OncePerRequestFilter unable to set error code different than 404

Question

I have a Spring application (not using Spring boot) deployed to tomcat

I'm trying to return error 401 (HttpServletResponse.SC_UNAUTHORIZED) on specific URLs in given condition using OncePerRequestFilter ,

But I keep getting Not found error:

Response code: 404

My Filter(removed conditions):

@Component
public class MyFilter extends OncePerRequestFilter {

    private static final Logger logger = Logger.getLogger(MyFilter.class);
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {

            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not autorized");           
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            try {
                PrintWriter out = response.getWriter();
                out.write(""); // Empty
                out.flush();
            } catch (IOException e) {
                logger.error("error filtering", e);
            }
            return; // stop chain
    }    
}

I tried using similar code to previous similar answer

I believe you can response.sendError inside do Filter method.

EDIT

If I just throw an exception instead I get a generic error code 500

Response code: 500

EDIT 2

I'm adding filter inside onStartup method overriden WebApplicationInitializer's

FilterRegistration myFilter = servletContext.addFilter("myFilter ", MyFilter.class);
myFilter.addMappingForUrlPatterns(null, false, "/myservlet/myendpoint/*");

EDIT 3

Also my filter in @Componenet and its package include in component scan

@ComponentScan(basePackages = { "my.parent.pacakge"})

According to the javadoc, you shouldn't attempt to write to the response after calling `sendError` : https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html#sendError%28int,%20java.lang.String%29. — Arnaud, Apr 01 '19 at 14:07
@Arnaud what's the right way? I tried using code from similar answer https://stackoverflow.com/questions/44040703/spring-how-to-make-a-filter-throw-a-custom-exception — Ori Marko, Apr 01 '19 at 14:08

Mukul Bansal · Accepted Answer · 2019-05-27T11:26:33.943

1

I tried your code and it works. Different error codes were getting successfully returned. Although, I wanna point out a couple of things-

The method sendError() sends the response to the client and also clears the response buffer. So, anything you write after it into the response after that is of no use.
Calling setStatus() is of no use either. The HTTP response and HTTP response code has already been sent to the client in the above line when you called sendError().

Now, this is my hypothesis why your code is not working for you, but it is for me-

The reason that you might be getting HTTP 404 is that your API is not present. This can be due to a spelling error or maybe due to a simple ignorance like calling your API named /foo/bar like /foo/bar/ i.e. with extra trailing forward slash. I believe that your filter is getting executed successfully and you must be doing something useful there, not the sample code of sendError() that you have explained in the question.

Also, when you throw an Exception in your filter, the control does not reach to the API and API lookup does not happen. Hence, the default HTTP 500 response is sent to the client due to the unhandled exception instead of HTTP 404.

edited May 27 '19 at 11:26

answered May 27 '19 at 09:19

Mukul Bansal

878
8
10

Actually I verified the filter is executed, but as you mention I need to remove `sendError()` can you explain why it works as my answer ? https://stackoverflow.com/questions/55456982/onceperrequestfilter-unable-to-set-error-code-different-than-404/56268995#56268995 – Ori Marko May 27 '19 at 10:06
@user7294900 sendError() method sends the response to the client with the HTTP Status code provided in its arguments. When we use sendError(), the lines written below it i.e. setStatus() have no effect. Although, when you do not use sendError() and use setStatus() instead, the HTTP status provided in the arguments of setStatus() method are obeyed and it works. In short, use either setStatus() or sendError(). – Mukul Bansal May 27 '19 at 10:12
Can you explain in detail, what exactly puzzles you? Be descriptive. – Mukul Bansal May 27 '19 at 10:44
Your answer isn't clear. You say it's working and also it shouldn't work because 2 issues, so how it works in your environment when you don't expect it to return 401? – Ori Marko May 27 '19 at 10:55
The code works. IT ABSOLUTELY WORKS. I have just suggested improvisations in the code with an explanation. I am editing the confusing words. Also, I gave my hypothesis why the code might not be working for you but it is for me and other users. – Mukul Bansal May 27 '19 at 11:25

Ori Marko · Answer 2 · 2019-05-23T06:25:44.790

0

It return 401 as expected only if setStatus is executed after out.write

PrintWriter out = response.getWriter();
out.write("");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

edited May 23 '19 at 06:25

answered May 23 '19 at 06:11

Ori Marko

56,308
23
131
233

OncePerRequestFilter unable to set error code different than 404

2 Answers2

Linked