Filter mapped on forward dispatcher isn't invo

2020-03-26 12:03发布


I'm trying to code a simple JSF web application with a login system using Tomcat 7.

I have got two pages: index.xhtml and /restricted/welcome.xhtml.

Pages below "/restricted/*" shall be only accessible to users logged in.

Surfing directly to the welcome.xhtml causes my filter to be executed, forwarding from index.xhtml to welcome.xhtml bypasses the filter. I can't imagine why the filter is not executed.

@WebFilter(value = { "/restricted/*" }, dispatcherTypes = { DispatcherType.FORWARD, DispatcherType.REQUEST, DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.INCLUDE })
public class RestrictedAreaFilter implements Filter {

public void destroy() {


public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpReq = (HttpServletRequest) request;
    User user = (User) httpReq.getSession().getAttribute("user");

    if (user != null && user.isLoggedIn()) {
        chain.doFilter(request, response);
    } else {
        httpReq.getRequestDispatcher("/access_denied.xhtml").forward(request, response);

public void init(FilterConfig arg0) throws ServletException {


<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
<html xmlns=""
<h:form id="form">
    <h:panelGrid id="grid" columns="2">
        <h:outputLabel value="Benutzername" for="username" />
        <h:inputText id="username" value="#{login.username}" />
        <h:outputLabel value="Passwort:" for="password" />
        <h:inputSecret id="password" value="#{login.password}">
            <f:validateLength minimum="4" maximum="16" />
        <h:message style="color: red" for="password" />

    <h:commandButton id="login" value="Login" action="#{login.proceed}" />
@ManagedBean(name = "login")
public class LoginBean {

@ManagedProperty(value = "#{user}")
private User user;

private String username;
private String password;

public void setUser(User user) {
    this.user = user;

public String getUsername() {
    return username;

public void setUsername(String username) {
    this.username = username;

public String getPassword() {
    return password;

public void setPassword(String password) {
    this.password = password;

public String proceed() {

    return "restricted/welcome.xhtml";


The FORWARD dispatcher is only triggered when RequestDispatcher#forward() is been invoked somewhere in the webapp's code. The standard JSF navigation handler doesn't do that. It just invokes ViewHandler#createView() and sets it as current view by FacesContext#setViewRoot().

Send a redirect instead:

public String proceed() {

    return "restricted/welcome.xhtml?faces-redirect=true";

This is by the way also the recommended practice. Now it's a bookmarkable page (the URL change is now reflected in browser's address bar) and refreshing/F5'ing the page won't result in the POST unnecessarily being re-executed and pressing back button won't result in surprises.

If you really insist in invoking the FORWARD dispatcher using JSF, you can always use ExternalContext#dispatch() method, but this is not the recommended way.

public void proceed() throws IOException {