Servlet Filters and Servlet Listeners are both powerful tools — but they serve very different purposes.
Let’s break it down:
🧭 TL;DR: When to Use What
| Feature | Use Filters When… | Use Listeners When… |
|---|---|---|
| 🔁 Request/Response | You want to modify or intercept requests/responses | You want to observe events in the lifecycle (app/session/etc.) |
| 🔐 Authentication | You need to check user access before a servlet executes | Not suitable |
| 📦 Logging | Log every request’s data (headers, method, URI, etc.) | Log when app starts, sessions created/destroyed, etc. |
| 🧪 Analytics | Track request metrics (time taken, response codes) | Count sessions, users, memory usage, app load time |
| 💾 Data setup/cleanup | Set request-specific variables, wrap responses | Initialize global resources (DB pools, caches) |
| 🧠 Lifecycle hooks | Not meant for app/session lifecycle | Perfect for lifecycle (context/session/request start/end) |
| 🧱 Attribute changes | Not applicable | Use HttpSessionAttributeListener, etc. |
🔍 In Detail
✅ Use Servlet Filters When:
- You need to intercept and possibly modify the request/response
- You want to implement:
  - Authentication & authorization (/admin/*)
  - Logging of request/response data
  - CORS handling
  - Compression (like GZIP)
  - Input validation/sanitization (e.g. strip XSS)
Example: Auth Filter
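```java
import java.io.IOException;
import javax.servlet.*;                 // jakarta.servlet.* on Servlet 5.0+ containers
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

@WebFilter("/secure/*")
public class AuthFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getSession(false): do not create a session for an unauthenticated request
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            // Not logged in: redirect and stop here, the servlet is never invoked
            ((HttpServletResponse) res).sendRedirect(request.getContextPath() + "/login");
        } else {
            chain.doFilter(req, res);
        }
    }
}
```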
✅ Use Servlet Listeners When:
- You want to observe lifecycle events — like:
  - Application startup/shutdown
  - User session creation and expiration
  - Attributes added/removed from context, session, or request
Example: Session Tracker Listener
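```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class SessionListener implements HttpSessionListener {
    // Called by the container when a new session is created
    @Override
    public void sessionCreated(HttpSessionEvent event) {
        System.out.println("Session created");
    }

    // Called when a session is invalidated or times out
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        System.out.println("Session destroyed");
    }
}
```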
🚀 Real-World Use Case Comparison
| Use Case | Use Filter? | Use Listener? | Notes |
|---|---|---|---|
| Block unauthenticated users | ✅ Yes | ❌ No | Filters can inspect request and block it |
| Count number of active sessions | ❌ No | ✅ Yes | Use HttpSessionListener |
| Log every request URI | ✅ Yes | ❌ No | Filters wrap around servlet calls |
| Initialize DB connection pool | ❌ No | ✅ Yes | Use ServletContextListener at app startup |
| Track attribute changes in session | ❌ No | ✅ Yes | Use HttpSessionAttributeListener |
| Apply gzip compression | ✅ Yes | ❌ No | Wrap HttpServletResponse in filter |
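
The two session rows of the table above (counting active sessions, tracking session attribute changes) combined in one listener, as an added example that is not code from the original article. It assumes the `user` session attribute checked by the AuthFilter example is set at login; the class name `SessionAuditListener` and the log format are made up for illustration.

```java
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.annotation.WebListener;   // jakarta.servlet.* on Servlet 5.0+ containers
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class SessionAuditListener implements HttpSessionListener, HttpSessionAttributeListener {
    // Assumption: same attribute name the AuthFilter example checks
    private static final String USER_ATTR = "user";
    // Sessions are created and destroyed on many threads, so the counter is atomic
    private static final AtomicInteger ACTIVE = new AtomicInteger();

    public static int activeSessions() { return ACTIVE.get(); }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        log("session created, active=" + ACTIVE.incrementAndGet());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Fires on invalidate() and on timeout alike
        log("session destroyed, active=" + ACTIVE.decrementAndGet());
    }

    @Override
    public void attributeAdded(HttpSessionBindingEvent event) {
        if (USER_ATTR.equals(event.getName())) { log("login: user=" + event.getValue()); }
    }

    @Override
    public void attributeRemoved(HttpSessionBindingEvent event) {
        if (USER_ATTR.equals(event.getName())) { log("logout: user=" + event.getValue()); }
    }

    @Override
    public void attributeReplaced(HttpSessionBindingEvent event) {
        // getValue() is the OLD value: the identity changed without a new session being created
        if (USER_ATTR.equals(event.getName())) { log("user replaced, previous=" + event.getValue()); }
    }

    // Strip CR/LF so a user-controlled name cannot forge extra log lines
    private static void log(String msg) { System.out.println("[session-audit] " + msg.replaceAll("[\\r\\n]", "_")); }
}
```

The listener only observes: it cannot reject a request, which is why the access check itself stays in the filter.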
✅ Rule of Thumb
- Use filters to interact with requests/responses
- Use listeners to observe lifecycle and state changes