Taggart Gorman wrote:

> > -----Original Message-----
> > From: A mailing list about Java Server Pages specification
> > and reference
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Craig R. McClanahan
> > Sent: Wednesday, March 24, 1999 5:36 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: getting access to HttpServletResponse
> >
> [...]
>
> > The "forwarding" is done by using the ResourceDispatcher.forward() method (in
> > the 0.92 reference implementation).  When released under the 2.1 servlet API,
> > this call will become RequestDispatcher.forward() instead, but it accomplishes
> > the same purpose.  It acts a little like a redirect, except there is no extra
> > round trip to the browser and thus no performance impact.
>
> The drawback I've found with the forward() method is that, since there is no
> real redirect happening (which saves us the extra round trip), the URL
> displayed for the forwarded page is really the URL of the initial page that
> was called.
>
> This can backfire on you and your users in the following situation:
>
> Your login page has a form with ACTION="/servlet/LoginServlet".  When the
> user submits the form, the user's browser goes to the page
> "/servlet/LoginServlet".  The servlet does it's work, and forwards to some
> other page, let's say your main menu page, but the user still sees the url
> of "/servlet/LoginServlet".  So if they were to bookmark this new page,
> they'd really be bookmarking the servlet.
> So then you'd need to write code in the servlet to handle this possibility
> and blah, blah, blah.  I've taken to avoiding servlets and forward()
> altogether to avoid this.
>

Isn't that why you check the session to make sure they've logged in anyway
(that was the original scenario that triggered this thread)?  Even if they see
and bookmark the correct URL and then jump to it, you are still going to throw
them back to the login screen anyway, aren't you?  If you don't, then why
bother to have them log in at all?

Checking for this case is really simple -- especially if you use a single
servlet design that calls appropriate methods for all the different processing
requirements of your application, based on query parameters or extra path
info.  Then you only have to check once, so it's no big deal.  There are a
variety of techniques that make it simple even if you're not using a single
servlet approach.

Alternatively (and this works even with static HTML stuff), you can also use
frames, or open a window with no location field, so the user gets trained to
the fact that they cannot just jump into the middle.

Craig McClanahan
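The "single servlet" design Craig describes, with the login check done once and forward() used for page rendering, as an added example written against the javax.servlet API (servlet 2.2 or later, which names the session calls getAttribute/setAttribute; the 2.1 API discussed in the thread used getValue/putValue). This is not code from the thread or from the reference implementation; the class name AppServlet, the session key, the JSP paths and the demo user "alice" are all assumptions constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical front-controller servlet: every request of the application is
// routed through here and dispatched on extra path info, so the "are they
// logged in?" check lives in exactly one place.
public class AppServlet extends HttpServlet {

    // Session attribute holding the authenticated user name (assumed name).
    private static final String USER_KEY = "app.user";

    // Constructed demo credential store: user name -> SHA-256 of password.
    // A real application replaces this with its own password store.
    private static final Map<String, byte[]> DEMO_USERS = new HashMap<String, byte[]>();
    static {
        DEMO_USERS.put("alice", sha256("correct horse"));
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doPost(req, resp);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getPathInfo() == null ? "/" : req.getPathInfo();

        // The login action is the only one allowed without a session user.
        if ("/login".equals(action)) {
            handleLogin(req, resp);
            return;
        }

        // Every other action requires a logged-in user. A bookmarked
        // ".../AppServlet/menu" opened in a fresh browser has no session,
        // so it simply lands on the login page, as the reply above argues.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(USER_KEY) == null) {
            forward(req, resp, "/login.jsp");
            return;
        }

        if ("/menu".equals(action)) {
            forward(req, resp, "/menu.jsp");   // no extra round trip to the browser
        } else {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    private void handleLogin(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user != null && pass != null && credentialsValid(user, pass)) {
            // Drop any pre-login session so an attacker-supplied session id
            // is never promoted to an authenticated one.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            req.getSession(true).setAttribute(USER_KEY, user);
            // Redirect (not forward) after a successful POST, so the address
            // bar and any bookmark show the menu URL rather than the login action.
            resp.sendRedirect(req.getContextPath() + req.getServletPath() + "/menu");
        } else {
            req.setAttribute("loginError", Boolean.TRUE);
            forward(req, resp, "/login.jsp");
        }
    }

    // Constant-time comparison of password hashes via MessageDigest.isEqual.
    private boolean credentialsValid(String user, String pass) {
        byte[] expected = DEMO_USERS.get(user);
        return expected != null && MessageDigest.isEqual(expected, sha256(pass));
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    private void forward(HttpServletRequest req, HttpServletResponse resp, String path)
            throws ServletException, IOException {
        RequestDispatcher rd = getServletContext().getRequestDispatcher(path);
        rd.forward(req, resp);
    }
}
```

Two design choices are worth noting. The session check is placed before the action dispatch rather than inside each handler, which is what makes the "check once" argument hold as actions are added. And the one place that does use sendRedirect is the successful login itself: forward() is kept for rendering pages, while the redirect after the login POST addresses the bookmarking complaint from the quoted message, since the browser then lands on (and bookmarks) the menu URL instead of the login servlet.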

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff JSP-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
