user1362319

Reputation: 21

Tomcat SSL POST request redirection

I have SSL set up under Tomcat and a port redirection for certain URLs from http to https (using security-constraint). The redirection works, but all the original POST http requests get redirected as GET and so all the parameters from the original POST request are lost.

How can the Connector be configured to keep a POST request redirected as POST?

Thanks so much for any help!

Upvotes: 2

Views: 1300

Answers (1)

Bruno

Reputation: 122729

It's generally bad practice to rely on redirects for upgrading every http:// link to https://: this is vulnerable to MITM attacks. Ideally, you should give your users the https:// link only (possibly with HSTS). (See this question on Webmasters.SE.)

The upgrade redirections are mainly there to mitigate the risks (assuming there is no MITM attacker in the first place), and to get the users used to seeing https://. They're ultimately the only ones who will be able to check that HTTPS is used. From your point of view, make sure all your own links to your HTTPS sections use https:// directly and don't rely on these redirections. (For this reason, I'd suggest not enabling the http->https redirects during development, and making the HTTP addresses equivalent to those that are meant to be HTTPS only return 404: at least you'll know when it's meant to break.)

Coming back to the core of your question, you're certainly experiencing the Post/Redirect/Get pattern, which can be considered incompatible with the HTTP specifications (depending on how it's implemented and on which redirection codes you're using).

Besides the possible arguments regarding the correctness or usefulness of the Post/Redirect/Get pattern, you should fix this by not using a redirect but POSTing to an https:// URI directly (it's often better to use relative URLs within your site once you're using HTTPS). Remember that the content of the POST will be sent in the first request (before it gets the redirection from the server), so it would be visible by an eavesdropper, thereby making using HTTPS pointless (since it won't be used there).

Upvotes: 1
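To make the two points in the answer above concrete (the POST body goes out on the plaintext hop, and the client retries the redirect target as a GET without it), here is an added example that is not part of the original question or answer. Both hops are plain HTTP on localhost so it runs offline; the `/login` path and the form fields are constructed, and the 302 stands in for the Tomcat security-constraint redirect.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode
from urllib.request import Request, urlopen


class Hop(BaseHTTPRequestHandler):
    """Records method and body of every request, then either redirects
    (server.target set) or answers 200. Stand-in for the plain-HTTP
    connector and for the HTTPS service respectively."""

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode() if length else ""
        self.server.seen.append((self.command, body))   # what this hop saw
        if self.server.target:                           # the http:// hop
            self.send_response(302)
            self.send_header("Location", self.server.target)
        else:                                            # the "https://" hop
            self.send_response(200)
            self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _handle

    def log_message(self, *_):                           # keep the demo quiet
        pass


def _serve(target):
    # Ephemeral port on loopback; serve in a background thread.
    srv = HTTPServer(("127.0.0.1", 0), Hop)
    srv.seen, srv.target = [], target
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """POST a constructed login form through a 302 and return what each hop received."""
    secure = _serve(target=None)
    plain = _serve(target="http://127.0.0.1:%d/login" % secure.server_port)
    data = urlencode({"user": "alice", "password": "hunter2"}).encode()
    req = Request("http://127.0.0.1:%d/login" % plain.server_port, data=data)
    urlopen(req).close()            # urllib follows the 302, switching to GET
    for s in (plain, secure):
        s.shutdown(); s.server_close()
    return {"first_hop": plain.seen[0], "second_hop": secure.seen[0]}


if __name__ == "__main__":
    print(run_demo())
```

The first hop (the one an eavesdropper on plain HTTP would see) records the full credentials; the second hop only ever sees an empty GET, which is exactly the parameter loss the question describes.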
