HttpServletRequest - RequestDispatcher - Forward - is not using Constraint

Jeff Bradford
Greenhorn

Joined: Jan 24, 2003
Posts: 8
We have a Servlet that is being called via a standard POST (http).

The Servlet is doing a RequestDispatch FORWARD to a JSP. We would like that JSP to be called via HTTPS (SSL).

We have the constraint below in place in web.xml, but it still uses http://localhost:8080 when routing to the JSP:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted URLs</web-resource-name>
        <url-pattern>/sso.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>


However, if you hit the JSP directly from the Browser it does switch the URL over to SSL.

Any ideas?


Thanks,
Jeff
Abimaran Kugathasan
Ranch Hand

Joined: Nov 04, 2009
Posts: 2066

I think the web.xml security constraint is for direct access from the client.


|BSc in Electronic Eng| |SCJP 6.0 91%| |SCWCD 5 92%|
Jeff Bradford
Greenhorn

Joined: Jan 24, 2003
Posts: 8
That appears to be true. I found this.

Security constraints work only on the original request URI and not on calls made through a RequestDispatcher (which include <jsp:include> and <jsp:forward>). Inside the application, it is assumed that the application itself has complete access to all resources and would not forward a user request unless it had decided that the requesting user also had access.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61299

You cannot change the protocol midstream. The HTTP request has already been made; it can't be changed after the fact.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Jeff Bradford
Greenhorn

Joined: Jan 24, 2003
Posts: 8
We ended up turning on SSL for the entire site instead.

Hebert Coelho
Ranch Hand

Joined: Jul 14, 2010
Posts: 754

Haha, simple solution! ^^

gratz, Jeff Bradford


[uaiHebert.com] [Full WebApplication JSF EJB JPA JAAS with source code to download] One Table Per SubClass [Web/JSF]
Abimaran Kugathasan
Ranch Hand

Joined: Nov 04, 2009
Posts: 2066

Bear Bibeault wrote: You cannot change the protocol midstream. The HTTP request has already been made; it can't be changed after the fact.


Correct! Can't it redirect the client to request over SSL, if the request contains access to restricted resources implicitly?
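
The redirect asked about in the last post, as an added example that is not part of the original thread or anyone's posted code: the servlet forwards only when the request already arrived over SSL, and otherwise redirects the browser so that the container applies the CONFIDENTIAL constraint to the new request for /sso.jsp. The class name, the `secureBaseUrl` init-param and the `javax.servlet` API generation are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: class name and init-param name are assumptions.
public class SsoEntryServlet extends HttpServlet {

    // HTTPS origin of the site, e.g. "https://localhost:8443" (constructed value).
    private String secureBase;

    @Override
    public void init() throws ServletException {
        // Read the HTTPS origin from configuration rather than from the Host
        // header, so a forged Host header cannot steer the redirect elsewhere.
        secureBase = getInitParameter("secureBaseUrl");
        if (secureBase == null || !secureBase.startsWith("https://")) {
            throw new ServletException(
                "secureBaseUrl init-param must be an https:// origin");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.isSecure()) {
            // Already on SSL: a server-side forward stays on this connection.
            req.getRequestDispatcher("/sso.jsp").forward(req, resp);
            return;
        }
        // Plain HTTP: a forward would skip the constraint, because the
        // container checks constraints only on the original request URI.
        // A redirect makes the browser issue a new request, which is checked.
        // Caveats: the POST body is not replayed (browsers follow a 302 with
        // GET), and it has already crossed the network unencrypted.
        resp.sendRedirect(secureBase + req.getContextPath() + "/sso.jsp");
    }
}
```

Because the data posted to the servlet has already travelled in clear text by the time the redirect is sent, this protects only the follow-up request; covering the servlet's own URL with the constraint, or the whole site as Jeff did, protects the POST as well.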
 