I know people like to avoid those, but get real: refreshing a failed
> POST ought to re-POST the data (that will fail again). You should really
> only redirect on success.
Agreed, it's a much bigger consideration on success than failure. But once
you figure out a good way of approaching the issue on success, I imagine
it'd be just as easily applicable on failure?
> Passing the message in the request parameter (suggested by Mark) doesn't
>> seem like the ideal solution, because (assuming a parameterized message
>> based on submitted POST values) you'd need to pass the actual message in
>> the
>> query string. Not only would you have an ugly URL, but also someone could
>> visit that page with their own message by changing the query string.
>
> Oh, no! Someone could mount an XSS attack on themselves! :p
:) Good call - I guess the ugly URL would be the main reason here, if any.
> Is there an ideal way to tell servlet S (one way I can think of is request
>> attributes - anything else?) not to execute its filter when a redirect
>> has
>> been performed (i.e. to perform no further execution of its thread
>> because
>> the request has redirected away from it)? That way, am I correct to say
>> you
>> have a good solution - no race condition, no messages in query string,
>> and
>> you can use redirects as desired?
>
> Um, <dispatcher>?
So would the following be a good way of approaching this using filter
mappings (where the filter is as described in the OP)?
- No filter on all servlets that can, upon success or failure, redirect to
another page
- Filters on all JSPs with a ${message} anywhere in their markup
In what ways could I use the dispatcher element to enhance the setup
further?
Thanks.
--
View this message in context:
http://www.nabble.com/Race-condition-with-values-displayed-across-redirects-tf4565759.html#a13044760
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
