I've got a RouterServlet that does the following:
<code>
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.security.auth.login.LoginContext;

public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // throw away any existing session and start a fresh one
    request.getSession(true).invalidate();
    HttpSession session = request.getSession();
    LoginContext loginCtx = null;
    if (request.getServletPath().equals("/autologin.sec")) {
        session.setAttribute("USER", myUserBean.getLoginName());
        String username = "theuser";
        String password = "password";
        // the credentials are put into the query string of the redirect URL
        String req =
            "j_security_check?j_username=" + RequestUtils.encodeURL(username)
            + "&j_password=" + RequestUtils.encodeURL(password);
        response.sendRedirect(response.encodeRedirectURL(req));
    }
}
</code>
The only problem is that when the browser is used, you can see the URL contents in the address bar (i.e. "j_security_check?j_username=username&j_password=password")...
Is there any way of passing the info to Authentication without the user seeing these details?
Thx in advance....
Ability to hide URL post data (2 messages)
- Posted by: Michael Radeka
- Posted on: November 18 2004 00:41 EST
Authenticate when processing POST
- Posted by: Michael Jouravlev
- Posted on: November 18 2004 16:41 EST
- in response to Michael Radeka
HttpServletResponse.sendRedirect() sends the client a 302 status code, which is interpreted by most browsers as "perform a GET request using the URL provided in the Location field of the response". Even if it were a POST instead of a GET, I guess the parameters would be visible anyway, because you added them explicitly to the URL as query parameters.
You might want to use the 307 code to perform a re-POST, but this code is not properly supported by all browsers:
<code>
response.setStatus(response.SC_MOVED_TEMPORARILY);
response.setHeader("Location", url);
</code>
Or you might want to go the traditional way: authenticate the user during processing of the first POST and establish the session, then redirect to the user's home page or whatever it is. You would need to establish a session anyway; you are not going to send the username and password with each request, are you?
See more at:
http://www.informit.com/articles/printerfriendly.asp?p=29817
http://ppewww.ph.gla.ac.uk/~flavell/www/post-redirect.html
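An added example (not code from this thread) of the "traditional way" described in the reply above: the credentials are read from the POST body, the user is authenticated inside doPost, a fresh session is established, and only then is the browser redirected, so nothing secret ever appears in a URL. It assumes a Servlet 3.0+ container for HttpServletRequest.login(), a hypothetical servlet class name AutoLoginServlet, and a home page at /home.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet mapped to /autologin.sec (Servlet 3.0+ container assumed).
public class AutoLoginServlet extends HttpServlet {

    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Credentials come from the POST body, never from a query string that
        // would end up in the address bar, browser history, access logs and
        // Referer headers.
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");

        // Drop any session that existed before login so a session id handed
        // out before authentication is not kept afterwards.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        try {
            // Container-managed authentication done in the POST handler
            // (Servlet 3.0 API) instead of redirecting to j_security_check.
            request.login(username, password);
        } catch (ServletException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // New session after successful authentication; store only the login name.
        HttpSession session = request.getSession(true);
        session.setAttribute("USER", request.getRemoteUser());

        // 303 See Other: the browser follows with a GET and the redirect URL
        // carries no credentials, so there is nothing to hide.
        response.setStatus(HttpServletResponse.SC_SEE_OTHER);
        response.setHeader("Location", response.encodeRedirectURL("/home"));
    }
}
```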
Authenticate when processing POST
- Posted by: Michael Jouravlev
- Posted on: November 18 2004 17:33 EST
- in response to Michael Jouravlev
Of course, I meant
<code>
response.setStatus(response.SC_TEMPORARY_REDIRECT);
response.setHeader("Location", url);
</code>