tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sean Utt" <>
Subject Re: Mozilla showing JSP source code
Date Tue, 20 Jan 2004 04:27:18 GMT

I used to see this when doing a response.sendRedirect() without following it
with a return(), but didn't see jsp source, just html source. I did have a
problem with mod_jk showing .jsp source when the URI contained a // in the
path like http://dom.ain/context//file.jsp, but that sounds like a different
problem and an upgrade of mod_jk fixed that.

The redirect without return was a common problem in dreamweaver ultradev 4.
response.sendRedirect() does not terminate execution of the servlet/jsp (nor
should it), it just adds header content to the output. I.E. is being 'nice'
by painting over the html of the page that sent the redirect with the html
of the redirected page, but netscape/mozilla leaves the html from the
redirecting page in the browser. A more serious issue is that if you are
using response.sendRedirect() to send an unauthorized user to a login page,
you are sending them the content you were trying to protect, and then
telling them they need to log in to see it. Not at all secure.

Though this is an overly simplistic analogy, think of a servlet/jsp as a
dynamically loaded function being called by tomcat. This is why you can't
call system.exit() in a servlet without terminating tomcat itself. Unless
you tell the servlet to cease processing, it will happily continue doing
what it does best -- outputting html.

bottom line:

if (not authorized) {
response.sendRedirect(some location);
return; // don't bother doing anything else

If you opened any jdbc connections be sure to close them before returning.


Web Solutions That Work Developing custom web solutions designed
specifically to accomplish the unique objectives of our clients. Phone
503-639-2727 Fax 503-639-0807
----- Original Message ----- 
From: Guy Rouillier []
Sent: Monday, January 19, 2004 5:36 PM
To: Tomcat Users List
Subject: Mozilla showing JSP source code


(4) The most reliable way to see this fail is via a redirect.  This
happens most frequently on the secure half of our website (https).  On
those pages, we have an authentication header at the top of each page:

<%@ include file="/includes/authenheader.jspf" %>

Inside this file, we check some session variables, and if they don't
have the right set of values (or those values don't exist) we
response.sendRedirect() to a login page.  During this redirect, I
*always* see the source for the login page - the login page has not come
up cleanly one time.  This page is very small, and neither the buffer or
timeout changes help.

If anyone has any ideas on how to address this problem, I'm willing to
try anything.  I really am out of ideas and don't know where to go next.
Thanks for any help.

Guy Rouillier

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message