Tomcat ServletFilter to reject request based on query parameter

This is useful if you run a web application developed by someone else and want to restrict certain features, but do not have access to the source code.

This article gives the source code for a servlet filter that rejects every request containing a specific query parameter, which you specify in the web.xml file.

The example works with Apache Tomcat 7.

First we need a JSP file in the application, so we can see it work:

default.jsp

<?xml version="1.0" encoding="ISO-8859-1" ?>  
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0">  
    <jsp:directive.page contentType="text/html; charset=ISO-8859-1" 
        pageEncoding="ISO-8859-1" session="false"/>
    <jsp:output doctype-root-element="html"
        doctype-public="-//W3C//DTD XHTML 1.0 Transitional//EN"
        doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
        omit-xml-declaration="true" />
<html xmlns="http://www.w3.org/1999/xhtml">  
<head>  
<title>Default</title>  
</head>  
<body>  
    <p>You came through</p>
</body>  
</html>  
</jsp:root>  

The filter has to be declared in the web.xml file. Note how the init-param element names the unwanted query parameter, and how the filter-mapping applies the filter to every *.jsp request.

web.xml

<?xml version="1.0" encoding="UTF-8"?>  
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">  
  <display-name>RequestFilterExample</display-name>
  <welcome-file-list>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  <filter>
      <filter-name>PDF Filter</filter-name>
      <filter-class>com.fourthex.web.QueryParamFilter</filter-class>
      <init-param>
          <param-name>query-parameter</param-name>
          <param-value>pdf</param-value>
      </init-param>
  </filter>
  <filter-mapping>
      <filter-name>PDF Filter</filter-name>
      <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
</web-app>  

Here is the filter code. The init method picks up the query-parameter value from the web.xml file.

In the doFilter method, the request's parameter names are compared one by one, ignoring case, with the query-parameter value. If a match is found, the filter sends HTTP error code 403 in the response using the sendError method of the HttpServletResponse class and does not pass the request on. The HttpServletResponse.SC_FORBIDDEN value is 403.

QueryParamFilter.java

package com.fourthex.web;

import java.io.IOException;  
import java.util.Collections;  
import java.util.List;

import javax.servlet.Filter;  
import javax.servlet.FilterChain;  
import javax.servlet.FilterConfig;  
import javax.servlet.ServletException;  
import javax.servlet.ServletRequest;  
import javax.servlet.ServletResponse;  
import javax.servlet.http.HttpServletResponse;

public class QueryParamFilter implements Filter {

    private String queryParameter;

    public QueryParamFilter() {
    }

    public void destroy() {
    }

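    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse)response;
        // getParameterNames() returns every request parameter name the container parsed.
        List<String> parameters = Collections.list(request.getParameterNames());
        for(String parameter: parameters) {
            // Compare parameter names (not values), ignoring case.
            if(parameter.equalsIgnoreCase(this.queryParameter)) {
                // Reject with 403 and stop: the request never reaches the application.
                httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN
                        , String.format("Does not allow query parameter: %s", this.queryParameter));
                return;
            }
        }
        // No match: hand the request on to the next filter or the target resource.
        chain.doFilter(request, response);
    }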

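    public void init(FilterConfig config) throws ServletException {
        // Read the blocked parameter name from the init-param in web.xml.
        this.queryParameter = config.getInitParameter("query-parameter");
        // Without a value the filter would silently let every request through.
        if (this.queryParameter == null || this.queryParameter.trim().isEmpty()) {
            throw new ServletException("Filter init-param 'query-parameter' is missing or empty");
        }
    }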

}

Here are a few screenshots of the filter in action:

[Screenshot: Filter rejecting]

[Screenshot: Filter not rejecting]
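
A way to check the filter without starting Tomcat, as an added example that is not part of the original article: it feeds the page's QueryParamFilter stubbed servlet objects and asserts the behaviour described above. QueryParamFilterCheck, stub and statusFor are hypothetical names; it assumes Java 8 or later, with the servlet API jar and the compiled QueryParamFilter on the classpath.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Collections;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fourthex.web.QueryParamFilter;

// Added example (hypothetical class): runs the page's QueryParamFilter against stubs, no Tomcat needed.
public class QueryParamFilterCheck {
    static final int PASSED = 0; // constructed marker: the request reached the FilterChain

    // Stub a servlet interface; only the methods the filter calls are answered.
    @SuppressWarnings("unchecked")
    static <T> T stub(Class<T> type, InvocationHandler handler) {
        return (T) Proxy.newProxyInstance(type.getClassLoader(), new Class<?>[] { type }, handler);
    }

    // Returns the status given to sendError, or PASSED if the chain was invoked.
    static int statusFor(String blocked, String... names) throws Exception {
        final int[] status = { -1 };
        FilterConfig config = stub(FilterConfig.class, (p, m, a) ->
                m.getName().equals("getInitParameter") ? blocked : null);
        ServletRequest request = stub(ServletRequest.class, (p, m, a) ->
                m.getName().equals("getParameterNames") ? Collections.enumeration(Arrays.asList(names)) : null);
        HttpServletResponse response = stub(HttpServletResponse.class, (p, m, a) -> {
            if (m.getName().equals("sendError")) status[0] = (Integer) a[0];
            return null;
        });
        FilterChain chain = stub(FilterChain.class, (p, m, a) -> {
            if (m.getName().equals("doFilter")) status[0] = PASSED;
            return null;
        });
        QueryParamFilter filter = new QueryParamFilter();
        filter.init(config);
        filter.doFilter(request, response, chain);
        return status[0];
    }

    public static void main(String[] args) throws Exception {
        int forbidden = HttpServletResponse.SC_FORBIDDEN;
        if (statusFor("pdf", "pdf") != forbidden) throw new AssertionError("blocked name must get 403");
        if (statusFor("pdf", "id", "PDF") != forbidden) throw new AssertionError("match must ignore case");
        if (statusFor("pdf", "id", "page") != PASSED) throw new AssertionError("other names must pass");
        if (statusFor("pdf", "pdfs") != PASSED) throw new AssertionError("only whole names match");
        System.out.println("QueryParamFilter behaves as described");
    }
}
```

In a running container, getParameterNames() returns names from the query string and from form-encoded POST bodies, so the filter covers both. The *.jsp mapping in web.xml limits it to JSP requests, so widen the url-pattern if the restricted feature is served from other paths.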