Filter chain in URLrewrite filter

Question

I'm using Tuckey's URL rewrite filter combined with a Home grown security filter.

• The URL rewrite filter is mapped over /*
• The security filter is mapped over '/*'

Also, the URL rewrite filter has the following rule:

<rule>
    <name>User</name>
    <from>^/user/$</from>
    <to>/user.do</to>
</rule>

For a request like: myapp/user/ I am expecting this flow:

1. Mapped by the URL rewrite filter. The request URL (or Servlet path) becomes user.do
2. Mapped by the security filter. Validation and maybe Redirect
3. Reach the controller mapped over user.do

However, somehow the second step is jumped whenever Tuckey's URL Rewrite applies a rule. This leads to really unpleasant behaviour like accessing secured pages without the proper authentication.

Is there something I missed? Should I expect another behaviour?

Answer 1

This happens because normally the urlrewritefilter doesn't redirect the url. It's just internally forwarding it. Try adding type="redirect" as an attribute and your security filter will catch the redirected request.

<rule>
    <name>User</name>
    <from>^/user/$</from>
    <to type="redirect">/user.do</to>
</rule>

That worked for me before.

Answer 2

If you do type="redirect" the client will be issued a 302 "temporary redirect" status that will eventually redirect the browser to the new url.

If you want the user to still see the old " from " url in the browser's address line, try adding these to your "security" filter:

    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>