

Form-based authentication Filter, within a Servlet Container
package com.surdoc.enterprisecloud.web;
import java.io.IOException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/**
 * features :
 * <ul>
 * <li> redirect to the previous page after a successful login
 * <li> failed login indication (?fail)
 * <li> response 401 for unauthenticated access
 * <li> response with an html meta refresh to the login page after the 401
 * </ul>
 * @author liulijie
 */
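public class DeadSimpleAuthFilter implements Filter {

    /**
     * Fallback credentials, used only when the {@code username} / {@code password}
     * filter init-params are not configured. They exist for backward compatibility
     * with the original hard-coded pair; a deployment should always set the init-params.
     */
    private static final String DEFAULT_USERNAME = "admin";
    private static final String DEFAULT_PASSWORD = "admin";

    private String loginurl;   // POST target: <contextPath>/login
    private String loginpage;  // login form:  <contextPath>/login.html
    private String expectedUsername;
    private String expectedPassword;

    /**
     * Resolves the login endpoint and login page from the context path and reads the
     * expected credentials from the filter init-params, falling back to the defaults.
     *
     * @param filterConfig the container-supplied configuration
     * @throws ServletException never thrown here; kept for the {@link Filter} contract
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String contextPath = filterConfig.getServletContext().getContextPath();
        loginurl = contextPath + "/login";
        loginpage = contextPath + "/login.html";

        String configuredUser = filterConfig.getInitParameter("username");
        String configuredPass = filterConfig.getInitParameter("password");
        expectedUsername = configuredUser != null ? configuredUser : DEFAULT_USERNAME;
        expectedPassword = configuredPass != null ? configuredPass : DEFAULT_PASSWORD;
    }

    /**
     * Lets authenticated sessions and static resources through, handles the login POST,
     * and answers everything else with 401 plus a meta refresh to the login page.
     *
     * @param request  the incoming request (expected to be an {@link HttpServletRequest})
     * @param response the outgoing response (expected to be an {@link HttpServletResponse})
     * @param chain    the remaining filter chain
     * @throws IOException      if writing the response fails
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Look the session up without creating one: unauthenticated and static-asset
        // requests should not allocate server-side session state.
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute("user") != null) {
            chain.doFilter(request, response);
            return;
        }

        String method = req.getMethod();
        String path = req.getRequestURI();

        // Static resources (the login page itself among them) are public.
        if (path.endsWith(".html") || path.endsWith(".css") || path.endsWith(".js")) {
            chain.doFilter(request, response);
            return;
        }

        if ("POST".equalsIgnoreCase(method) && loginurl.equals(path)) {
            handleLogin(req, resp);
            return;
        }

        sendUnauthorized(req, resp, method);
    }

    /** Checks the submitted credentials and redirects to the validated {@code next} target or back to the form. */
    private void handleLogin(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        // null when absent, undecodable, or not a local path (open-redirect guard)
        String next = safeNext(req.getParameter("next"));

        if (credentialsMatch(username, password)) {
            // Session-fixation defence: never promote a session id that existed before login.
            HttpSession preLogin = req.getSession(false);
            if (preLogin != null) {
                preLogin.invalidate();
            }
            req.getSession(true).setAttribute("user", username);
            resp.sendRedirect(next == null ? "/" : next);
            return;
        }

        // Failed login: back to the form. The next target is sent once-encoded, which is the
        // form the login page's script copies into its hidden field, so it survives the round trip.
        String target = loginpage + "?fail";
        if (next != null) {
            target += "&next=" + URLEncoder.encode(next, "UTF-8");
        }
        resp.sendRedirect(target);
    }

    /**
     * Compares both credentials in constant time so response timing does not reveal
     * how much of a username or password matched. Both checks always run (no short-circuit).
     */
    private boolean credentialsMatch(String username, String password) {
        if (username == null || password == null) {
            return false;
        }
        boolean userOk = MessageDigest.isEqual(
                username.getBytes(StandardCharsets.UTF_8),
                expectedUsername.getBytes(StandardCharsets.UTF_8));
        boolean passOk = MessageDigest.isEqual(
                password.getBytes(StandardCharsets.UTF_8),
                expectedPassword.getBytes(StandardCharsets.UTF_8));
        return userOk & passOk;
    }

    /**
     * Decodes the {@code next} parameter and accepts it only as a local absolute path:
     * it must start with "/" but not "//" or "/\" (protocol-relative forms), and must not
     * contain control characters. Anything else yields {@code null} so the caller falls
     * back to "/" instead of redirecting off-site.
     *
     * @param rawNext the once-URL-encoded value as received in the request parameter
     * @return the decoded local path, or {@code null} when absent or rejected
     * @throws IOException if the UTF-8 decoder is unavailable (never on a standard JVM)
     */
    static String safeNext(String rawNext) throws IOException {
        if (rawNext == null || rawNext.isEmpty()) {
            return null;
        }
        String decoded;
        try {
            decoded = URLDecoder.decode(rawNext, "UTF-8");
        } catch (IllegalArgumentException malformedEscape) {
            return null;
        }
        if (!decoded.startsWith("/") || decoded.startsWith("//") || decoded.startsWith("/\\")) {
            return null;
        }
        for (int i = 0; i < decoded.length(); i++) {
            if (decoded.charAt(i) < 0x20) {
                return null;
            }
        }
        return decoded;
    }

    /**
     * Answers 401 with an HTML meta refresh to the login page. Form auth cannot use
     * {@code WWW-Authenticate}, and a 401 cannot carry a Location redirect (browsers
     * ignore it), hence the meta refresh. For GET requests the current URI and query
     * string are passed along as {@code next} so the user returns there after login.
     */
    private void sendUnauthorized(HttpServletRequest req, HttpServletResponse resp, String method)
            throws IOException {
        String loc = loginpage;
        if ("GET".equalsIgnoreCase(method)) {
            String target = req.getRequestURI();
            if (req.getQueryString() != null) {
                target += "?" + req.getQueryString();
            }
            // The only request-derived part of loc is URL-encoded, so it cannot break out
            // of the single-quoted attribute below.
            loc += "?next=" + URLEncoder.encode(target, "UTF-8");
        }
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().write(String.format(
                "<html><head><meta http-equiv='refresh' content='0;url=%s'></head></html>", loc));
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }
}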
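<!DOCTYPE html>
<html lang="en">
<head>
  <!-- charset is declared before the title so the non-ASCII title and labels decode correctly -->
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <meta name="renderer" content="webkit">
  <title>云盘后台 登录</title>
  <style>
    .login-panel {
      width: 300px;
      margin: 20% auto;
    }
    .login-panel label {
      width: 50px;
      display: inline-block;
      margin-top: 5px;
    }
  </style>
</head>
<body>
<div class="login-panel">
  <form action="login" method="POST">
    <label for="id_username">用户名</label> <input type="text" name="username" id="id_username"/>
    <label for="id_password">密码</label> <input type="password" name="password" id="id_password"/>
    <!-- return target taken from ?next=...; still URL-encoded here, the filter decodes it server-side -->
    <input type="hidden" name="next" id="id_next"/>
    <input type="submit" value="登录"/>
  </form>
</div>
<script type="text/javascript">
  // Copy the raw ?next= value into the hidden field without decoding, so the server receives it once-encoded.
  var results = new RegExp('[\\?&]next=([^&#]*)').exec(window.location.href);
  if (results && results[1]) {
    document.getElementById("id_next").value = results[1];
  }
</script>
</body>
</html>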