tomcat-users mailing list archives

From David Smith <d...@cornell.edu>
Subject Re: post data lost when redirecting from http to https
Date Mon, 03 Mar 2008 10:29:20 GMT
I would add if you are serious about customer confidence in your site, 
the form should be encrypted on SSL in addition to the form's target.  I 
for one would simply go somewhere else if I was asked to enter payment 
info and the form page wasn't encrypted.

--David

Peter Crowther wrote:
>> From: J. Zach [mailto:zach@centrum.cz]
>> I have a jsp page page1.jsp with a form
>>
>> <form action="page2.jsp" method="post">...</form>
>>
>> When page2.jsp is secured in web.xml via security-constraint
>> - transport confidential, the posted data from page1.jsp is lost on
>> submit (it's simply missing in the request).
>>
>
> That's expected:
>
> - The page submits to http://server:port/page2.jsp
>
> - The server issues a 302 redirect to https://server:port/page2.jsp - before examining
> any page content to find out there's a POST.  As your requirement is for confidentiality,
> this is correct - the server *must not* require any of the content to be sent before making
> the decision to redirect, or confidentiality could be broken.
>
> - The browser acts on the redirect and issues a GET for the redirected page, hence without
> the POST data.
>
>> Without the constraint everything works,
>> when changing action to https://server:port/page2.jsp it works too.
>>
>
> Yes, as the intermediate redirect will be missing.
>
>> I'm wondering whether this could be a tomcat bug?
>>
>
> No, it's a feature of HTTP.  Change your form action (or set the entire site to be SSL).
>
>                 - Peter
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
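The exchange Peter describes, modelled in Python as an added example that is not part of the thread: the container decides to redirect from the request line alone (it never reads the body), the browser follows the 302 with a GET, and the form data is gone. The host, port and form field values are constructed for the demo.

```python
# Added example, not from the thread: why a plain-http POST to a page marked
# <transport-guarantee>CONFIDENTIAL</transport-guarantee> arrives empty.
from urllib.parse import urlsplit, urlunsplit

# Paths the (constructed) web.xml security-constraint marks CONFIDENTIAL.
CONFIDENTIAL_PATHS = {"/page2.jsp"}


def server(method, url, body=None):
    """Model of the container. The redirect decision is taken from scheme and
    path only, before the body is examined, so no form data is needed in the
    clear to reach it; that is the confidentiality guarantee."""
    parts = urlsplit(url)
    if parts.path in CONFIDENTIAL_PATHS and parts.scheme != "https":
        secure = urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))
        return {"status": 302, "location": secure}
    # Only a request that already satisfies the constraint reaches the page.
    return {"status": 200, "method": method, "body": body or ""}


def browser_submit(action, form_body):
    """Model of the browser: POST the form, and on a 302 follow the Location
    with a GET, which carries no entity body (the behaviour the thread describes).
    Returns the list of hops made and the final response."""
    hops = [("POST", action, form_body)]
    response = server("POST", action, form_body)
    if response["status"] == 302:
        hops.append(("GET", response["location"], None))
        response = server("GET", response["location"], None)
    return hops, response


if __name__ == "__main__":
    # Form action left as http: two hops, and page2.jsp sees a GET with no data.
    hops, final = browser_submit("http://server:8080/page2.jsp", "amount=10")
    print(hops, final)
    # Form action changed to https: one hop, POST data intact.
    hops, final = browser_submit("https://server:8080/page2.jsp", "amount=10")
    print(hops, final)
```

Setting the form action to the https URL (or serving the whole site over SSL, as the thread recommends) removes the intermediate hop, so the POST reaches page2.jsp directly.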
