Ability to hide URL post data



  1. Ability to hide URL post data (2 messages)

    I've got a RouterServlet that does the following:

      public void doPost(HttpServletRequest request, HttpServletResponse response)
              throws ServletException, IOException {
          HttpSession session = request.getSession();
          LoginContext loginCtx = null;

          if (request.getServletPath().equals("/autologin.sec")) {
              session.setAttribute("USER", myUserBean.getLoginName());

              String username = "theuser";
              String password = "password";
              String req =
                  "j_security_check?j_username=" + RequestUtils.encodeURL(username)
                  + "&j_password=" + RequestUtils.encodeURL(password);


    The only problem is that when the browser is used, you can see the URL contents in the address bar (i.e. "j_security_check?j_username=username&j_password=password").

    Is there any way of passing the info to Authentication without the user seeing these details?

    Thx in advance....
  2. HttpServletResponse.sendRedirect() sends a 302 status code to the client, which is interpreted by most browsers as "perform a GET request using the URL provided in the Response.Location field". Even if it were a POST instead of a GET, I guess the parameters would be visible anyway, because you added them explicitly to the URL as query parameters.

    You might want to use the 307 code to perform a re-POST, but this code is not properly supported by all browsers:

      response.setHeader("Location", url)

    Or you might want to go the traditional way: authenticate the user while processing the first POST and establish the session, then redirect to the user's home page or whatever it is. You would need to establish a session anyway; you are not going to send the username and password with each request, are you?

    See more at:
  3. Of course, I meant
      response.setHeader("Location", url)
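
The approach the reply describes (authenticate while processing the first POST, establish the session, then redirect), as an added example that is not part of the thread. It assumes a Servlet 3.1 container with a configured security realm; the class name, the `/login.sec` mapping and the `/home` target are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: authenticates inside the first POST, then redirects
// to a URL that carries no credentials. doGet is not overridden, so the
// HttpServlet default rejects GET requests to this mapping.
@WebServlet("/login.sec")
public class PostLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getParameter() also reads query parameters, so refuse any query
        // string: credentials must arrive only in the POST body.
        if (request.getQueryString() != null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            // Container-managed authentication against the configured realm.
            request.login(username, password);
        } catch (ServletException e) {
            // Wrong credentials, or this request is already authenticated.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Issue a fresh session id after login so a pre-login id cannot be reused.
        HttpSession session = request.getSession(true);
        request.changeSessionId();
        session.setAttribute("USER", request.getRemoteUser());

        // The 302 Location holds only a path; the browser follows it with a
        // GET and the address bar never shows j_username or j_password.
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```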