Completed April to May 2026

AI-powered Student Management System

Production-grade full-stack platform with role-based portals, real-time analytics, and a Random Forest model that predicts academic risk with 96% accuracy.

Java 21 · Jakarta EE · MySQL 8 · Python · Flask · scikit-learn · Tomcat 10
AuthFilter.java
package com.robertjp.util;

import com.robertjp.model.User;

import jakarta.servlet.*;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import java.io.IOException;
import java.util.List;
import java.util.Set;

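/**
 * AuthFilter: single choke point for role-based access control across the
 * entire application. Mapped to /* via @WebFilter, it intercepts every
 * client request before it reaches any servlet.
 *
 * Three decisions happen here, in order:
 *   1. Public resources (login page, /api/*, static CSS/JS/images) pass
 *      through without auth checks.
 *   2. Unauthenticated requests get redirected to /login. Requests whose
 *      path ends in .jsp are let through (see the NOTE on that branch).
 *   3. Authenticated requests get routed by role: students can only access
 *      /portal/*, staff can only access everything else. Cross-role access
 *      attempts redirect to the correct landing page instead of erroring.
 *
 * Dispatch scope: {@code @WebFilter} defaults to {@code DispatcherType.REQUEST},
 * so only requests arriving from the client pass through here. Server-side
 * forwards and includes (e.g. a servlet forwarding to a JSP) are not filtered.
 *
 * Centralizing this here means there's exactly one place to audit access
 * control rules, and no servlet can accidentally skip them.
 */
@WebFilter("/*")
public class AuthFilter implements Filter {

    /** Session attribute read for the logged-in {@link User}; expected to be set at login. */
    private static final String USER_ATTRIBUTE = "user";

    /** Exact paths (relative to the context root) reachable without a session. */
    private static final Set<String> PUBLIC_PATHS = Set.of("", "/", "/login", "/login.jsp");

    /** Prefix under which the session-exempt API endpoints live. */
    private static final String PUBLIC_API_PREFIX = "/api/";

    /** Static asset suffixes served without auth. Suffix match only, so keep this list tight. */
    private static final List<String> STATIC_SUFFIXES = List.of(".css", ".js", ".png", ".jpg", ".ico");

    /** Prefix of the student portal: students are confined to it, staff are redirected out of it. */
    private static final String PORTAL_PREFIX = "/portal";

    /**
     * Applies the public-resource, authentication and role checks described on the class.
     *
     * @param request  incoming request; cast to {@link HttpServletRequest}
     * @param response outgoing response; cast to {@link HttpServletResponse}
     * @param chain    the rest of the filter chain, invoked only when access is granted
     * @throws IOException      if a redirect or the downstream chain fails on I/O
     * @throws ServletException if the downstream chain fails
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        String contextPath = req.getContextPath();
        String path = requestPath(req);

        // Public resources - no login required
        if (isPublic(path)) {
            chain.doFilter(request, response);
            return;
        }

        HttpSession session = req.getSession(false);
        User user = (session != null) ? (User) session.getAttribute(USER_ATTRIBUTE) : null;

        // Not logged in
        if (user == null) {
            // NOTE(review): this lets anonymous clients request *.jsp URLs directly. Forwards and
            // includes never reach this filter (see class doc), so every .jsp request seen here
            // came straight from the client. That is only safe if the JSP files live under
            // /WEB-INF/ (the container then refuses direct access); otherwise this branch is an
            // authentication bypass and should be removed.
            if (path.endsWith(".jsp")) {
                chain.doFilter(request, response);
                return;
            }
            res.sendRedirect(contextPath + "/login");
            return;
        }

        // Student trying to access staff pages
        if (user.isStudent() && !isStudentAllowed(path)) {
            res.sendRedirect(contextPath + "/portal/home");
            return;
        }

        // Staff trying to access student portal
        if (!user.isStudent() && path.startsWith(PORTAL_PREFIX)) {
            res.sendRedirect(contextPath + "/dashboard");
            return;
        }

        chain.doFilter(request, response);
    }

    /**
     * Returns the request path relative to the context root, as the container mapped it.
     *
     * Built from {@code getServletPath()} + {@code getPathInfo()} rather than
     * {@code getRequestURI()}: the former are percent-decoded, normalized and stripped of
     * path parameters by the container, so the string matched here is the same one the
     * servlet mapping used. Matching on the raw URI would let percent-encoded or
     * path-parameter variants of a protected path miss every rule in this filter.
     */
    private static String requestPath(HttpServletRequest req) {
        String servletPath = req.getServletPath();
        String pathInfo = req.getPathInfo();
        return (servletPath == null ? "" : servletPath) + (pathInfo == null ? "" : pathInfo);
    }

    /** True for resources served without any session check. */
    private static boolean isPublic(String path) {
        // NOTE(review): /api/* bypasses the session check entirely; confirm every API servlet
        // authenticates its caller itself (or is intentionally public).
        return PUBLIC_PATHS.contains(path)
                || path.startsWith(PUBLIC_API_PREFIX)
                || STATIC_SUFFIXES.stream().anyMatch(path::endsWith);
    }

    /**
     * Paths a logged-in student may reach: the portal, the login route, password change, and
     * direct .jsp requests. The .jsp exemption carries the same caveat as the unauthenticated
     * .jsp branch in doFilter: it only keeps staff pages private if the JSPs sit under /WEB-INF/.
     */
    private static boolean isStudentAllowed(String path) {
        return path.startsWith(PORTAL_PREFIX)
                || path.equals("/login")
                || path.equals("/change-password")
                || path.endsWith(".jsp");
    }
}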