I have a Java web application that uses security-constraints to lock down access to resources. I'm trying to manipulate the HTTP 401 response when authentication is required for Ajax requests, so I've created a filter that observes the HTTP status in responses and modifies it accordingly if required.
Problem is, it seems that if authentication is required, the filter doesn't get invoked until after the 401 has been sent to the browser. It seems that the security constraint precedes the filter in the request processing chain. My filter's url-pattern is more general than any of the security-constraints. Platform is WebSphere.
I can't see where the precedence of security-constraints and filters is specified in the Servlet 2.5 spec. Have I missed something?
First of all, if it is unspecified, this means that it is left as a container's implementation detail.
So you should look into WebSphere specifically.
I think the same would happen in Tomcat as well, since the security constraints (if I recall correctly) are implemented via Valves and so would precede the application code in the request chain.
From my point of view it makes sense, since if you assign the protection to your container, then if the request reaches your filter then it should have already passed your container's authentication mechanism (my point of view is that the filter is part of your resources).
In Tomcat you would solve your problem by replacing the Filter with a Valve
来源:https://stackoverflow.com/questions/10356361/filtering-requests-involving-security-constraints