Getting off the topic of visible JSP source here, but ... Note that an HTTP redirect isn't just an additional header, it also means a different response status (302 Moved Temporarily instead of 200 OK).
I was under the impression that calling response.sendRedirect cleared the buffer and caused the response to be committed, and that further attempts to write to the response would throw an IllegalStateException. Is this not the case?

I'm quite certain that it's not possible to do a response.sendRedirect if any of the body has been written to the client (this results, IIRC, in "IllegalStateException: response already committed"). So does the security issue mentioned below really exist?

-john.

-----Original Message-----
From: Sean Utt [mailto:[EMAIL PROTECTED]
Sent: Monday, January 19, 2004 11:27 PM
To: Tomcat Users List
Subject: Re: Mozilla showing JSP source code

Hi,

I used to see this when doing a response.sendRedirect() without following it with a return(), but didn't see jsp source, just html source.

I did have a problem with mod_jk showing .jsp source when the URI contained a // in the path like http://dom.ain/context//file.jsp, but that sounds like a different problem and an upgrade of mod_jk fixed that.

The redirect without return was a common problem in dreamweaver ultradev 4. response.sendRedirect() does not terminate execution of the servlet/jsp (nor should it), it just adds header content to the output. I.E. is being 'nice' by painting over the html of the page that sent the redirect with the html of the redirected page, but netscape/mozilla leaves the html from the redirecting page in the browser.

A more serious issue is that if you are using response.sendRedirect() to send an unauthorized user to a login page, you are sending them the content you were trying to protect, and then telling them they need to log in to see it. Not at all secure.

Though this is an overly simplistic analogy, think of a servlet/jsp as a dynamically loaded function being called by tomcat. This is why you can't call system.exit() in a servlet without terminating tomcat itself. Unless you tell the servlet to cease processing, it will happily continue doing what it does best -- outputting html.

bottom line:

    if (not authorized) {
        response.sendRedirect(some location);
        return; // don't bother doing anything else
    }

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
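The "redirect, then return" pattern from the thread, written as a servlet Filter so the authorization check runs before the protected JSP or servlet produces any output at all. This is an added example, not code from either poster; the session attribute name "user" and the login path "/login.jsp" are assumed, and the filter is assumed to be mapped in web.xml to the protected URL patterns.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Authorization gate that runs before the protected resource, so no protected
 * HTML is ever buffered or flushed to an unauthorized client. Mapped in
 * web.xml to the URL patterns that need protection (assumed deployment).
 */
public class AuthRedirectFilter implements Filter {

    private static final String USER_ATTR = "user";        // assumed attribute name
    private static final String LOGIN_PAGE = "/login.jsp"; // assumed login path

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAuthorized(request)) {
            // sendRedirect() throws IllegalStateException once the response is
            // committed; nothing has been written yet at this point, but the
            // guard makes the precondition explicit.
            if (!response.isCommitted()) {
                response.sendRedirect(response.encodeRedirectURL(
                        request.getContextPath() + LOGIN_PAGE));
            }
            return; // the "return" from the thread: do not run the protected resource
        }
        chain.doFilter(req, res); // authorized: let the JSP/servlet render
    }

    /** True only when a session already exists and carries a logged-in user. */
    static boolean isAuthorized(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create a session here
        return session != null && session.getAttribute(USER_ATTR) != null;
    }
}
```

Because the filter decides before chain.doFilter() is called, the page that would have leaked its HTML ahead of the 302 never executes for an unauthorized request.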