
I have a servlet filter which takes the jsessionid and attaches it to the response. However, it's not working correctly because the application gets stuck in an endless loop. The code looks correct, but how Tomcat deals with request and response is where the confusion lies.

Below is the doFilter method (destroy and init are blank):

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

    if ((request instanceof HttpServletRequest) && (response instanceof HttpServletResponse)) {

        HttpServletRequest rQ = ((HttpServletRequest)request);
        HttpServletResponse rS = ((HttpServletResponse)response);

        if ((!request.isSecure())) {

            // The URL, query string and session are read from the request, not the response
            String uRL = rQ.getRequestURL().toString();
            String qS = (rQ.getQueryString() == null) ? "" : "?" + rQ.getQueryString();
            String sID = rQ.getSession().getId();
            String redirectURL = uRL + ";jsessionid=" + sID + qS;

            rS.sendRedirect(redirectURL);
        }
        else {

            chain.doFilter(request, response);
        }
    }
}

I have applied the filter to all JSP pages. What I see happening is an http JSP page gets called -- let's call it Content.jsp -- and the servlet takes this page and appends the jsessionid. Then, Content.jsp is called again because of the rule I have applied to call all JSP pages and it redirects continuously.

Either I have to change my code or, somehow, intercept it before the servlet accesses the page. How can I resolve this? Perhaps, I can check if the jsessionid was appended to the URL but how could I do that???

Thank you.

user717236

1 Answer


If I'm reading it right, I expect it to loop indefinitely.

!request.isSecure(), is asking "did the client use https?". Since the redirect never changes this characteristic, the redirect will also not use https and enter that if-block again.

I suggest that the if statement should instead check to see if the jsessionid is not set in the url.

cmonkey
  • Thank you. Well, at some point, the application redirects from HTTPS to HTTP, where this filter would be applied. But how can I check if the jsessionid is not set in the url? – user717236 Dec 10 '12 at 18:14
  • At the core of this, it would help to know why you are doing this; normally you let the container take care of session creation and adding jsessionid. That said, you could invoke rS.getSession( false ). If it returns null, no session exists, meaning jsessionid is not set (or set to an id the server doesn't understand). However, the session could still be in a cookie. – cmonkey Dec 10 '12 at 18:41
  • Thank you. It's related to a couple of threads I created about Android 3.x and lower recreating the jsessionid for each request to the server. Passing the jsessionid into the URL may be a good workaround, assuming it works for my particular web application. – user717236 Dec 10 '12 at 19:11
  • Suggest using getRequestedSessionId() in your if statement, then. – cmonkey Dec 10 '12 at 19:24
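
The check suggested in the answer and comments, written out as an added example (not code from either poster): the filter redirects only while the request does not yet carry a valid jsessionid in its URL, so the redirected request passes through instead of looping. The class name is hypothetical, and the sketch assumes the container has URL-based session tracking enabled.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; the page does not name its filter.
public class SessionIdUrlFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest rQ = (HttpServletRequest) request;
        HttpServletResponse rS = (HttpServletResponse) response;

        // True once the client sends back ;jsessionid=... for a session the container still knows.
        // Assumption: URL session tracking is enabled, otherwise this is never true.
        boolean idInUrl = rQ.isRequestedSessionIdFromURL() && rQ.isRequestedSessionIdValid();

        if (rQ.isSecure() || idInUrl) {
            chain.doFilter(request, response);   // loop guard: nothing left to append
            return;
        }

        // An expired id may still be in the URL; drop it before appending the current one.
        String url = rQ.getRequestURL().toString();
        int semi = url.indexOf(";jsessionid=");
        if (semi >= 0) {
            url = url.substring(0, semi);
        }
        StringBuilder target = new StringBuilder(url);
        target.append(";jsessionid=").append(rQ.getSession().getId());
        if (rQ.getQueryString() != null) {
            target.append('?').append(rQ.getQueryString());   // path parameter precedes the query
        }
        rS.sendRedirect(target.toString());
    }
}
```

Session ids carried in URLs end up in access logs, browser history and Referer headers, so map the filter only to the pages that need the workaround.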