ForwardedHeaderFilter and RelativeRedirectFilter redirect with code 303 instead of 302?

Open xiaoxiyao opened this issue 4 years ago • 2 comments

Affects: 5.2.16

MDN says that 303 is usually used for PUT or POST requests. Why not use 302 here?

xiaoxiyao Sep 23 '21 07:09

Currently, this status is generated by the application server in its implementation of HttpServletResponse. For example, Tomcat uses SC_FOUND = 302 for a response.

package org.apache.catalina.connector;
//........
public class Response implements HttpServletResponse {
    //........
    @Override
    public void sendRedirect(String location) throws IOException {
        sendRedirect(location, SC_FOUND);
        //........

Tomcat is still running legacy software that might not support status 303. I think Tomcat will switch to the new status (303) in the future. I think this issue is not related to Spring.

AntonLGVS Nov 16 '22 05:11

> Currently, this status is generated by the application server in its implementation of HttpServletResponse. For example, Tomcat uses SC_FOUND = 302 for a response.
>
> package org.apache.catalina.connector;
> //........
> public class Response implements HttpServletResponse {
>     //........
>     @Override
>     public void sendRedirect(String location) throws IOException {
>         sendRedirect(location, SC_FOUND);
>         //........
>
> Tomcat is still running legacy software that might not support status 303. I think Tomcat will switch to the new status (303) in the future. I think this issue is not related to Spring.

https://github.com/spring-projects/spring-framework/blob/09a58a55bf7882f24352c0bb2ecf742c14c22cc3/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java#L150

https://github.com/spring-projects/spring-framework/blob/09a58a55bf7882f24352c0bb2ecf742c14c22cc3/spring-web/src/main/java/org/springframework/web/filter/RelativeRedirectFilter.java#L47

xiaoxiyao Nov 16 '22 06:11

MDN says the following about 302:

> Even if the specification requires the method (and the body) not to be altered when the redirection is performed, not all user-agents conform here - you can still find this type of bugged software out there. It is therefore recommended to set the 302 code only as a response for GET or HEAD methods and to use 307 Temporary Redirect instead, as the method change is explicitly prohibited in that case.
>
> In the cases where you want the method used to be changed to GET, use 303 See Other instead. This is useful when you want to give a response to a PUT method that is not the uploaded resource but a confirmation message such as: 'you successfully uploaded XYZ'.

Note that the RelativeRedirectFilter makes this status configurable and 303 is merely the default value.

If there is a particular issue with this, please raise the problem here with a sample application that demonstrates it.

bclozel Jan 02 '24 17:01
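
The method handling described in the MDN passage quoted above can be observed directly. The following is an added example, not code from Spring, Tomcat or any commenter in this thread: it uses only the JDK (11 or later) to POST a form body to a local server that answers with 302, 303 and 307, and prints the method and body size the JDK client delivers to the redirect target. The class name, the `/redirect/<code>` and `/target` paths and the form field are constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class RedirectMethodDemo {
    public static void main(String[] args) throws Exception {
        // Constructed local server on an ephemeral loopback port.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);

        // /redirect/<code> answers any request with that status and a relative Location.
        server.createContext("/redirect/", ex -> {
            String path = ex.getRequestURI().getPath();
            int code = Integer.parseInt(path.substring(path.lastIndexOf('/') + 1));
            ex.getRequestBody().readAllBytes();           // drain the POST body
            ex.getResponseHeaders().add("Location", "/target");
            ex.sendResponseHeaders(code, -1);             // -1: no response body
            ex.close();
        });

        // /target reports the method and body size that arrived after the redirect.
        server.createContext("/target", ex -> {
            int bodyLen = ex.getRequestBody().readAllBytes().length;
            byte[] out = (ex.getRequestMethod() + " bodyBytes=" + bodyLen)
                    .getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, out.length);
            ex.getResponseBody().write(out);
            ex.close();
        });
        server.start();

        HttpClient client = HttpClient.newBuilder()
                .version(HttpClient.Version.HTTP_1_1)
                .followRedirects(HttpClient.Redirect.NORMAL)
                .build();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        try {
            for (int code : new int[] {302, 303, 307}) {
                HttpRequest post = HttpRequest.newBuilder(URI.create(base + "/redirect/" + code))
                        .POST(HttpRequest.BodyPublishers.ofString("field=constructed-value"))
                        .build();
                HttpResponse<String> resp = client.send(post, HttpResponse.BodyHandlers.ofString());
                System.out.println(code + " -> target saw " + resp.body());
            }
        } finally {
            server.stop(0);
        }
    }
}
```

A status that preserves the method also replays the request body to whatever the Location header names, which is worth checking whenever the redirect follows a form submission that carries sensitive fields.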