Java Mailing List Archive

http://www.junlu.com/


Re: redirecting from a servlet to an exterior URL using a POST

Johan Hahn

2005-06-23


> Garey - Yes we all agree that redirect will not do a POST. The various suggestions
> that have been made all work, including using a programmatic post with Jakarta
> HttpClient. One thing to be aware of is that POST is NOT a security mechanism.
> Even though the parameters do not show on the URL as with a GET, it is still fairly
> easy to see these values with a POST for someone who goes to a little trouble. So
> if you have a security reason for this question your premise was not correct. Still,
> the HttpClient or HttpURLConnection approaches seem like they will do what you
> are trying to do.

Good answer! It addresses most of the concerns I've had while following this thread.
Here are some more thoughts of mine:

I assume the OP has no control over the university service, otherwise he could use
some cryptographic method, like a shared secret, to issue a ticket in his servlet and
pass it to the client.

Another thing the OP didn't make clear was how the university service handles
sessions. If it is protected against session hijacking (for example if it relies on the web
server's session management) and compares the IP of the requesting end between calls
in a session, there could be a problem. It will find that the IP of the first request (the
login) is different from that of the subsequent requests. However, if the university
service is not protected against session hijacking it will probably work. Though, it
puts you in a moral dilemma of whether or not to contact them about it or having your
own service work. :)

> BTW - I'm tempted to wonder - if anyone can use your system to login to the
> other system you might as well make a guest password public anyway!

Another of my concerns. :)

...johahn
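The "shared secret" ticket that the post above mentions as the clean alternative (only possible when both services are under your control) can be built with an HMAC, and binding the ticket to the client IP shows the same check the post attributes to the university service's session handling. The following is an added example, not code from the thread or from either service; the class name, the `user|expiry|ip` payload layout, and the demo secret are all my own choices.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Issues and verifies short-lived tickets authenticated with a shared secret.
// Ticket format: base64url(user|expiry|clientIp) + "." + base64url(HMAC-SHA256(payload))
// The client never sees the secret, so it cannot mint or alter a ticket; the
// receiving service only needs the same secret to check it.
public class SharedSecretTicket {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final byte[] secret;

    public SharedSecretTicket(byte[] secret) {
        this.secret = secret.clone();
    }

    // Called by the issuing servlet after it has authenticated the user itself.
    // User names must not contain '|' (the field separator) in this toy layout.
    public String issue(String user, String clientIp, long expiryEpochSeconds) throws Exception {
        String payload = user + "|" + expiryEpochSeconds + "|" + clientIp;
        String encodedPayload = ENC.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        return encodedPayload + "." + sign(encodedPayload);
    }

    // Called by the receiving service. Returns the user name on success, null on any failure:
    // bad format, wrong signature, expired, or presented from a different client IP.
    public String verify(String ticket, String clientIp, long nowEpochSeconds) throws Exception {
        int dot = ticket.lastIndexOf('.');
        if (dot < 0) return null;
        String encodedPayload = ticket.substring(0, dot);
        byte[] given;
        byte[] payloadBytes;
        try {
            given = DEC.decode(ticket.substring(dot + 1));
            payloadBytes = DEC.decode(encodedPayload);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison so the check does not leak how many bytes matched.
        byte[] expected = DEC.decode(sign(encodedPayload));
        if (!MessageDigest.isEqual(expected, given)) return null;

        String[] parts = new String(payloadBytes, StandardCharsets.UTF_8).split("\\|", -1);
        if (parts.length != 3) return null;
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowEpochSeconds > expiry) return null;      // replay window closed
        if (!parts[2].equals(clientIp)) return null;     // the IP-binding check from the post
        return parts[0];
    }

    private String sign(String data) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(secret, ALG));
        return ENC.encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo secret; a real deployment would load a random key from configuration.
        byte[] secret = "constructed-demo-secret-replace-me".getBytes(StandardCharsets.UTF_8);
        SharedSecretTicket issuer = new SharedSecretTicket(secret);
        long now = 1_700_000_000L;
        String ticket = issuer.issue("alice", "192.0.2.10", now + 300);
        System.out.println("ticket:        " + ticket);
        System.out.println("same client:   " + issuer.verify(ticket, "192.0.2.10", now));
        System.out.println("other client:  " + issuer.verify(ticket, "198.51.100.7", now));
        System.out.println("after expiry:  " + issuer.verify(ticket, "192.0.2.10", now + 600));

        // Payload edited but signature left as issued: the HMAC check rejects it.
        String sig = ticket.substring(ticket.lastIndexOf('.') + 1);
        String edited = ENC.encodeToString(("mallory|" + (now + 300) + "|192.0.2.10")
                .getBytes(StandardCharsets.UTF_8)) + "." + sig;
        System.out.println("edited payload: " + issuer.verify(edited, "192.0.2.10", now));
    }
}
```

Running `main` prints the user name for the first `verify` call and `null` for the other three. The IP binding is exactly the behaviour the post warns about: a ticket issued to the browser but presented by the servlet (a different source address) fails the check, which is why a relay through `HttpClient` only works against a service that does not compare addresses.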


Archives: http://archives.java.sun.com/archives/servlet-interest.html