
Java servlet redirecting using filters

I have the following question:

I have a index.html page with a login form:

<html>
    <head>
        <title>TODO supply a title</title>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <link href="css/css.css" type="text/css" rel="stylesheet"/>
    </head>
    <body>
        <nav>
            <form action="">
                <label for="username">User: </label><input name ="username" type="text">
                <label for="password">Password: </label><input name ="password" type="password">
                <input type="submit" value="Vai">
            </form>
        </nav>

        <section id ="page">

        </section>
    </body>
</html>

I have created a filter called f2 that should check if the username is "admin" and if so redirect the user to the page payroll/private/stipendi.html or if not to the page payroll/public/dipendenti.html.

This is the hierarchy of my project (made with netbeans 8.02):

[Image: hierarchy]

Here is my web.xml file:

<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
    <filter>
        <filter-name>f2</filter-name>
        <filter-class>f2</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>f2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
</web-app>

And here's the f2 filter:

public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain)
            throws IOException, ServletException {

        if (debug) {
            log("f2:doFilter()");
        }

        doBeforeProcessing(request, response);
        HttpServletRequest req = (HttpServletRequest) request;
        if(req.getSession().getAttribute("username") == null)
            System.out.println("Attributo username = NULL");
        if(!req.getParameter("username").equals("admin")){
            System.out.println("Username is not ADMIN");
            req.getRequestDispatcher("/payroll/public/dipendenti.html").forward(request, response);
        }
        else{
            System.out.println("Username is ADMIN");
            req.getRequestDispatcher("/payroll/private/stipendi.html").forward(request, response);
        }
        Throwable problem = null;
        try {
            chain.doFilter(request, response); return;
        } catch (Throwable t) {
        // If an exception is thrown somewhere down the filter chain,
            // we still want to execute our after processing, and then
            // rethrow the problem after that.
            problem = t;
            t.printStackTrace();
        }

        doAfterProcessing(request, response);

    // If there was a problem, we want to rethrow it if it is
        // a known type, otherwise log it.
        if (problem != null) {
            if (problem instanceof ServletException) {
                throw (ServletException) problem;
            }
            if (problem instanceof IOException) {
                throw (IOException) problem;
            }
            sendProcessingError(problem, response);
        }
    }

I have realized some things:

I have an infinite loop because my filter f2 has the url-pattern = /* so it catches every request, elaborates it, sends it and then re-catches the same request just sent. Over and over again.

This means I have to change my url-pattern to something else. But what? What if I create a servlet called... let's say myRedirectServlet.java, then in index.html: action = "myRedirectServlet" or just action = "/payroll/" without creating any servlet? I do apologize but I'm pretty confused.

Please help me

What you are doing is not in the interest of security. You should utilize the concept of principals - but let's save this for another day.

  1. Your form action in HTML is missing - so when you hit submit the browser will try to redirect to the same HTML page.
  2. Assuming that is well thought of by you - change the filter mapping to map ONLY to that one HTML page.
  3. Inside the filter - if the user id is EMPTY - just doChain (DON'T redirect), if the user id is admin redirect as necessary, since your filter is specific now - you will not get into your infinite loop.
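
The three steps of the answer above written out as a filter. This is an added example, not code from the original post: the class name LoginRoutingFilter, the use of @WebFilter in place of the web.xml mapping, and the form being served at /index.html are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical replacement for f2 (name is an assumption). Step 2: mapped to the
// login page only, the same as <url-pattern>/index.html</url-pattern> in web.xml.
@WebFilter(urlPatterns = "/index.html")
public class LoginRoutingFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Step 1: the form has no action, so it submits back to /index.html
        // and the parameter arrives on the same URL this filter is mapped to.
        String username = req.getParameter("username");

        // Step 3: no user id yet (first visit, or empty field): continue the
        // chain so index.html is served, and do not redirect.
        if (username == null || username.trim().isEmpty()) {
            chain.doFilter(request, response);
            return;
        }

        // "admin".equals(username) cannot throw on a missing value,
        // unlike req.getParameter("username").equals("admin").
        String target = "admin".equals(username)
                ? "/payroll/private/stipendi.html"
                : "/payroll/public/dipendenti.html";

        // The targets are outside this filter's mapping, so the follow-up
        // request is not intercepted again. The chain is not called after this.
        res.sendRedirect(req.getContextPath() + target);
    }

    @Override
    public void destroy() { }
}
```

The filter only routes on a client-supplied parameter; /payroll/private/ stays reachable by direct URL, so access control still has to come from container authentication (`getUserPrincipal()`, `isUserInRole()`), which is where the principals mentioned in the answer come in.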
