Ability to hide URL post data

Discussions: Web tier: servlets, JSP, Web frameworks

  1. Ability to hide URL post data (2 messages)

    I've got a RouterServlet that does the following:

      import java.io.IOException;

      import javax.servlet.ServletException;
      import javax.servlet.http.HttpServlet;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import javax.servlet.http.HttpSession;

      import org.apache.struts.util.RequestUtils;

      public class RouterServlet extends HttpServlet {

          // Bean describing the already-identified user (type and field assumed; not shown in the post)
          private UserBean myUserBean;

          public void doPost(HttpServletRequest request, HttpServletResponse response)
                  throws ServletException, IOException {

              // Throw away any existing session and start a clean one
              request.getSession(true).invalidate();
              HttpSession session = request.getSession();

              if (request.getServletPath().equals("/autologin.sec")) {
                  session.setAttribute("USER", myUserBean.getLoginName());

                  String username = "theuser";
                  String password = "password";
                  // The credentials are put into the query string of the redirect target
                  String req = "j_security_check?j_username=" + RequestUtils.encodeURL(username)
                          + "&j_password=" + RequestUtils.encodeURL(password);

                  // sendRedirect() answers 302; the browser follows with a GET to this URL,
                  // so the query string shows up in the address bar
                  response.sendRedirect(response.encodeRedirectURL(req));
              }
          }
      }

    The only problem is that when the browser is used, you can see the URL contents in the address bar (i.e. "j_security_check?j_username=username&j_password=password")......

    Is there any way of passing the info to Authentication without the user seeing these details?

    Thx in advance....
  2. HttpServletResponse.sendRedirect() sends the client a 302 status code, which is interpreted by most browsers as "perform a GET request using the URL provided in the Response.Location field". Even if it were a POST instead of a GET, I guess the parameters would be visible anyway, because you added them explicitly to the URL as query parameters.

    You might want to use the 307 code to perform a re-POST, but this code is not properly supported by all browsers:


      // Set the redirect status and target explicitly instead of calling sendRedirect()
      response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
      response.setHeader("Location", url);


    Or you might want to go the traditional way: authenticate the user during processing of the first POST and establish the session, then redirect to the user's home page or whatever it is. You would need to establish a session anyway; you are not going to send the username and password with each request, are you?

    See more at:
    http://www.informit.com/articles/printerfriendly.asp?p=29817
    http://ppewww.ph.gla.ac.uk/~flavell/www/post-redirect.html
  3. Of course, I meant
    <code>
      // 307 Temporary Redirect: the client is expected to repeat the POST to the new Location
      response.setStatus(HttpServletResponse.SC_TEMPORARY_REDIRECT);
      response.setHeader("Location", url);
    </code>
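The "traditional way" from the second reply, written out as an added example; this is not code from the original posts. Credentials are read from the POST body, checked on the server, a fresh session is established, and the browser is then sent a plain 302 to a URL that carries no secrets, so only the 302-then-GET behaviour the reply describes is relied on. The class name LoginServlet, the pages login.jsp and home.jsp, and the constant credential store are assumptions made for the illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the original thread). Credentials travel only in the
// POST body and are never appended to any URL, so neither the address bar nor
// the redirect target ever shows them.
public class LoginServlet extends HttpServlet {

    // Hypothetical credential store for the demo. A real application would look the
    // user up in its own store and use a slow, salted password hash (PBKDF2, bcrypt
    // or similar); unsalted SHA-256 is used here only to keep the example self-contained.
    private static final String DEMO_USER = "theuser";
    private static final byte[] DEMO_PASSWORD_SHA256 = sha256("password");

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // getParameter() reads form-encoded POST body fields; nothing is built into a URL here.
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");

        if (username == null || password == null || !authenticate(username, password)) {
            // Generic failure: do not echo the submitted values back in the redirect URL either.
            response.sendRedirect(response.encodeRedirectURL("login.jsp?error=1"));
            return;
        }

        // Discard the pre-login session so a session ID chosen before authentication
        // cannot be promoted to an authenticated one (session fixation).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("USER", username);

        // POST -> 302 -> GET: the address bar ends up showing only the home page URL.
        response.sendRedirect(response.encodeRedirectURL("home.jsp"));
    }

    // Compare the password hash in constant time so response timing does not reveal
    // how many bytes of the hash matched.
    static boolean authenticate(String username, String password) {
        if (!DEMO_USER.equals(username)) {
            return false;
        }
        return MessageDigest.isEqual(DEMO_PASSWORD_SHA256, sha256(password));
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

If the application relies on container-managed security rather than its own check, Servlet 3.0 and later provide HttpServletRequest.login(username, password), which hands the credentials to the container's realm inside the same POST; j_security_check then never has to be reached through a redirect, which is the situation the original poster's autologin servlet is in.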