GET and POST HTTPS methods are interoperable in Servlet

answered 2022-12-06 15:05:49 +0800

MDuchemin
2480 ● 1 ● 6

get contains the actual code: https://github.com/zkoss/zk/blob/master/zk/src/org/zkoss/zk/au/http/DHtmlUpdateServlet.java#L393

post is routed to get because they are expected to do the same thing (expected for most traffic): https://github.com/zkoss/zk/blob/master/zk/src/org/zkoss/zk/au/http/DHtmlUpdateServlet.java#L457

• This URL is not reached by user actions, only automated Client-Engines /zkau request and responses

• The distinction between post and get mostly matters when sending forms as "action", this is not the case with /zkau (the url used by the DhtmlUpdateServlet). Instead the servlet only receives Ajax calls with a payload (not get params or form content), which means that such request don't show up in the browser history, and their content is also not visible by inspecting the URL.

• Additionally, the payload is encrypted when using SSL (https), which prevents MitM attacks, which cannot read the request body without the proper certificate exchange.

• the DhtmlUpdateServlet doesn't serve pages. It receives client-side events and updates, and returns server-to-client updates and commands.

The other relevant servlet would be DhtmlLayoutServlet, which is in charge of receiving page requests, but the comments are mostly the same:

• ZK doesn't rely on form action, so the distinction between post and get is mostly meaningless.

• servlet output is expected to be the same for post and get.

As a result, this was reported a few times, but never considered to be a security risk in a ZK application.

This said, ZK is pretty flexible, and if you need to modify how the servlets act, you can absolutely extend the default servlets, modify doPost and doGet, and register your extended servlets in web.xml instead of the default layout and update servlets respectively.