
Servlet Filter


1. Overview

In this article, we will cover the Servlet Filter with use cases.

2. Servlet Filter

Servlet filters intercept requests from the client before they reach the target resource (e.g. controller, servlet, JSP, HTML file, or other static content) in a web application, and can also post-process responses before they are sent to the client.

The steps below illustrate how a Servlet Filter works:

[Figure: Servlets with or without filters]
  1. The client sends a request for a resource, such as a controller handler method or a servlet. The servlet container creates a filter chain to process the incoming request.
  2. The servlet container forwards the incoming request (HttpServletRequest) to the filters in the filter chain. You can configure a filter to apply to all requests or only to selected requests.
  3. A filter can do any of the following:
    1. Alter the HttpServletRequest before forwarding it to the target resource, such as a controller.
    2. Change the HttpServletResponse before it is sent to the client.
    3. Stop the request from reaching the target resource and instead generate a response and send it to the client. This comes in handy when you want to reject certain requests, or to secure requests by performing authentication / authorization in the filter, as Spring Security does.

Spring Security integrates with the Servlet Container by using a standard Servlet Filter.

2.1. Use case

The target resource in an application might generate response data that is sensitive and should not go out over the network in clear-text form, especially when the connection is established via a non-secure protocol such as HTTP.

A filter can encrypt the responses before sending them to the client.

A common scenario for a filter is where you want to apply preprocessing or post-processing to requests or responses for a group of requests, not just a single request.

2.2. Example

You must implement the javax.servlet.Filter interface to create a Servlet Filter. Here is an example servlet filter implementation:

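package com.tedblob.filter;
import javax.servlet.*;

public class ServletFilterExample implements javax.servlet.Filter {
  // Configuration the container passes in at initialization (init-params, ServletContext).
  private FilterConfig filterConfig;

  // Called for every request mapped to this filter.
  public void doFilter(final ServletRequest request,
                       final ServletResponse response,
                       FilterChain chain)
      throws java.io.IOException, javax.servlet.ServletException {
    // Pass the request on to the next filter in the chain or to the target resource.
    // Code before this call pre-processes the request; code after it post-processes the response.
    chain.doFilter(request, response);
  }

  // Called once by the container when the filter is put into service.
  public void init(final FilterConfig filterConfig) {
    this.filterConfig = filterConfig;
  }

  // Called once by the container when the filter is taken out of service.
  public void destroy() {
  }
}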

The Filter interface defines three methods:

  • init()
  • destroy()
  • doFilter()

When the servlet container (like Apache Tomcat or Jetty) starts up, it will deploy and load all its web applications. When a web application loads, the servlet container creates the ServletContext once and keeps it in the server’s memory. 

The ServletContext remembers all the servlets, filters, and listeners associated with the web application, as defined in its web.xml or equivalent annotations. It gets destroyed only when the application itself shuts down.

The servlet container instantiates a filter and initializes it by calling its init() method, just like with servlets. Since servlet, filter, and listener instances are tied to the context, they also live as long as the web application is up and running.

The filter instance intercepts HTTP requests and inspects the request URI, parameters, and headers. It then decides whether to block the request or forward it to the target controller, servlet, JSP, etc.

The doFilter() method contains the code that implements the filter.
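
The block-or-forward decision described above, as an added example (not code from the original article): a filter that rejects requests to a protected path unless they arrive over HTTPS with an authenticated session, and marks the responses it lets through as non-cacheable. The package, class name, the protectedPrefix init-param and the "user" session attribute are assumptions made for illustration.

```java
package com.example.filter; // hypothetical package

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ProtectedPathFilter implements Filter {
  private String protectedPrefix = "/account/"; // assumed default

  @Override
  public void init(FilterConfig filterConfig) {
    // "protectedPrefix" is a hypothetical init-param set in web.xml.
    String configured = filterConfig.getInitParameter("protectedPrefix");
    if (configured != null && !configured.isEmpty()) {
      protectedPrefix = configured;
    }
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;
    // Use the container-decoded path; the raw request URI can carry encoded
    // characters or ";" path parameters that defeat a prefix comparison.
    String pathInfo = req.getPathInfo();
    String path = req.getServletPath() + (pathInfo == null ? "" : pathInfo);
    if (path.startsWith(protectedPrefix)) {
      // isSecure() reflects the connection the container sees; behind a
      // TLS-terminating proxy the container must be configured to trust it.
      if (!req.isSecure()) {
        res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
        return; // block: chain.doFilter() is never called
      }
      HttpSession session = req.getSession(false); // never create a session here
      if (session == null || session.getAttribute("user") == null) {
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return; // block unauthenticated requests
      }
      res.setHeader("Cache-Control", "no-store"); // alter the response before the target writes it
    }
    chain.doFilter(request, response); // forward to the next filter or the target
  }

  @Override
  public void destroy() { }
}
```

Map the filter to the URL patterns it should guard in web.xml or with the @WebFilter annotation; a request that matches no mapping never passes through it.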

3. Conclusion

To sum up, we have discussed the filters along with an example.