Documentation says org.springframework.web.filter.OncePerRequestFilter "guarantees to be just executed once per request". Under what circumstances a Filter may possibly be executed more than once per request?
5 Answers
Under what circumstances a Filter may possibly be executed more than once per request?
You could have the filter on the filter chain more than once.
The request could be dispatched to a different (or the same) servlet using the request dispatcher.
A common use-case is in Spring Security, where authentication and access control functionality is typically implemented as filters that sit in front of the main application servlets. When a request is dispatched using a request dispatcher, it has to go through the filter chain again (or possibly a different one) before it gets to the servlet that is going to deal with it. The problem is that some of the security filter actions should only be performed once for a request. Hence the need for this filter.

- Very good explanation. One thing, if there is no request dispatch or forward or redirect etc., in the normal case, a filter will otherwise be executed once, right, if it is not configured more than once on the filter chain etc. – samshers Nov 26 '20 at 10:04
To understand the role of OncePerRequestFilter, we need to first clearly understand how a normal filter behaves. When you want some specific code to execute just before or after servlet execution, you create a filter which works as:
code1 ===> servlet execution (using chain.doFilter()) ===> code2
So code1 executes before the servlet and code2 after servlet execution. But here, during servlet execution, there can be some other request to a different servlet, and that different servlet also has this same filter. In this case, this filter will execute again.
OncePerRequestFilter prevents this behavior. For our one request, this filter will execute exactly one time (no more, no less). This behavior is very useful while working with security authentication.

- Can you elaborate why this is "very useful while working with security authentication" please? – Hilikus May 03 '19 at 19:04
- Yes @Hilikus, think about a general security authentication in your project. We expect that as soon as a request hits your project, you should authorize and authenticate it once. Then, if everything seems fine, this request can be allowed to hit your APIs. OncePerRequestFilter makes sure that this authentication process happens only once. If we don't use this, whenever we internally make a request to some other API in our project, the same authentication will happen again, as all our APIs have the same security filter. – Arman May 05 '19 at 02:53
- @Arman By "whenever we internally make a request to some other API in our project" you mean whenever we dispatch/forward the request to another URL having this same filter and not just by calling that class method directly. Right? – Tarun Kumar Jun 13 '19 at 14:40
- `this request can be allowed to hit your APIs.` @arman, can you quote any examples of why we will call another API from one API call? When a request is received by a servlet we may call other layers like service/dao etc., but that's a Java call. If you elaborate your answer or comment it will be much easier to understand. – samshers Nov 26 '20 at 09:30
A special kind of GenericFilterBean was introduced to live in a Servlet 3.0 environment. This version added the possibility to treat requests in separate threads. To avoid multiple filter executions in this case, the Spring Web project defines a special kind of filter, OncePerRequestFilter. It directly extends GenericFilterBean and, like this class, is located in the org.springframework.web.filter package. OncePerRequestFilter defines the doFilter method. Inside, it checks if the given filter was already applied by looking for the "${className}.FILTER" attribute corresponding to true in the request's parameters. In addition, it defines an abstract doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) method. Its implementations will contain the code to execute by the given filter if the filter hasn't been applied.

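The answers above describe a forward re-entering the filter chain and a per-request marker that stops the filter body from running twice. The following plain-JDK simulation is an added example, not code from any of the posters or from Spring: `Request`, `Chain`, `Filter`, the two filter classes, the marker name and the `/login` to `/home` forward are all constructed stand-ins, and it assumes the filter is mapped for forward dispatches.

```java
import java.util.HashMap;
import java.util.Map;

public class OncePerRequestDemo {
    // Constructed stand-ins for the servlet API; the same Request object survives a forward.
    static class Request { final Map<String, Object> attributes = new HashMap<>(); String path; }
    interface Chain { void proceed(Request req); }
    interface Filter { void doFilter(Request req, Chain chain); }

    // Ordinary filter: its body runs on every pass through the chain.
    static class PlainAuthFilter implements Filter {
        int authentications = 0;
        public void doFilter(Request req, Chain chain) {
            authentications++;                       // stands for token parsing plus a user lookup
            chain.proceed(req);
        }
    }

    // Guarded filter: a request attribute marks "already applied to this request".
    static class OnceAuthFilter implements Filter {
        static final String MARKER = OnceAuthFilter.class.getName() + ".FILTERED"; // constructed name
        int authentications = 0;
        public void doFilter(Request req, Chain chain) {
            if (req.attributes.get(MARKER) != null) { // nested dispatch: skip the body, keep going
                chain.proceed(req);
                return;
            }
            req.attributes.put(MARKER, Boolean.TRUE);
            try {
                authentications++;
                chain.proceed(req);
            } finally {
                req.attributes.remove(MARKER);       // outermost invocation cleans up
            }
        }
    }

    // Simulated container: run the filter, then the "servlet"; /login forwards to /home.
    static void dispatch(Request req, String path, Filter filter) {
        req.path = path;
        filter.doFilter(req, r -> {
            if (r.path.equals("/login")) dispatch(r, "/home", filter);
        });
    }

    public static void main(String[] args) {
        PlainAuthFilter plain = new PlainAuthFilter();
        OnceAuthFilter once = new OnceAuthFilter();
        dispatch(new Request(), "/login", plain);
        dispatch(new Request(), "/login", once);
        System.out.println("plain filter authenticated " + plain.authentications + " times");
        System.out.println("guarded filter authenticated " + once.authentications + " times");
    }
}
```

Because the marker lives on the request rather than on the filter instance, concurrent requests through the same filter object do not interfere with each other.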
Under what circumstances a Filter may possibly be executed more than once per request?
A filter may be invoked as part of REQUEST or ASYNC dispatches that occur in separate threads. We should use OncePerRequestFilter since we are doing a database call to retrieve the principal or the authenticated user; there is no point in doing this more than once. After that, we set the principal to the security context.

```java
// Resolve the authenticated user from the token (this is where the database call happens)
Authentication auth = jwtTokenProvider.getAuthentication(token);
// Store the result so the rest of the request sees the authenticated principal
SecurityContextHolder.getContext().setAuthentication(auth);
```

where jwtTokenProvider is your service for getting authentication from the JWT token.

OncePerRequestFilter implements logic to make sure that the filter’s doFilter() method is executed only one time per request.
