tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Crowther <>
Subject RE: post data lost when redirecting from http to https
Date Mon, 03 Mar 2008 09:17:31 GMT
> From: J. Zach []
> I have an jsp page page1.jsp with a form
> <form action="page2.jsp" method="post">...</form>
> When page2.jsp is secured in web.xml via security-constraint
> - transport
> confidential, the posted data from page1.jsp is lost on
> submit (it's simply missing missing in the request).

That's expected:

- The page submits to http://server:port/page2.jsp

- The server issues a 302 redirect to https://server:port/page2.jsp - before examining any
page content to find out there's a POST.  As your requirement is for confidentiality, this
is correct - the server *must not* require any of the content to be sent before making the
decision to redirect, or confidentiality could be broken.

- The browser acts on the redirect and issues a GET for the redirected page, hence without
the POST data.

> Without the constraint everything works,
> when changing action to https://server:port/page2.jsp it works too.

Yes, as the intermediate redirect will be missing.

> I'm wondering whether this could be a tomcat bug?

No, it's a feature of HTTP.  Change your form action (or set the entire site to be SSL).

                - Peter

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message