2

I am trying to understand Spring Security, which involves method security and URL-based security. URL-based security is completely based on Servlet Filters. There are some scenarios where Spring Security deals with exceptions thrown by the filter chain to do its work.

I know how filters are executed by the Servlet Container, but I am particularly interested in how filterChain handles exceptions thrown by the doFilter method in the filter chain.

BalusC
optional
  • How exactly is your concrete question related to Spring Security? – BalusC Mar 02 '16 at 08:34
  • I am just curious how `ExceptionTranslationFilter` and `SecurityFilterInterceptor` work when `AuthenticationFailureException` is thrown by `SecurityFilterInterceptor` in the Spring Security filter chain – optional Mar 02 '16 at 08:59
  • Well, `FilterChain` doesn't handle exceptions. It doesn't have any internal `try-catch` blocks. It just lets them go. I only have a hard time in understanding why exactly you would expect otherwise. – BalusC Mar 02 '16 at 09:04
  • Yes, I know, but the Spring Security docs say `ExceptionTranslationFilter` handles the exception by wrapping the filterChain in a try-catch block. Maybe what that means is: if I have three filters `Filter1,Filter2,Filter3` and I wrap the filter chain in a try-catch block in `Filter2`, then an exception thrown in `Filter3` will be caught in `Filter2`, am I right? – optional Mar 02 '16 at 09:10
  • If they are invoked in this sequence, yes. You can easily confirm it for yourself by creating a small testcase and observing it. I only still don't understand the rationale behind the question. – BalusC Mar 02 '16 at 09:13
  • **If they are invoked in this sequence, yes**, is the reply what I am looking for. Thanks – optional Mar 02 '16 at 09:17

2 Answers

6

> I am particularly interested in how filterChain handles exceptions thrown by doFilter method in filter chain.

It does nothing with them. In other words, it just lets them go and bubble up. They'll eventually end up in servletcontainer's builtin exception handler which already knows how to deal with them based on `<error-page>` configuration in `web.xml`.

You can however control it yourself by placing `FilterChain#doFilter()` call in a `try-catch` block like so:

```java
try {
    chain.doFilter(request, response);
} catch (ServletException e) {
    Throwable cause = e.getRootCause();
    // ... (handle it)
}
```

If anything else down the chain (filter, servlet, jsp, etc) throws an uncaught exception, it'll end up there.

BalusC
  • Exactly what I am looking for -Thanks – optional Mar 02 '16 at 09:23
  • The line **it just lets them go and bubble up. They'll eventually end up in servletcontainer's builtin exception handler** made me crystal clear about all filters in SpringSecurity Filter chain – optional Mar 02 '16 at 09:27
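
The `Filter1`/`Filter2`/`Filter3` case from the comments, as an added example that is not part of the original answers. It is a plain-Java model: `Chain` and `Filter` are simplified stand-ins (assumed names) for the servlet API's `FilterChain` and `Filter`, and the chain itself contains no try-catch, so only the wrapper in `Filter2` stops the exception thrown by `Filter3`.

```java
import java.util.ArrayList;
import java.util.List;

public class FilterChainDemo {
    // Simplified stand-ins for the servlet API's FilterChain / Filter (assumed, not the real types).
    interface Chain { void doFilter(StringBuilder response) throws Exception; }
    interface Filter { void doFilter(StringBuilder response, Chain chain) throws Exception; }

    static final List<String> log = new ArrayList<>();

    // Like a container's chain: it only invokes the next filter and has no try-catch of its own,
    // so anything thrown further down propagates back through every caller on the stack.
    static Chain chainOf(List<Filter> filters, int index) {
        return response -> {
            if (index < filters.size()) {
                filters.get(index).doFilter(response, chainOf(filters, index + 1));
            }
        };
    }

    static String run() throws Exception {
        Filter filter1 = (res, chain) -> {
            log.add("Filter1 before");
            chain.doFilter(res);
            log.add("Filter1 after"); // still runs, because Filter2 handled the exception
        };
        Filter filter2 = (res, chain) -> {
            try {
                chain.doFilter(res); // Filter3 executes inside this call
            } catch (IllegalStateException e) {
                log.add("Filter2 caught: " + e.getMessage());
                res.append("403 Forbidden"); // translate the exception into a response
            }
        };
        Filter filter3 = (res, chain) -> {
            throw new IllegalStateException("access denied"); // constructed failure
        };
        StringBuilder response = new StringBuilder();
        chainOf(List.of(filter1, filter2, filter3), 0).doFilter(response);
        return response.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(run());
        log.forEach(System.out::println);
    }
}
```

If the try-catch is moved from `filter2` to `filter3`'s position in the list, or removed, the exception leaves `run()` unhandled, which corresponds to the container's own error handling taking over.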
0

I don't think you are able to return anything meaningful in an errorMessage in the HttpServletResponse stream when trying/catching the doFilter method like that, unless you specifically intercept the HttpServletResponse stream and call something like sendError. And that has to be done even before the call to doFilter.

> I am particularly interested in how filterChain handles exceptions thrown by doFilter method in filter chain.

But I am interested in knowing how to send a meaningful response back into the stream when the exception happens within the filterChain. Because even if there is no Exception, how would you go about handling the success response if you have already called a method like sendError before the doFilter (?)