
IE & FireFox use GET after HTTPS redirect with TOMCAT 7

 
Ahmed Samir
Greenhorn
Posts: 3
Dear All,

I have a simple application (only 2 JSP files and one servlet as the main components; the whole webapp directory is attached). I am using a security constraint to redirect the user to HTTPS instead of HTTP when he submits from the first page to the second page.
The problem is that when the user submits the first page I get the error "HTTP Status 405 - HTTP method GET is not supported by this URL", although I'm using only POST.
I have traced the Firefox browser using HttpFox, and the result was that the first HTTP request was done using POST correctly, but after the redirect the browser sends GET.
This problem appears with Firefox and IE but does not appear with Google Chrome.

index.jsp




Hellotest.java



Regards
 
Paul Clapham
Sheriff
Posts: 21875
I don't understand the question; the code you posted doesn't do a redirect. You have a comment which suggests that a redirect is about to happen, but the following code does a forward and not a redirect.
 
Ahmed Samir
Greenhorn
Posts: 3
The redirect is done automatically by Tomcat because I have added security constraints to the /hello url-pattern in the web.xml. Find it below:
<?xml version="1.0" encoding="UTF-8"?>
<web-app
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">
  <servlet>
    <servlet-name>chapter1</servlet-name>
    <servlet-class>com.ahmed.ch1.helloTest</servlet-class>
    <init-param>
      <param-name>adminMail</param-name>
      <param-value>ahmed_S_E@YAHOO.COM</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>chapter1</servlet-name>
    <url-pattern>/hello</url-pattern>
  </servlet-mapping>
  <context-param>
    <param-name>globalSupport</param-name>
    <param-value>+201224243847</param-value>
  </context-param>
  <listener>
    <listener-class>
      com.ahmed.list.Mylist
    </listener-class>
  </listener>
  <session-config>
    <session-timeout>1</session-timeout>
  </session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>dataProtect</web-resource-name>
      <url-pattern>/hello</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
 
Paul Clapham
Sheriff
Posts: 21875
Well, that's interesting. I googled to find out about <transport-guarantee>CONFIDENTIAL</transport-guarantee> and everything I found just said that the server should automatically redirect to the same URL only with HTTPS instead of HTTP. By the way that means that your servlet code won't be run before the redirect, because the server intercepts the HTTP request and redirects instead of calling your servlet. But that isn't the issue here.

As far as I can see, the issue is that some of the browsers are reacting to the redirect request by sending another request using the GET method, which of course is a problem. But the servlet specification (and everything else I read about it) completely fails to mention this issue. Which suggests to me that everybody is expecting a redirected POST message to be another POST message.

So I looked at the Wikipedia article HTTP 302. It mentions that changing the request type of the message from POST to GET was incorrect in HTTP 1.0 but that several browsers did that anyway. But now it's correct in HTTP 1.1 and servers have to use the 307 response code to tell the browser to preserve the request type.

So: Is HTTP 1.1 being used here? And are you getting 302 or 307 in the browser from your Tomcat server in this situation?
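
Added example, not written by any poster in this thread and not Tomcat's own code: a Python model of the exchange discussed above. It reads the CONFIDENTIAL constraint from a trimmed copy of the posted web.xml and shows the follow-up request for a 302 versus a 307. The function names, the localhost URL, deployment at the ROOT context and exact-match URL patterns are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed input: the security-constraint from the web.xml posted above.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
<security-constraint>
  <web-resource-collection>
    <url-pattern>/hello</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
</web-app>"""

def local(el):
    """Tag name without its XML namespace."""
    return el.tag.rsplit("}", 1)[-1]

def confidential_rules(xml_text):
    """Return [(url_pattern, {methods})] for each CONFIDENTIAL constraint."""
    rules = []
    for sc in ET.fromstring(xml_text).iter():
        if local(sc) != "security-constraint":
            continue
        kids = {}
        for e in sc.iter():
            kids.setdefault(local(e), []).append((e.text or "").strip())
        if "CONFIDENTIAL" in kids.get("transport-guarantee", []):
            methods = set(kids.get("http-method", []))  # empty set = all methods
            rules += [(p, methods) for p in kids.get("url-pattern", [])]
    return rules

def trace(method, url, body, redirect_status):
    """Model one hop: the container's redirect, then the client's next request."""
    parts = urlsplit(url)
    # Assumption: app deployed at the ROOT context, exact-match patterns only.
    hit = any(parts.path == p and (not m or method in m)
              for p, m in confidential_rules(WEB_XML))
    if parts.scheme != "http" or not hit:
        return {"redirected": False, "method": method, "body": body, "cleartext_body": False}
    # 301/302/303: the client re-issues a POST as a body-less GET, as Firefox
    # and IE did in this thread; 307/308 make it replay method and body.
    keep = redirect_status in (307, 308) or method in ("GET", "HEAD")
    return {"redirected": True, "method": method if keep else "GET",
            "body": body if keep else None,
            "cleartext_body": bool(body)}  # first request was already sent over HTTP
```

With either status code the form body has already crossed the network unencrypted on the first request, so the constraint moves the browser to HTTPS but does not protect that first POST.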
 