4

I'm currently developing a Servlet that runs under Glassfish 4. I implemented the doPost() method and I need to ensure that the parameters are passed using the POST body, and not in the query string.

I wrote a test implementation to check it:

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

    String name = request.getParameter("name");

    response.getOutputStream().print(name);
}

If I call my page with POST with this url:

http://localhost:8080/myservlet/testservlet

and pass name=Nico into the post body, the value Nico is returned, and it's okay.

Now if I call it this way:

http://localhost:8080/myservlet/testservlet?name=Robert

and I still pass name=Nico in the POST body, Robert is returned, and the name=Nico is ignored.

I would just like to prevent parameters from being passed in the URL.
Is there a way to explicitly retrieve parameters from the POST body instead of body + query string?

4
  • Why are you doing this on the receiving end? If you want to avoid parameters being passed in the URL, then by the time your doPost runs, it's too late. Commented Jul 9, 2014 at 9:06
  • @immibis: thanks for your comment, but I'm not sure I understand. I'm pretty new to servlet development and I'm not very aware of the workflow. Do you mean I could intercept the request beforehand to achieve this? Commented Jul 9, 2014 at 9:15
  • Only one parameter 'name', so you can't. Commented Jul 9, 2014 at 9:22
  • @Nico What I just said isn't a servlet-specific thing. But to use an analogy, let's say I yell at you across a crowded room "HEY NICO, MY PASSWORD IS PASSWORD42". Yelling back "I'M NOT LISTENING BECAUSE YOU JUST TOLD EVERYONE YOUR PASSWORD" isn't going to achieve anything. Commented Jul 9, 2014 at 9:24

4 Answers 4

2

Check the javadoc for the getParameter method:

https://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/ServletRequest.html#getParameter%28java.lang.String%29

As stated there, you are sending 2 parameters on the request with the same name, one from the query string and another in the body.

Now it is up to you to either validate that no parameter is coming from the query string or read values directly from the request body.


1 Comment

Hi all, and thank you for your time. Well, I expected something like PHP's $_POST and $_GET. In the end, the getParameter() method acts more like PHP's $_REQUEST. Well, I'll mark @hvieira's answer as good because the link provided explains my problem (although it doesn't solve it) and the suggestion to process the raw response body fits well for the question I asked. Anyway, thanks all for your comments! And finally you're right, there's no need to wonder where the parameter comes from... I was just focused on PHP's $_POST and $_GET arrays. Nico
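
One way to implement the first option from the accepted answer (validate that the parameter does not arrive in the query string), as an added example that is not code from the question or any of the answers; the class name `BodyOnlyServlet`, the helper `inQueryString` and the URL pattern are assumptions:

```java
import java.io.IOException;
import java.net.URLDecoder;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; the class name and URL pattern are assumptions.
@WebServlet("/testservlet")
public class BodyOnlyServlet extends HttpServlet {

    // True if the raw (still percent-encoded) query string carries a parameter called 'wanted'.
    static boolean inQueryString(String rawQuery, String wanted) throws IOException {
        if (rawQuery == null) {
            return false; // URL had no "?..." part at all
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String rawName = (eq >= 0) ? pair.substring(0, eq) : pair;
            try {
                // Decode first, so "?%6Eame=Robert" is recognised as "name" as well.
                if (URLDecoder.decode(rawName, "UTF-8").equals(wanted)) {
                    return true;
                }
            } catch (IllegalArgumentException malformedEscape) {
                return true; // fail closed: a name we cannot decode is treated as a hit
            }
        }
        return false;
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (inQueryString(request.getQueryString(), "name")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "'name' must be sent in the POST body, not in the URL");
            return;
        }
        // Nothing named "name" in the URL, so getParameter() can only see the form body
        // (parsed by the container for application/x-www-form-urlencoded POSTs).
        String name = request.getParameter("name");
        response.getOutputStream().print(name);
    }
}
```

Rejecting the request does not undo the exposure: a value sent in the URL may already be in access logs, proxies and browser history by the time `doPost()` runs.
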
2

In most cases, you can read both of them using getParameterValues: the first one is the query string and the second one is the POST body. Now you can decide which one to use.

String[] lines = request.getParameterValues("name");

1 Comment

In the most common case this is true. It is also possible for getParameterValues() to return more than 2 Strings. This is the case when a form contains array names. Let's say a form has 2 elements named "settings[]". Calling getParameterValues("settings[]") then returns 4 elements: 2 from the query string and 2 from the POST data. But the query string is exposed to manipulation. So there is no guarantee of how to split the returned values into GET and POST parts.
0

Did you check what request.getAttribute() returns?

Anyway, you can't prevent people from trying to send you evil data, either in the URL or by tinkering with the POST request.

So when you work with input from a website, always imagine a hacker sitting on the other side and sending you evil content in your parameters, like SQL injections. So you need good validation to only let good content through to your database.

Because it's not your problem if a user enters his username as a parameter in the URL. Let him have the fun, if he prefers this way over the input field. The hackers are the problem.


-2

I think it is a problem with the front-end code rather than the servlet. Any POST request submission from the UI should strip the query string.
