How to modify HttpServletResponse with Spring Security integration ?

[deepak.marur]

I have implemented Spring Security 3.1 on top of Spring MVC 3.1.3 with the UI developed with Dojo 1.4. The application has few controllers which handle binary files uploaded through dojo.io.iframe.send. The controller sends a json response which has to be surrounded with

HTML Code:

<html><body><textarea>{my json response}</textarea></body></html>

To to this, I've implemented a custom filter and placed it after Spring Security's filter chain in web.xml:

Code:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <async-supported>true</async-supported>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>dojoIframeFilter</filter-name>
    <filter-class>com.app.web.MultipartAjaxFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>dojoIframeFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The filter's doFilter has this behaviour taken from: http://www.oracle.com/technetwork/ja...rs-137243.html

Code:

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {

    if (request.getContentType() != null
            && request.getContentType().contains("multipart/form-data")) {
        CharResponseWrapper wrapper = new CharResponseWrapper((HttpServletResponse) response);

        chain.doFilter(request, wrapper);
        log.info(wrapper.toString());
        //Modify response here to add html tags
    } 
    else {
        chain.doFilter(request, response);
    }
}

The wrapper's output is empty. I've also tried many other combinations such as placing the custom filter for spring's dispatcher servlet, doing away with the if block inside doFilter none of which works. I also tried writing a Spring interceptor which also failed.

What is the right way to modify the response sent from controller with spring security in place ?

[Rob Winch]

Does modification work when you do not have Spring Security in place? For example, what happens if you remove the reference to the filter-mapping of the springSecurityFilterChain from your web.xml

[deepak.marur]

@Rob, thanks for the pointer. I'll have to rewrite certain parts after disabling spring security, since the app was developed ground up with spring security in mind. Will do that and get back.

UPDATE: I disabled spring security and tested response modification with plain spring mvc + servlet filter, but the response wrapper was still empty. Now that spring security is disabled, how do I go about fixing this behaviour ? Please suggest.

[deepak.marur]

Friends, we need to subclass ServletOutputStream also in addition to in order to successfully modify the ServletResponse. The solution was detailed at http://docstore.mik.ua/orelly/xml/jxslt/ch08_04.htm. It works with spring security in place and I've placed the custom filter before springSecurityFilterChain.