tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: From HTTP to HTTPS request.getHeader("referer")
Date Mon, 03 Nov 2014 15:34:24 GMT

Léa,

On 11/2/14 10:07 AM, Léa Massiot wrote:
> Hello Mark, Chris and Terence. Thank you for your answers. After
> reading them and observing a few things I realized that my problem
> is not exactly the one I described at first.
> 
> 
> Christopher Schultz-2 wrote
>> The Referer is going to be the URL that was showing in the web
>> browser when the user clicked on the Submit button.
> 
> This is right. I hadn't noticed it but the URL which is showing is
> NOT https://host/webapp/example1.jsp. Instead, it is
> https://host/webapp/do_example. So, what I was describing as
> abnormal in my first post is actually normal.

Exactly.

> So the problem is coming from elsewhere...
> 
> Before I tried to make the webapp work with HTTPS, I was always
> using calls like these:
> ----------------------------------------------------------------------
> response.sendRedirect("example1.jsp");

When sending redirects, you probably always want to:

1. Run the URL through response.encodeRedirectURL
2. Use a URL that starts with "/", which is easiest by doing this:

  String url = response.encodeRedirectURL(request.getContextPath()
                                          + "/example1.jsp");

  response.sendRedirect(url);

> ----------------------------------------------------------------------
> Last week, I replaced all these calls with these new ones:
> ----------------------------------------------------------------------
> requestDispatcher =
>     getServletContext().getRequestDispatcher("/example1.jsp");
> requestDispatcher.forward(request, response);
> ----------------------------------------------------------------------
> (with the appropriate JSP of course).
>
> I made that change because "sendRedirect()" didn't "work" with
> HTTPS.

Redirects definitely work with HTTPS. You must be doing something
wrong. Perhaps a configuration mistake with a port number or something
like that.

> I didn't mention this before because I thought it was solving this
> other problem. Instead, it provokes new ones.

Yup.

> What I actually would like is the webapp to behave like before:
> showing JSP page names in the URLs bar instead of "URL patterns": 
> in a given servlet, I generally have several "forward()" calls and
> hence several different ".jsp" pages to forward to depending on
> what happens inside the servlet. Having all of them replaced by
> something like "do_example" is kind of not what I had planned. It's
> definitely very problematic.

So use redirects. They should work and you should figure out why they
aren't working. Put your code back the way you had it, take more data,
and post a new question if you need help.

> So, hum, as I didn't ask it at the time: why can't I go on using
> "sendRedirect()" along with HTTPS? If I have to use "forward()", is
> there any way I could make it behave the way I described above?

When you use a "forward", you will always end up with the URL the
client first used as what the client "sees". If you want to accept
data (e.g. POST) *and* prepare some data for the next screen to be
seen, consider a POST-then-redirect scheme:

1. Client POSTs to some URL e.g. /do_example
2. /do_example servlet runs and handles the POST data, then
redirect()s to /prepare_view
3. /prepare_view servlet runs and gathers whatever data is appropriate
for the next display screen and forward()s to /example1.jsp

After all that, the user is looking at the URL /prepare_view instead
of /do_example. That way, your referrer for the next POST will be
/prepare_view instead of /do_example.

> Is there another method I could use that would suit my needs?

Your only tools to transfer control (other than direct function calls)
are forward, redirect, and include.

> P.S. For the problem I was posting at first, as I don't really need
> to rely on the "referer" request header, I can instead, set a
> session attribute in each JSP. In "example1.jsp" for instance: 
> --------------------------------------------------------------------
> <c:set var="sessAtt"
>     value="example1.jsp" scope="session"></c:set>
> --------------------------------------------------------------------
> When in the "doPost()" method of the servlet, I'll know which JSP form was
> submitted...

What if the user hits the BACK button and looks at a previous page,
then re-submits that old page? Your server thinks that the source page
was "example1.jsp" but the client actually posted example0.jsp or
something else...

Web application workflow management is non-trivial.

-chris
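
The POST-then-redirect scheme described in the message above, as an added example that is not part of the original message or of Tomcat's own code. It assumes Servlet 3.0+ annotations and the javax.servlet namespace; the class names, the form field "name" and the session attribute "example.result" are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class PostRedirectExample {

    /** Steps 1-2: accept the POST, do the work, then redirect. */
    @WebServlet("/do_example")
    public static class DoExampleServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // "name" is a hypothetical form field; real POST handling goes here.
            String name = request.getParameter("name");
            // Request attributes do not survive a redirect, so carry the
            // outcome to the next request in the session.
            request.getSession().setAttribute("example.result",
                    name == null ? "" : name.trim());

            // Fixed, context-relative target: never built from the Referer
            // header or from a request parameter.
            String url = response.encodeRedirectURL(
                    request.getContextPath() + "/prepare_view");
            response.sendRedirect(url);
        }
    }

    /** Step 3: gather data for the view, then forward to the JSP. */
    @WebServlet("/prepare_view")
    public static class PrepareViewServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            HttpSession session = request.getSession(false);
            Object result = (session == null) ? null : session.getAttribute("example.result");
            if (session != null) {
                session.removeAttribute("example.result"); // one-shot value
            }
            request.setAttribute("result", result);
            // The browser keeps showing /prepare_view; the JSP only renders.
            request.getRequestDispatcher("/example1.jsp").forward(request, response);
        }
    }
}
```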
