How to exclude a URL from a Servlet Filter

By default, servlet filters don’t support excluding a specific URL pattern: once you define a URL pattern for a filter, every request matching that pattern is processed by the filter, without exception.

In this tutorial, we show how to programmatically add exclude functionality to an existing servlet filter.

1- Adding exclude functionality to a custom Filter

Suppose we have an existing web application that authenticates user requests through LDAP. All servlet requests pass through LDAPAuthenticationFilter, which is mapped to /* as follows:

Our filter simply authenticates the request and calls chain.doFilter() afterwards:

Now, suppose we want to create a servlet which requires a simple database authentication and does not need to pass through LDAP. The first thing we think of is to create a new filter and map it to the specific URL pattern of the new servlet.

So we create a new filter named DatabaseAuthenticationFilter which simply authenticates the request through the database and calls chain.doFilter() afterwards:

We define our filter under web.xml to handle only specific URLs starting with /DatabaseAuthenticatedServlet:

The problem here is that requests like /DatabaseAuthenticatedServlet also match the root URL pattern “/*”, i.e. our request would pass through 2 authentication processes: LDAP and Database. The ordering depends on which filter is defined first under web.xml.

To solve this, we need to modify LDAPAuthenticationFilter so that it excludes URLs starting with /DatabaseAuthenticatedServlet. What people normally do is hard-code a check on the servlet URL of the request inside the doFilter() method and simply bypass the authentication process when it matches.

Here we go a step further and implement a more dynamic solution that allows us to manage the excluded URLs through web.xml.

Following are the steps for adding the exclude feature to LDAPAuthenticationFilter:

  • Add a new field called excludedUrls of type List<String>:
  • Inside the init() method, read a configuration attribute called excludedUrls using FilterConfig. The attribute is expected to be comma-separated so that we can exclude as many URLs as we need.
  • Modify doFilter() to check whether the requested URL belongs to the list of predefined excluded URLs. If so, just forward the request to the next filter or servlet in the chain; otherwise, run your authentication logic.
  • Now inside web.xml, you can control which URLs to exclude from LDAP authentication without a single code change:

This is what LDAPAuthenticationFilter looks like after adding the exclude functionality:
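The four steps above put together, as an added example rather than the article's original listing. It assumes the javax.servlet API, an init-param named excludedUrls as described, and a hypothetical authenticate() placeholder standing in for the LDAP check; it matches on whole path segments and skips blank entries so that a stray comma cannot exclude every URL.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// web.xml (assumed): <init-param><param-name>excludedUrls</param-name>
//                    <param-value>/DatabaseAuthenticatedServlet</param-value></init-param>
public class LDAPAuthenticationFilter implements Filter {
    private final List<String> excludedUrls = new ArrayList<>();

    @Override
    public void init(FilterConfig config) {
        String param = config.getInitParameter("excludedUrls");
        if (param == null) return; // nothing excluded: every request is authenticated
        for (String entry : param.split(",")) {
            String url = entry.trim();
            // Skip blank entries (e.g. a trailing comma): an empty prefix would match every path.
            if (!url.isEmpty()) excludedUrls.add(url);
        }
    }

    // Static and side-effect free so the matching rule can be unit-tested without a container.
    static boolean isExcluded(String path, List<String> excluded) {
        for (String url : excluded) {
            // Exact match or a full path segment below it, so that
            // /DatabaseAuthenticatedServletX is still sent through LDAP.
            if (path.equals(url) || path.startsWith(url + "/")) return true;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getServletPath()/getPathInfo() are decoded by the container and carry no context
        // path or query string, unlike the raw getRequestURI().
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);
        if (isExcluded(path, excludedUrls) || authenticate(request)) {
            chain.doFilter(req, res);
            return;
        }
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    // Hypothetical placeholder for the application's LDAP check; denies by default.
    protected boolean authenticate(HttpServletRequest request) { return false; }
    @Override public void destroy() { }
}
```

Every excluded path must be covered by another authentication filter (here DatabaseAuthenticationFilter), since requests matching the list skip the LDAP check entirely.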

2- Adding exclude functionality to a third-party Filter

Third-party filters are filters that you can’t control, i.e. you can’t modify their source code.

In this section, we alter our example a bit and use CAS authentication instead of LDAP. This is how we define our CAS authentication filter in web.xml:

CAS authentication is done through a third-party library. To support database authentication, we can’t modify the source code of CAS as we did in the previous example with LDAP.

The solution for excluding URLs from a third-party filter is to wrap it with a new custom filter which just adds the exclude functionality and delegates the filter logic to the wrapped class.

Following are the steps for adding exclude functionality to CAS authentication:

  • Create a new filter called CASCustomAuthenticationFilter as follows:

    Our custom filter wraps the CAS authentication filter through composition. Its only purpose is to manage which URLs are authenticated through CAS; the CAS authentication procedure itself is left untouched.
  • In web.xml, we change the filter definition to use CASCustomAuthenticationFilter instead of the default CAS implementation:

That’s it, please leave your thoughts in the comments section below.


Hussein Terek
