tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hume, John - NA US HQ Delray" <>
Subject RE: Mozilla showing JSP source code
Date Tue, 20 Jan 2004 16:01:55 GMT
Getting off the topic of visible JSP source here, but ...

Note that an HTTP redirect isn't just an additional header, it also means a
different response status (302 Moved Temporarily instead of 200 OK).  

I was under the impression that calling response.sendRedirect cleared the
buffer and caused the reponse to be committed, and that further attempts to
write to the response would throw an IllegalStateException.  Is this not the

I'm quite certain that it's not possible to do a response.sendRedirect if
any of the body has been written to the client (this results, IIRC, in
"IllegalStateException: response already committed").  

So does the security issue mentioned below really exist?


-----Original Message-----
From: Sean Utt []
Sent: Monday, January 19, 2004 11:27 PM
To: Tomcat Users List
Subject: Re: Mozilla showing JSP source code


I used to see this when doing a response.sendRedirect() without following it
with a return(), but didn't see jsp source, just html source. I did have a
problem with mod_jk showing .jsp source when the URI contained a // in the
path like http://dom.ain/context//file.jsp, but that sounds like a different
problem and an upgrade of mod_jk fixed that.

The redirect without return was a common problem in dreamweaver ultradev 4.
response.sendRedirect() does not terminate execution of the servlet/jsp (nor
should it), it just adds header content to the output. I.E. is being 'nice'
by painting over the html of the page that sent the redirect with the html
of the redirected page, but netscape/mozilla leaves the html from the
redirecting page in the browser. A more serious issue is that if you are
using response.sendRedirect() to send an unauthorized user to a login page,
you are sending them the content you were trying to protect, and then
telling them they need to log in to see it. Not at all secure.

Though this is an overly simplistic analogy, think of a servlet/jsp as a
dynamically loaded function being called by tomcat. This is why you can't
call system.exit() in a servlet without terminating tomcat itself. Unless
you tell the servlet to cease processing, it will happily continue doing
what it does best -- outputting html.

bottom line:

if (not authorized) {
response.sendRedirect(some location);
return; // don't bother doing anything else

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message