spring-framework / org.springframework.web.filter

Package org.springframework.web.filter



open class CharacterEncodingFilter : OncePerRequestFilter

Servlet Filter that allows one to specify a character encoding for requests. This is useful because current browsers typically do not set a character encoding even if specified in the HTML page or form.

This filter can either apply its encoding if the request does not already specify an encoding, or enforce this filter's encoding in any case ("forceEncoding"="true"). In the latter case, the encoding will also be applied as default response encoding (although this will usually be overridden by a full content type set in the view).


open class CommonsRequestLoggingFilter : AbstractRequestLoggingFilter

Simple request logging filter that writes the request URI (and optionally the query string) to the Commons Log.


open class CompositeFilter : Filter

A generic composite servlet Filter that just delegates its behavior to a chain (list) of user-supplied filters, achieving the functionality of a FilterChain, but conveniently using only Filter instances.

This is useful for filters that require dependency injection, and can therefore be set up in a Spring application context. Typically, this composite would be used in conjunction with DelegatingFilterProxy, so that it can be declared in Spring but applied to a servlet context.


open class CorsFilter : OncePerRequestFilter

javax.servlet.Filter that handles CORS preflight requests and intercepts CORS simple and actual requests thanks to a CorsProcessor implementation (DefaultCorsProcessor by default) in order to add the relevant CORS response headers (like Access-Control-Allow-Origin) using the provided CorsConfigurationSource (for example an UrlBasedCorsConfigurationSource instance.

This is an alternative to Spring MVC Java config and XML namespace CORS configuration, useful for applications depending only on spring-web (not on spring-webmvc) or for security constraints requiring CORS checks to be performed at javax.servlet.Filter level.

This filter could be used in conjunction with DelegatingFilterProxy in order to help with its initialization.


open class DelegatingFilterProxy : GenericFilterBean

Proxy for a standard Servlet Filter, delegating to a Spring-managed bean that implements the Filter interface. Supports a "targetBeanName" filter init-param in web.xml, specifying the name of the target bean in the Spring application context.

web.xml will usually contain a DelegatingFilterProxy definition, with the specified filter-name corresponding to a bean name in Spring's root application context. All calls to the filter proxy will then be delegated to that bean in the Spring context, which is required to implement the standard Servlet Filter interface.

This approach is particularly useful for Filter implementation with complex setup needs, allowing to apply the full Spring bean definition machinery to Filter instances. Alternatively, consider standard Filter setup in combination with looking up service beans from the Spring root application context.

NOTE: The lifecycle methods defined by the Servlet Filter interface will by default not be delegated to the target bean, relying on the Spring application context to manage the lifecycle of that bean. Specifying the "targetFilterLifecycle" filter init-param as "true" will enforce invocation of the Filter.init and Filter.destroy lifecycle methods on the target bean, letting the servlet container manage the filter lifecycle.

As of Spring 3.1, DelegatingFilterProxy has been updated to optionally accept constructor parameters when using Servlet 3.0's instance-based filter registration methods, usually in conjunction with Spring 3.1's org.springframework.web.WebApplicationInitializer SPI. These constructors allow for providing the delegate Filter bean directly, or providing the application context and bean name to fetch, avoiding the need to look up the application context from the ServletContext.

This class was originally inspired by Spring Security's FilterToBeanProxy class, written by Ben Alex.


open class ForwardedHeaderFilter : OncePerRequestFilter

Extract values from "Forwarded" and "X-Forwarded-*" headers in order to wrap and override the following from the request and response: getServerName(), getServerPort(), getScheme(), isSecure(), and sendRedirect(String). In effect the wrapped request and response reflect the client-originated protocol and address.

Note: This filter can also be used in a removeOnly mode where "Forwarded" and "X-Forwarded-*" headers are only eliminated without being used.


open class HiddenHttpMethodFilter : OncePerRequestFilter

javax.servlet.Filter that converts posted method parameters into HTTP methods, retrievable via HttpServletRequest#getMethod(). Since browsers currently only support GET and POST, a common technique - used by the Prototype library, for instance - is to use a normal POST with an additional hidden form field (_method) to pass the "real" HTTP method along. This filter reads that parameter and changes the HttpServletRequestWrapper#getMethod() return value accordingly.

The name of the request parameter defaults to _method, but can be adapted via the methodParam property.

NOTE: This filter needs to run after multipart processing in case of a multipart POST request, due to its inherent need for checking a POST body parameter. So typically, put a Spring org.springframework.web.multipart.support.MultipartFilter before this HiddenHttpMethodFilter in your web.xml filter chain.


open class HttpPutFormContentFilter : OncePerRequestFilter

javax.servlet.Filter that makes form encoded data available through the ServletRequest.getParameter*() family of methods during HTTP PUT or PATCH requests.

The Servlet spec requires form data to be available for HTTP POST but not for HTTP PUT or PATCH requests. This filter intercepts HTTP PUT and PATCH requests where content type is 'application/x-www-form-urlencoded', reads form encoded content from the body of the request, and wraps the ServletRequest in order to make the form data available as request parameters just like it is for HTTP POST requests.


open class RelativeRedirectFilter : OncePerRequestFilter

Overrides HttpServletResponse#sendRedirect(String) and handles it by setting the HTTP status and "Location" headers. This keeps the Servlet container from re-writing relative redirect URLs and instead follows the recommendation in RFC 7231 Section 7.1.2.

Note: While relative redirects are more efficient they may not work with reverse proxies under some configurations.


open class RequestContextFilter : OncePerRequestFilter

Servlet Filter that exposes the request to the current thread, through both org.springframework.context.i18n.LocaleContextHolder and RequestContextHolder. To be registered as filter in web.xml.

Alternatively, Spring's org.springframework.web.context.request.RequestContextListener and Spring's org.springframework.web.servlet.DispatcherServlet also expose the same request context to the current thread.

This filter is mainly for use with third-party servlets, e.g. the JSF FacesServlet. Within Spring's own web support, DispatcherServlet's processing is perfectly sufficient.


open class ServletContextRequestLoggingFilter : AbstractRequestLoggingFilter

Simple request logging filter that writes the request URI (and optionally the query string) to the ServletContext log.


open class ShallowEtagHeaderFilter : OncePerRequestFilter

javax.servlet.Filter that generates an ETag value based on the content on the response. This ETag is compared to the If-None-Match header of the request. If these headers are equal, the response content is not sent, but rather a 304 "Not Modified" status instead.

Since the ETag is based on the response content, the response (e.g. a org.springframework.web.servlet.View) is still rendered. As such, this filter only saves bandwidth, not server performance.

NOTE: As of Spring Framework 5.0, this filter uses request/response decorators built on the Servlet 3.1 API.