[
https://jira.jboss.org/browse/GTNPORTAL-1348?page=com.atlassian.jira.plug...
]
kien nguyen commented on GTNPORTAL-1348:
----------------------------------------
I found that the Servlet spec says this about the RequestDispatcher.include() method:
"It can only write information to the ServletOutputStream or Writer of the
response object and commit a response by writing content past the end of the
response buffer, or by explicitly calling the flushBuffer method of the
ServletResponse interface. It cannot set headers or call any method that affects
the headers of the response. Any attempt to do so must be ignored."
That means: setting text/html content-type (in login.jsp) will be ignored.
I am not sure about Tomcat's implementation of this, but we shouldn't set any headers
in an include-dispatched servlet.
I also ran some tests: it's almost OK with the alternative forward() method, or with
setting the content-type before calling the include() method (in ErrorLoginServlet.java).
Login page, when username or password is incorrect, is shown as JSP source
code.
---------------------------------------------------------------------------
Key: GTNPORTAL-1348
URL: https://jira.jboss.org/browse/GTNPORTAL-1348
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Environment: Gatein under apache web server.
Reporter: Andrey Parfonov
Assignee: kien nguyen
Fix For: 3.2.0-GA
Original Estimate: 4 hours
Remaining Estimate: 4 hours
When the code in org.exoplatform.web.login.ErrorLoginServlet (line 69)
    context.getRequestDispatcher("/login/jsp/login.jsp").include(req, resp);
is replaced by
    context.getRequestDispatcher("/login/jsp/login.jsp").forward(req, resp);
the problem is gone. There is no more JSP source code, but HTML
with the correct message about the wrong password.
NOTE: if Tomcat is used without the Apache front-end, the problem does not appear (why is not clear).
Using the include method looks not quite correct because headers, including
'Content-Type' (it is the core of the problem), may not be copied from the JSP.
The included servlet cannot change the response status code or headers.
Complex testing is needed to be sure that changing include to forward does not break
anything.
As an alternative solution (if the forward method is not acceptable for some reason), it is
possible to set the Content-Type header directly in
org.exoplatform.web.login.ErrorLoginServlet,
but it looks much worse IMO.
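
Added example, not GateIn's code and not part of the original message: a hypothetical servlet showing the two workarounds discussed above, forward() versus declaring the Content-Type in the caller before include(). The class name, the "useForward" init parameter and the UTF-8 charset are assumptions; the JSP path is the one quoted in the issue.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added illustration (hypothetical class, not GateIn's ErrorLoginServlet).
// Written against the javax.servlet API.
public class LoginErrorDispatchExample extends HttpServlet {

    // JSP path as quoted in the issue description.
    private static final String LOGIN_JSP = "/login/jsp/login.jsp";

    // Assumption: a "useForward" init-param selects between the two workarounds.
    private boolean useForward;

    @Override
    public void init() {
        // A missing parameter yields null, which parseBoolean treats as false.
        useForward = Boolean.parseBoolean(getInitParameter("useForward"));
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        RequestDispatcher login = getServletContext().getRequestDispatcher(LOGIN_JSP);
        if (login == null) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }

        if (useForward && !resp.isCommitted()) {
            // forward(): the JSP takes over the response, so the content type it
            // declares is honoured. Only legal before the response is committed.
            login.forward(req, resp);
            return;
        }

        // include(): header calls made inside the JSP are ignored, so the caller
        // must declare the type itself, before any output is written.
        if (resp.getContentType() == null) {
            resp.setContentType("text/html; charset=UTF-8"); // charset is an assumption
        }
        login.include(req, resp);
    }
}
```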