Microsoft007: Filters vs Interceptors in Java

🔍 1. Servlet Filters (javax.servlet.Filter)

Filter is a part of the Servlet API and is configured at the web container level. It sits before the servlet or controller is called.

🔧 Use Cases:

Logging request/response
Authentication
Compression
CORS
Request/response modification
Sanitizing inputs

📦 Example:

@Component
public class MyFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        System.out.println("Before servlet execution");
        chain.doFilter(request, response); // continue chain
        System.out.println("After servlet execution");
    }
}

🚨 Characteristics:

Works on HttpServletRequest and HttpServletResponse
Can modify both request and response
Configured with @Component, FilterRegistrationBean, or web.xml
Executes before DispatcherServlet

🔍 2. Spring Interceptors (HandlerInterceptor)

An Interceptor is a part of the Spring MVC framework. It intercepts requests handled by Spring controllers (via HandlerMapping).

🔧 Use Cases:

Logging
Performance monitoring
Authorization checks
Pre/post controller logic

📦 Example:

@Component
public class MyInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        System.out.println("Before Controller");
        return true; // continue request
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
                           Object handler, ModelAndView modelAndView) throws Exception {
        System.out.println("After Controller, before view render");
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
                                Object handler, Exception ex) throws Exception {
        System.out.println("After view render");
    }
}

And register it via:

@Configuration
public class WebConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new MyInterceptor());
    }
}

🚨 Characteristics:

Only intercepts Spring-managed requests
Cannot modify response body directly
Does not apply to static resources unless configured

🆚 Key Differences: Filters vs Interceptors

Feature	Filter	Interceptor
Part of	Servlet API (`javax.servlet`)	Spring MVC (`org.springframework.web.servlet`)
Scope	Web container	Spring controller layer
Order of execution	Before `DispatcherServlet`	After `DispatcherServlet`, before Controller
Targets	All requests	Only Spring controller requests
Can modify response?	Yes (request/response body)	Limited (can redirect or stop request)
Exception handling	Can catch all exceptions	Limited to Spring controller scope
Use for auth/logging?	Best for general auth, logging, CORS	Best for controller-specific logging, auth
Registration	`FilterRegistrationBean`, `@Component`	`WebMvcConfigurer#addInterceptors()`

✅ When to Use What?

Goal	Use This

Modify request/response streams Filter

CORS handling Filter

Authentication (general) Filter or Spring Security

Logging before/after controller Interceptor

Authorization (role-based) Interceptor or Spring Security

Request timing measurement Interceptor

🔹 1. What is a Filter and an Interceptor

Aspect	Filter	Interceptor
Definition	Filter is a Servlet component used to intercept HTTP requests/responses before they reach the Spring Framework.	Interceptor is a Spring MVC component used to intercept requests after they enter Spring, specifically before and after controller execution.
API	`javax.servlet.Filter`	`org.springframework.web.servlet.HandlerInterceptor`
Scope	Servlet-level (external to Spring)	Spring MVC level (internal to Spring)
Order of Execution	Executes before `DispatcherServlet`	Executes after `DispatcherServlet`, and before/after controller methods

🔹 2. Why Do We Use Filters and Interceptors?

Goal	Use Filter	Use Interceptor
Authentication (JWT/Token)	✅ Yes	❌ No (too late)
Authorization (role check)	❌ Not suitable	✅ Yes (can check user roles, handler info)
Logging (all requests/responses)	✅ Yes	✅ Yes (controller-specific logging)
Modifying request/response	✅ Yes	❌ No (read-only access)
Request timing measurement	❌ Not accurate	✅ Yes
CORS handling	✅ Yes	❌ No
View model injection	❌ No	✅ Yes (via `postHandle`)

🔹 3. Where Are They Applied in Spring Boot Lifecycle?

Client
 ↓
🧱 Filter (Servlet Layer)
 ↓
🚪 DispatcherServlet (Spring Entry Point)
 ↓
🧩 Interceptor (Spring MVC Layer)
 ↓
🎯 Controller
 ↓
🧠 Service Layer

Key Differences:
Aspect Filter Interceptor
Applies to All HTTP requests (static & dynamic) Only controller requests
Controller aware? ❌ No ✅ Yes
View aware? ❌ No ✅ Yes
Access to model and handler method ❌ No ✅ Yes

🔹 4. When to Use Filters vs Interceptors in Spring Boot?
✅ Use Filters When:
You need to authenticate a request before Spring gets involved (e.g., JWT check).
You need to apply CORS or security headers.
You want to log all HTTP traffic, even static resources.
You want to sanitize inputs before Spring processes them.
You want to modify request or response bodies or headers.

✅ Use Interceptors When:
You want to check permissions or roles before calling a controller.
You want to measure execution time of a specific controller.
You want to log controller-level details.
You want to inject common model attributes into the response (postHandle).

🔹 5. Code Examples in Spring Boot
✅ Filter Example – JwtAuthFilter.java
@Component
public class JwtAuthFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String authHeader = httpRequest.getHeader("Authorization");

        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
            ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Example: Token verification (pseudo-code)
        String token = authHeader.substring(7);
        if (!isValidToken(token)) {
            ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        chain.doFilter(request, response); // continue filter chain
    }

    private boolean isValidToken(String token) {
        return token.equals("demo-token"); // Replace with real validation
    }
}
✅ Interceptor Example – RequestLoggingInterceptor.java
@Component
public class RequestLoggingInterceptor implements HandlerInterceptor {

    private long startTime;

    @Override
    public boolean preHandle(HttpServletRequest request,
                             HttpServletResponse response,
                             Object handler) {
        startTime = System.currentTimeMillis();
        System.out.println("Incoming request to: " + request.getRequestURI());
        return true;
    }

    @Override
    public void afterCompletion(HttpServletRequest request,
                                HttpServletResponse response,
                                Object handler,
                                Exception ex) {
        long duration = System.currentTimeMillis() - startTime;
        System.out.println("Completed in " + duration + " ms");
    }
}
Register the Interceptor in WebConfig.java:
@Configuration
public class WebConfig implements WebMvcConfigurer {
    @Autowired
    private RequestLoggingInterceptor requestLoggingInterceptor;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(requestLoggingInterceptor);
    }
}
🔹 6. Summary Table: Filters vs Interceptors in Spring Boot
Feature / Use Case Filter Interceptor
Technology Servlet API Spring MVC API
Entry Point Before DispatcherServlet After DispatcherServlet
Static Resource Coverage ✅ Yes ❌ No (only controller URLs)
Access Controller Details ❌ No ✅ Yes
Use for JWT Authentication ✅ Best suited ❌ Too late
Use for Role-Based Authorization ❌ No ✅ Yes
Modifying HTTP Body ✅ Yes ❌ No
Injecting Model Attributes ❌ No ✅ Yes (postHandle)
Logging (global) ✅ Good ✅ Controller-specific
✅ Final Recommendation:
Situation Use
Authenticating requests before Spring processes them Filter
Role-based access control for controller methods Interceptor
Adding security headers or handling CORS Filter
Logging execution time for controllers Interceptor
Preprocessing ALL HTTP requests Filter
Applying logic only for Spring Controllers Interceptor

Wednesday, 11 June 2025

Filters vs Interceptors in Java

🔧 Use Cases:

📦 Example:

🚨 Characteristics:

🔍 2. Spring Interceptors (HandlerInterceptor)

🔧 Use Cases:

📦 Example:

🚨 Characteristics:

🔹 2. Why Do We Use Filters and Interceptors?

Key Differences:

✅ Interceptor Example – `RequestLoggingInterceptor.java`

Register the Interceptor in `WebConfig.java`:

🔹 6. Summary Table: Filters vs Interceptors in Spring Boot

✅ Final Recommendation:

No comments:

Post a Comment