I would add that if you are serious about customer confidence in your site,
the form should be encrypted on SSL in addition to the form's target. I
for one would simply go somewhere else if I was asked to enter payment
info and the form page wasn't encrypted.
--David
Peter Crowther wrote:
From: J. Zach [mailto:[EMAIL PROTECTED]
I have a JSP page, page1.jsp, with a form
<form action="page2.jsp" method="post">...</form>
When page2.jsp is secured in web.xml via security-constraint - transport
confidential, the posted data from page1.jsp is lost on submit (it's
simply missing in the request).
That's expected:
- The page submits to http://server:port/page2.jsp
- The server issues a 302 redirect to https://server:port/page2.jsp - before
examining any page content to find out there's a POST. As your requirement is
for confidentiality, this is correct - the server *must not* require any of the
content to be sent before making the decision to redirect, or confidentiality
could be broken.
- The browser acts on the redirect and issues a GET for the redirected page,
hence without the POST data.
Without the constraint everything works,
when changing action to https://server:port/page2.jsp it works too.
Yes, as the intermediate redirect will be missing.
I'm wondering whether this could be a tomcat bug?
No, it's a feature of HTTP. Change your form action (or set the entire site to
be SSL).
- Peter
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
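The exchange Peter describes, as an added example that is not part of the original thread: a local Python stand-in (not Tomcat) whose `/page2.jsp` answers a POST with a 302, and a client that follows the redirect with a GET. The `/secure/page2.jsp` path stands in for the https:// URL; the handler, paths and sample form body are constructed for illustration.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SEEN = []  # (method, path, body) for every request that reaches the server


class Handler(BaseHTTPRequestHandler):
    def _handle(self):
        # The body is read only to record what crossed the plain connection.
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        SEEN.append((self.command, self.path, body))
        if self.command == "POST" and self.path == "/page2.jsp":
            # Stand-in for the container's redirect to the confidential URL.
            self.send_response(302)
            self.send_header("Location", "/secure/page2.jsp")
            body = b""
        else:
            self.send_response(200)  # the page echoes the form data it got
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = _handle

    def log_message(self, *args):  # keep the demo quiet
        pass


def submit(action, data=b"card=CONSTRUCTED-SAMPLE"):
    """POST `data` to `action`; return (echoed body, request log)."""
    SEEN.clear()
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    # Empty ProxyHandler: never route the loopback request through a proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        url = "http://127.0.0.1:%d%s" % (srv.server_port, action)
        with opener.open(url, data=data, timeout=5) as resp:
            echoed = resp.read()
    finally:
        srv.shutdown()
        srv.server_close()
    return echoed, list(SEEN)


if __name__ == "__main__":
    for action in ("/page2.jsp", "/secure/page2.jsp"):
        echoed, log = submit(action)
        print(action, "->", echoed, [(m, p, len(b)) for m, p, b in log])
```

The first log entry for `/page2.jsp` shows that the form body had already arrived on the unencrypted listener before the redirect was sent, which is the practical reason to point the form action (or the whole site) at HTTPS.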