tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Crowther <Peter.Crowt...@melandra.com>
Subject RE: post data lost when redirecting from http to https
Date Mon, 03 Mar 2008 09:17:31 GMT
> From: J. Zach [mailto:zach@centrum.cz]
> I have an jsp page page1.jsp with a form
>
> <form action="page2.jsp" method="post">...</form>
>
> When page2.jsp is secured in web.xml via security-constraint
> - transport
> confidential, the posted data from page1.jsp is lost on
> submit (it's simply missing missing in the request).

That's expected:

- The page submits to http://server:port/page2.jsp

- The server issues a 302 redirect to https://server:port/page2.jsp - before examining any
page content to find out there's a POST.  As your requirement is for confidentiality, this
is correct - the server *must not* require any of the content to be sent before making the
decision to redirect, or confidentiality could be broken.

- The browser acts on the redirect and issues a GET for the redirected page, hence without
the POST data.

> Without the constraint everything works,
> when changing action to https://server:port/page2.jsp it works too.

Yes, as the intermediate redirect will be missing.

> I'm wondering whether this could be a tomcat bug?

No, it's a feature of HTTP.  Change your form action (or set the entire site to be SSL).

                - Peter

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message