Spring MVC and Jetty: Prevent jsessionid from being used in RedirectView on redirect to external sit

Posted by Moritz Both on Stack Overflow See other posts from Stack Overflow or by Moritz Both
Published on 2010-05-26T08:59:07Z Indexed on 2010/05/26 9:01 UTC
Read the original article Hit count: 525

Filed under:

redirect

|

spring-mvc

|

jetty

|

sessionid

In Spring MVC 2.5 with Jetty - probably with any servlet container -, I want to redirect to an external site using RedirectView via the magic "redirect:" prefix for the view name in ModelAndView.

Unfortunately, RedirectView uses response.encodeURL(), so my (otherwiese wanted) session id is appended to the URL. It is not only a security risk to carry the session id to the external site, the ";jsessionid=gagnbaba" string may also be interpreted as part of the ContextPath/PathInfo on the other site, resulting in a bad URL.

Any "springish" options other than implement my own ExternalRedirectView... and also hack the ViewResolver to interpret a "externalRedirect:" prefix? (Requiring cookies is not an option.)

Moritz

© Stack Overflow or respective owner

Related posts about redirect

ajax redirect dillema, how to get redirect URL OR how to set properties for redirect request

as seen on Stack Overflow - Search for 'Stack Overflow'
First, I'm working in Google Chrome, if that helps. Here is the behavior: I send an xhr request via jquery to a remote site (this is a chrome Extension, and I've set all of the cross-site settings...): $.ajax({ type: "POST", contentType : "text/xml", url: some_url, data: some_xml… >>> More
.htaccess file size causes 500 Internal Server Error

as seen on Pro Webmasters - Search for 'Pro Webmasters'
As soon as my .htaccess goes over approx 8410 bytes, I get a 500 Internal Server Error. I don't think this is due to a bad redirect, as I have experimented with redirects in the .htaccess and then with just text that is commented out #. (no actual commands in the .htaccess file) Is there anything… >>> More
ASP.Net FormsAuthentication Redirect Loses the cookie between Redirect and Application_AuthenticateR

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a FormsAuthentication cookie that is persistent and works independently in a development, test, and production environment. I have a user that can authenticate, the user object is created, the authentication cookie is added to the response: 'Custom object to grab the TLD from the url authCookie… >>> More
How to avoid open-redirect vulnerability and safely redirect on successful login (HINT: ASP.NET MVC

as seen on Stack Overflow - Search for 'Stack Overflow'
Normally, when a site requires that you are logged in before you can access a certain page, you are taken to the login screen and after successfully authenticating yourself, you are redirected back to the originally requested page. This is great for usability - but without careful scrutiny, this feature… >>> More
Redirect with htaccess for images onto another server without redirect looping

as seen on Stack Overflow - Search for 'Stack Overflow'
Hey guys, I currently have a host where my main site is hosted on. I have set up nginx on another server to mirror/cache files being requested if it doesn't have it already, in particular images and flv videos. For example: www.domain.com is my main site. www.domain.com/video/video.flv www.domain… >>> More

Related posts about spring-mvc

spring MVC sample web app

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I'm looking for an example Spring MVC 2.5 web app that I can easily: Setup as a project in Eclipse Deploy to a local app server (using Ant/Maven) There are a couple of example applications included with the Spring distribution ('petclinic' and 'jpetstore'), but they don't provide any Eclipse… >>> More
Code assist in (jsp /jstl) view for Spring MVC model objects in Eclipse

as seen on Stack Overflow - Search for 'Stack Overflow'
In Spring MVC when placing an object in the view model like so: public String getUser( Model model ) { //...fetch user... model.addAttribute( "user", user ); return "viewName"; } and accessing it's values in the JSP / JSTL view like this: ... <p> ${user.name} </p> … >>> More
The interceptors in Spring MVC 3.0 doesn't work

as seen on Stack Overflow - Search for 'Stack Overflow'
I just used annotation-based controller to do the request mapping. But when I configured interceptors like the following <property name="interceptors"> <list> <bean class="com.glamour.web.interceptor.MenuItemsInterceptor"></bean> </list> … >>> More
How to stop Spring MVC blocking all other Servlets?

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I'm using Spring 2.5 MVC and wan't to add another third-party Servlet. The Problem is, that Spring MVC catches all request, so the Servlet isn't getting any request. Here a web.xml Snippet: SpringMVC org.springframework.web.servlet.DispatcherServlet 2 <servlet-mapping> <servlet-name>SpringMVC</servlet-name> <url-pattern>/*</url-pattern> </servlet-mapping>… >>> More
Spring MVC jQuery remote validation

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I am using Spring MVC on the server side, but in one of the pages I decided to create an AJAX validation with jQuery rather than the default Spring validation. Everything works great, except when I have to do a remote validation to check if a "title" already exists. For the javascript I have… >>> More