redirect with status code 307 (for POST)

Hi,

On Tue, Nov 3, 2009 at 1:04 AM, Colin <colini98@...> wrote:
> I can't get UrlRewrite ver 2.6 to return 307.  I've tried "permanent-
> redirect", "redirect", and "temporary-redirect" but they return
> statuses 301, 302, and 302, respectively.  When wget receives these
> statuses in response to a POST it always uses GET for the new Location
> (not what I want.)

I think "redirect" could work, but I'm not sure. Are you sure you're
using a version of the servlet API that supports 307?

Version 3.2 is plenty stable btw, I'd recommend upgrading.

> I have two questions:
> 1.  Does result 307 actually instruct clients to retry their request
> using the same method?

It should. But keep in mind that POST after POST has always been a bit
buggy and is only supposed to work on HTTP/1.1 clients. How about
proxying the request? I think that might work.

> 2.  Is there a way to get UrlRewrite to return status 307?

Have a look at the <run> method, it allows you to get at the
HttpServletResponse so you can set the status yourself. Not very
elegant, but I'm pretty sure it'll work.

regards,
Wim

Hi,

On Thu, Nov 5, 2009 at 5:24 AM, Avlesh Singh <avlesh@...> wrote:
>> > I have two questions:
>> > 1.  Does result 307 actually instruct clients to retry their request
>> > using the same method?
>>
>> It should. But keep in mind that POST after POST has always been a bit
>> buggy and is only supposed to work on HTTP/1.1 clients. How about
>> proxying the request? I think that might work.
>
> There is a SLIGHT misunderstanding here. Status code 307 is NOT expected to
> work as described in the thread. Underneath is a short snippet from W3 RFC
> on status codes. This is what it says on the 3XX series -
>
>> This class of status code (3XX) indicates that further action needs to be
>> taken by the user agent in order to fulfill the request. The action required
>> MAY be carried out by the user agent without interaction with the user if
>> and only if the method used in the second request is GET or HEAD. A client
>> SHOULD detect infinite redirection loops, since such loops generate network
>> traffic for each redirection.
>
> For more read here - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
>
> Bottomline, the redirect request can ONLY be GET or HEAD. This is the harsh
> realty of life!

Actually I think you're missing an important modifier here: "without
interaction with the user". What the standard says is that redirect
works for any type, but in the case of a 307 POST the user client is
not allowed to redirect without asking for user confirmation. POST
after POST does indeed work AFAIK. It just doesn't work very well or
very consistently. If I'm not mistaken IE6 doesn't ask for
confirmation, but most other browsers will. I haven't tested it in a
while.

regards,
Wim

On Thu, Nov 5, 2009 at 12:10 PM, Avlesh Singh <avlesh@...> wrote:
>> Actually I think you're missing an important modifier here: "without
>> interaction with the user". What the standard says is that redirect
>> works for any type, but in the case of a 307 POST the user client is
>> not allowed to redirect without asking for user confirmation. POST
>> after POST does indeed work AFAIK. It just doesn't work very well or
>> very consistently. If I'm not mistaken IE6 doesn't ask for
>> confirmation, but most other browsers will. I haven't tested it in a
>> while.
>
> You misread it Wim. I'll try to be visual and explain it -
>
> Request-1 (GET/POST/HEAD) -> Location: URL-2; Code: 307 -> Request-2 (ONLY
> GET/HEAD)
> If Request-1 is POST, then a redirect would also ask for a user confirmation
> (this is how 307 differs from 302/303, wherein the requested resource is
> treated as MOVED and the client is NOT asked to confirm)

I reiterate, I do not think I am misreading it. The RFC specifically
allows for a 307 to result in a POST request, namely here:
 "If the 307 status code is received in response to a request other
than GET or HEAD, the user agent MUST NOT automatically redirect the
request unless it can be confirmed by the user, since this might
change the conditions under which the request was issued. "

In principle, even a 301 should be able to redirect to a POST in the
second request. The real-world behaviour is for browsers to convert
the request into a GET though (see the note). A 303 was specifically
introduced to allow the server to indicate the request should be
converted to a GET. A 307 on the other hand, does not allow a client
to change the request method.

> Moreover, the 3xx response is supposed to be headers only with no body.
> State-2 in the visual above CANNOT have a body. In this case you anyways
> have no way of passing the post data back to the client. And even if you do,
> they are NOT supposed to be used. As I earlier said redirects can only be
> GET/HEAD.

The client is supposed to re-present the same post parameters to the
new location. I never said the server returned those parameters in
some way.

>
> Clear?

I really don't see how I'm misreading it. I think you simply have it
wrong in this case.

regards,
Wim

How about:
http://www.andypemberton.com/sandbox/prg/

I tried it with a 307. In firebug I'm seeing 2 POSTs and the required
browser behaviour (confirmation before second POST).

regards,
Wim

On Fri, Nov 6, 2009 at 3:19 AM, Avlesh Singh <avlesh@...> wrote:
>> I really don't see how I'm misreading it. I think you simply have it wrong
>> in this case.
>
> I'll try and put up a sample on the web today.
>
> Cheers
> Avlesh
>
> On Thu, Nov 5, 2009 at 6:02 PM, Wim De Smet <kromagg@...> wrote:
>>
>> On Thu, Nov 5, 2009 at 12:10 PM, Avlesh Singh <avlesh@...> wrote:
>> >> Actually I think you're missing an important modifier here: "without
>> >> interaction with the user". What the standard says is that redirect
>> >> works for any type, but in the case of a 307 POST the user client is
>> >> not allowed to redirect without asking for user confirmation. POST
>> >> after POST does indeed work AFAIK. It just doesn't work very well or
>> >> very consistently. If I'm not mistaken IE6 doesn't ask for
>> >> confirmation, but most other browsers will. I haven't tested it in a
>> >> while.
>> >
>> > You misread it Wim. I'll try to be visual and explain it -
>> >
>> > Request-1 (GET/POST/HEAD) -> Location: URL-2; Code: 307 -> Request-2
>> > (ONLY
>> > GET/HEAD)
>> > If Request-1 is POST, then a redirect would also ask for a user
>> > confirmation
>> > (this is how 307 differs from 302/303, wherein the requested resource is
>> > treated as MOVED and the client is NOT asked to confirm)
>>
>> I reiterate, I do not think I am misreading it. The RFC specifically
>> allows for a 307 to result in a POST request, namely here:
>>  "If the 307 status code is received in response to a request other
>> than GET or HEAD, the user agent MUST NOT automatically redirect the
>> request unless it can be confirmed by the user, since this might
>> change the conditions under which the request was issued. "
>>
>> In principle, even a 301 should be able to redirect to a POST in the
>> second request. The real-world behaviour is for browsers to convert
>> the request into a GET though (see the note). A 303 was specifically
>> introduced to allow the server to indicate the request should be
>> converted to a GET. A 307 on the other hand, does not allow a client
>> to change the request method.
>>
>> > Moreover, the 3xx response is supposed to be headers only with no body.
>> > State-2 in the visual above CANNOT have a body. In this case you anyways
>> > have no way of passing the post data back to the client. And even if you
>> > do,
>> > they are NOT supposed to be used. As I earlier said redirects can only
>> > be
>> > GET/HEAD.
>>
>> The client is supposed to re-present the same post parameters to the
>> new location. I never said the server returned those parameters in
>> some way.
>>
>> >
>> > Clear?
>>
>> I really don't see how I'm misreading it. I think you simply have it
>> wrong in this case.
>>
>> regards,
>> Wim
>>
>>
>
>
> >
>