Reputation: 67
Hide querystring parameters from url in response.sendRedirect
I have a java servlet that is redirecting to a web application on a different server.
I was wondering if there is a way to hide the querystring parameters, so they are not visible to the client in the address bar.
response.sendRedirect("http://www.mywebapp.com/login.html?parameter1=value1¶meter2=value2");
Is there a way to force the sendRedirect to POST to the page and hide the querystring?
Edit: use case.
- A user goes to http://www.mywebapp.com
- They are automatically redirected to my servlet filter
- The servlet handles SSO to an Identity provider using SAML
- Once it recieves the SAML response back, I redirect the now authenticated user back to mywebapp.com
- I want to pass some parameters back to the webapp. Parameters from the SAML response. But I don't want the user to see them in the URL
Clearly, sendRedirect() is not what I want. What would be the best way to handle this?
Upvotes: 1
Views: 5083
Answers (4)
Reputation: 1
I found a way for hiding any string from Java or Android project with concept of inner classes using proguard to hide them a class is my server side processing
Upvotes: 0
Reputation: 240996
You can forward the request from server side and then at the end redirect to some other page
Upvotes: 0
Reputation: 24895
You could connect to the other server from your servlet (HttpConnection) and copy the returned data. The user will only see your server.
An alternative is returning an HTML page that does send a POST form automatically after loading. The user will need to allow JS.
Upvotes: 0
Reputation: 341003
No, you can't use POST in this scenario. When calling sendRedirect() this is what you send back to the client:
HTTP/1.1 302 Found
Location: http://www.mywebapp.com/login.html?parameter1=value1¶meter2=value2
Browser interprets this and points user to that location.
Something tells me (maybe login.html name and two parameters) that you want to automatically login user on some web site). Don't go this way, sending username/password (both using GET parameters and inside POST) is really insecure.
Without knowing much about your use case it's probably the best solution to call http://www.mywebapp.com/login.html from your servlet, parse the response and return it to the user (so he will never really see mywebapp in his browser.
Upvotes: 1
Related Questions
- Pass Hidden parameters using response.sendRedirect()
- Modify request parameter with servlet filter
- My method for hidden parameters using response.sendRedirect().. is it ok?
- How to hide passed request parameters from the user?
- query string and parameter map in the redirected url is null
- How to preserve request body on performing HTTP redirect from servlet filter
- How to pass parameters to JSP using response.sendRedirect?
- Using sendRedirect inside a servlet forwarded with request dispatcher
- How to redirect request from a filter to desired servlet with post DataParameter?
- Java Servlet Filter redirect problem