If URL rewriting does kick in for the scheme change (http --> https), should I expect it to break my URLs by adding the ";jsessionId=xxxx"? And what can I do to prevent this? (servlet filter to intercept and strip this out)?
I would even appreciate an RTFM reference if this is too basic.
Thanks in advance.
Sorry, one more question to be complete: is the behavior different when coming from https:// and redirecting (or forwarding??) to http://?
That is, is jsessionID (URL rewriting) used in the reverse direction or can the cookie be used? Can I force this?
You should never perform url rewriting yourself since the container can do it if you tell it to. If you are creating URLs in a Servlet, you should use the javax.servlet.http.HttpServletRequest encodeURL method. In a JSP you should use the JSTL url tag <c:url> example. These will automatically perform url rewriting if needed. If you use encodeURL or url tags anytime you have a link then you should be set.
Mike, thanks for your response.
You should never perform url rewriting
I plan to avoid this.
If you are creating URLs in a Servlet, ...
Yes, this is my intent... I need to redirect from an insecure page to a secure login page (SSL) and then redirect to another secure page on success.
So does this mean that the same sessionId is used for both http and https? Meaning that a redirect from http --> https will be handled by the tag and container? I seemed to read somewhere that setting a new sessionId is a good idea for the secure component. I guess nothing is preventing me from setting a new cookie with a new (self-generated) ID with quick expiration for the secure part and relying on that, right?
Also, is there a difference between <html:link> and <c:url>? Do they do the same thing?
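The two concerns raised in this thread (";jsessionid" appearing in URLs, and reusing an http session ID after an HTTPS login) can both be handled by the container. The following is an added example, not code from any poster in the thread. It assumes a Servlet 3.1+ container with a configured security realm; the `/login` and `/account/home` paths and the `user`/`password` parameter names are hypothetical.

```java
// LoginServlet.java: added example, assumes a Servlet 3.1+ container (javax.servlet).
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/login") // paths and parameter names here are hypothetical
public class LoginServlet extends HttpServlet {

    /** Cookie-only tracking: the container never appends ";jsessionid=" to URLs. */
    @WebListener
    public static class CookieOnlySessions implements ServletContextListener {
        @Override public void contextInitialized(ServletContextEvent e) {
            e.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
            e.getServletContext().getSessionCookieConfig().setHttpOnly(true);
            // Also call setSecure(true) if every page that uses the session is HTTPS.
        }
        @Override public void contextDestroyed(ServletContextEvent e) { }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) { // never accept credentials over plain http
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Login requires HTTPS");
            return;
        }
        try {
            // Container-managed check against the configured realm (Servlet 3.0).
            req.login(req.getParameter("user"), req.getParameter("password"));
        } catch (ServletException failed) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The pre-login ID may have crossed the network unencrypted over http,
        // so replace it before the session holds any authenticated state.
        req.getSession(true);   // changeSessionId() needs an existing session
        req.changeSessionId();  // Servlet 3.1: keeps attributes, issues a new ID
        // A no-op in cookie-only mode; stays correct if URL rewriting is re-enabled.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/account/home"));
    }
}
```

Letting the container issue the replacement ID avoids maintaining a second, self-generated cookie alongside the session cookie.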