSession session = request.getSession(false);
      if (session == null
          || session.getAttribute("session_uname") == null) {
        // Forward the control to login.jsp if authentication fails
        request.getRequestDispatcher("/login.jsp").forward(request, response);
        // Stop here so the protected resource is not invoked as well
        return;
      }
    }
    chain.doFilter(req, res);
  }

  public void init(FilterConfig config) throws ServletException {
    // Read the URLs to be avoided for authentication check (From web.xml)
    String urls = config.getInitParameter("avoid-urls");
    urlList = new ArrayList<String>();
    if (urls == null) {
      // No exclusions configured: every request needs a valid session
      return;
    }
    StringTokenizer token = new StringTokenizer(urls, ",");
    while (token.hasMoreTokens()) {
      // Trim so that "a, b" style lists still match
      urlList.add(token.nextToken().trim());
    }
  }
}


    <filter-class>com.servlet.filter.UserAuthFilter</filter-class>
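
The filter's avoid-urls check uses startsWith, so a configured entry exempts every path that merely begins with it, and an entry of "/" exempts the whole application. The following is an added example, not part of the original article, of a stricter matcher; the class name AvoidUrlMatcher, the convention that a trailing "/" marks a directory, and the sample configuration and paths are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

// Added example (not the article's code): stricter matching for "avoid-urls".
public class AvoidUrlMatcher {
  private final List<String> exactPaths = new ArrayList<>();
  private final List<String> directories = new ArrayList<>();

  // Entries ending in "/" exempt a directory; every other entry must match exactly.
  public AvoidUrlMatcher(String initParam) {
    if (initParam == null) return;            // no exemptions configured
    for (String raw : initParam.split(",")) {
      String entry = raw.trim();
      // Skip blanks, relative entries and "/" (which would exempt every path)
      if (!entry.startsWith("/") || entry.equals("/")) continue;
      if (entry.endsWith("/")) directories.add(entry);
      else exactPaths.add(entry);
    }
  }

  public boolean isExempt(String servletPath) {
    if (servletPath == null) return false;
    if (exactPaths.contains(servletPath)) return true;
    for (String dir : directories) {
      if (servletPath.startsWith(dir)) return true;
    }
    return false;
  }

  // The article's rule, for comparison: any entry that is a prefix exempts the path.
  static boolean prefixRule(String initParam, String servletPath) {
    for (String raw : initParam.split(",")) {
      String entry = raw.trim();
      if (!entry.isEmpty() && servletPath.startsWith(entry)) return true;
    }
    return false;
  }

  public static void main(String[] args) {
    String config = "/login.jsp, /public/, /";   // constructed sample value
    String[] paths = {"/login.jsp", "/public/logo.png", "/login.jsp.old", "/account.jsp"};
    AvoidUrlMatcher matcher = new AvoidUrlMatcher(config);
    for (String path : paths) {
      System.out.printf("%-20s prefix rule: %-5b strict: %b%n",
          path, prefixRule(config, path), matcher.isExempt(path));
    }
  }
}
```

In the filter, the matcher would be built once in init() from the avoid-urls parameter and isExempt(request.getServletPath()) called in doFilter() in place of the startsWith loop.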
