From: David Smith
Date: Mon, 03 Mar 2008 05:29:20 -0500
To: Tomcat Users List
Subject: Re: post data lost when redirecting from http to https
Message-ID: <47CBD300.1040703@cornell.edu>

I would add that if you are serious about customer confidence in your site, the form should be encrypted on SSL in addition to the form's target. I for one would simply go somewhere else if I was asked to enter payment info and the form page wasn't encrypted.

--David

Peter Crowther wrote:
>> From: J. Zach [mailto:zach@centrum.cz]
>> I have a jsp page page1.jsp with a form
>>
>>
...
>>
>> When page2.jsp is secured in web.xml via security-constraint - transport
>> confidential, the posted data from page1.jsp is lost on submit (it's simply
>> missing in the request).
>
> That's expected:
>
> - The page submits to http://server:port/page2.jsp
>
> - The server issues a 302 redirect to https://server:port/page2.jsp - before examining any page content to find out there's a POST. As your requirement is for confidentiality, this is correct - the server *must not* require any of the content to be sent before making the decision to redirect, or confidentiality could be broken.
>
> - The browser acts on the redirect and issues a GET for the redirected page, hence without the POST data.
>
>> Without the constraint everything works,
>> when changing action to https://server:port/page2.jsp it works too.
>
> Yes, as the intermediate redirect will be missing.
>
>> I'm wondering whether this could be a Tomcat bug?
>
> No, it's a feature of HTTP. Change your form action (or set the entire site to be SSL).
>
> - Peter
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
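Peter's three steps as a runnable model with both sides of the exchange, the container's transport check and the browser's redirect handling. This is an added example, not code from the thread or from Tomcat; CONFIDENTIAL_PATHS, serve() and browser_submit() are constructed stand-ins for the web.xml constraint, the container and a browser, and the sample form field is constructed.

```python
"""Model of the POST -> 302 -> GET exchange described in the thread.

Added example, not from the thread or from Tomcat. CONFIDENTIAL_PATHS,
serve() and browser_submit() are constructed stand-ins for a web.xml
security-constraint with transport-guarantee CONFIDENTIAL, the container,
and a browser that follows a 302 the way browsers do."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Constructed: paths covered by the CONFIDENTIAL constraint (web.xml stand-in).
CONFIDENTIAL_PATHS = {"/page2.jsp"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    received_form: dict = field(default_factory=dict)


def serve(method: str, url: str, body: dict) -> Response:
    """Container side. The transport check looks only at scheme and path,
    before the entity body is read, so the body can never influence (or be
    exposed by) the decision, which is the confidentiality point Peter makes."""
    parts = urlsplit(url)
    if parts.path in CONFIDENTIAL_PATHS and parts.scheme != "https":
        target = urlunsplit(("https",) + parts[1:])
        return Response(302, {"Location": target})  # body never consumed
    return Response(200, received_form=dict(body) if method == "POST" else {})


def browser_submit(action: str, form: dict, max_hops: int = 5):
    """Browser side: POSTs the form, then follows each 302 with a plain GET
    to the Location, carrying no body. Returns the request trace and the
    final response."""
    trace, method, url, body = [], "POST", action, form
    for _ in range(max_hops):
        trace.append(f"{method} {url}")
        resp = serve(method, url, body)
        if resp.status != 302:
            return trace, resp
        method, url, body = "GET", resp.headers["Location"], {}
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    form = {"card": "4111-1111-1111-1111"}  # constructed sample field
    print(browser_submit("http://server:8080/page2.jsp", form))   # form lost
    print(browser_submit("https://server:8443/page2.jsp", form))  # form intact
```

The second call is Peter's fix: with the form action already on https there is no intermediate redirect, so the POST body reaches the server.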