Yeah, like Peter says. The original form is what should be under SSL, presumably.
Chad > From: [EMAIL PROTECTED] > To: users@tomcat.apache.org > Date: Mon, 3 Mar 2008 09:17:31 +0000 > Subject: RE: post data lost when redirecting from http to https > > > From: J. Zach [mailto:[EMAIL PROTECTED] > > I have an jsp page page1.jsp with a form > > > > <form action="page2.jsp" method="post">...</form> > > > > When page2.jsp is secured in web.xml via security-constraint > > - transport > > confidential, the posted data from page1.jsp is lost on > > submit (it's simply missing missing in the request). > > That's expected: > > - The page submits to http://server:port/page2.jsp > > - The server issues a 302 redirect to https://server:port/page2.jsp - before > examining any page content to find out there's a POST. As your requirement > is for confidentiality, this is correct - the server *must not* require any > of the content to be sent before making the decision to redirect, or > confidentiality could be broken. > > - The browser acts on the redirect and issues a GET for the redirected page, > hence without the POST data. > > > Without the constraint everything works, > > when changing action to https://server:port/page2.jsp it works too. > > Yes, as the intermediate redirect will be missing. > > > I'm wondering whether this could be a tomcat bug? > > No, it's a feature of HTTP. Change your form action (or set the entire site > to be SSL). > > - Peter > > --------------------------------------------------------------------- > To start a new topic, e-mail: users@tomcat.apache.org > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > _________________________________________________________________ Shed those extra pounds with MSN and The Biggest Loser! http://biggestloser.msn.com/