HttpServletRequest - RequestDispatcher - Forward - is not using Constraint

Jeff Bradford
Greenhorn

Joined: Jan 24, 2003
Posts: 8
We have a Servlet that is being called via a standard POST (http).

The Servlet is doing a RequestDispatch FORWARD to a JSP. We would like that JSP to be called via HTTPS (SSL).

We have the Constraint in web.xml below in place, but it still uses http://localhost::8080 when routing to the JSP

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted URLs</web-resource-name>
    <url-pattern>/sso.jsp</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>


However, if you hit the JSP directly from the Browser it does switch the URL over to SSL.

Any ideas?


Thanks,
Jeff
Abimaran Kugathasan
Ranch Hand

Joined: Nov 04, 2009
Posts: 2066

I think the web.xml security constraint is for direct access from the client.


Jeff Bradford
Greenhorn

Joined: Jan 24, 2003
Posts: 8
That appears to be true. I found this.

Security constraints work only on the original request URI and not on calls made through a RequestDispatcher (which include <jsp:include> and <jsp:forward>). Inside the application, it is assumed that the application itself has complete access to all resources and would not forward a user request unless it had decided that the requesting user also had access.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60775
    

You cannot change the protocol midstream. The HTTP request has already been made, it can't be changed after-the-fact.


Jeff Bradford
Greenhorn

Joined: Jan 24, 2003
Posts: 8
We ended up turning on SSL for the entire site instead.

Hebert Coelho
Ranch Hand

Joined: Jul 14, 2010
Posts: 754

Haha, simple solution! ^^

gratz, Jeff Bradford


Abimaran Kugathasan
Ranch Hand

Joined: Nov 04, 2009
Posts: 2066

Bear Bibeault wrote: You cannot change the protocol midstream. The HTTP request has already been made, it can't be changed after-the-fact.


Correct! Can't it redirect the client to request over SSL, if the request contains access to restricted resources implicitly?
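
Added example, not part of any post in this thread: one way to enforce the transport requirement in the servlet itself, since the container does not re-check security constraints on a RequestDispatcher forward. The class name SsoServlet and the TLS port 8443 are assumptions; /sso.jsp is the JSP from the question.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet in front of /sso.jsp (class name and port are assumptions).
public class SsoServlet extends HttpServlet {
    private static final int HTTPS_PORT = 8443; // assumed TLS connector port

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {
            // A forward stays inside the current request, so the only way to
            // switch schemes is to make the browser issue a new HTTPS request.
            resp.sendRedirect(httpsUrl(req));
            return;
        }
        forwardToJsp(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {
            // The POST body has already crossed the network in clear text and a
            // redirect cannot undo that, so refuse instead of forwarding.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        forwardToJsp(req, resp);
    }

    private void forwardToJsp(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.getRequestDispatcher("/sso.jsp").forward(req, resp);
    }

    // Rebuilds the current URL with the https scheme and the TLS port.
    static String httpsUrl(HttpServletRequest req) {
        StringBuilder url = new StringBuilder("https://").append(req.getServerName());
        if (HTTPS_PORT != 443) url.append(':').append(HTTPS_PORT);
        url.append(req.getRequestURI());
        if (req.getQueryString() != null) url.append('?').append(req.getQueryString());
        return url.toString();
    }
}
```

If TLS is terminated at a proxy in front of the container, isSecure() reports false unless the container is configured to trust the proxy's forwarded-scheme information.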
 
 