Unwanted comma-separated arguments to Spring controller method


I'm seeing a strange problem with a Spring MVC controller. This method is intended to set the password. It takes two form parameters, "password" and "confirmPassword". The first time the form is called, this works fine: the fields are passed to the method.

The problem occurs when the form is submitted a second time. If the form is incorrectly filled out the first time, the user is correctly sent back to the form page and prompted to enter the password again. However, the arguments to the method are incorrect on the second try. The arguments are a comma-separated list which includes the first form entry concatenated with the second.

Example:

First form post with field "password" has a value of "abc". Method argument "password" has value "abc".

Second form post with field "password" and a value of "xyz". Method argument "password" has value "xyz,abc".

The Spring MVC docs don't indicate much that is useful. Somehow the old form post is remembered and included. Does anyone have experience in solving this?

Controller method is below:

    @RequestMapping(value = "/account/reset", method = RequestMethod.POST)
    public String resetPassword(@RequestParam("password") String password,
            @RequestParam("confirmPassword") String confirmPassword,
            @RequestParam("hash") String hash, ModelMap model) throws EncryptionException
    {
        String userName = stringEncrypterService.decrypt(hash);
        User user = userService.findUserByPath(userName);

        if (!password.equals(confirmPassword))
        {
            model.put("hash", hash);
            model.put("user", user);
            model.put("error",
                    "The two passwords you entered below do not match. Please try again.");

            return "users/resetPassword";
        }

        userService.updatePassword(user, password);
        emailService.sendUserInfoChange(user);
        return "redirect:/session/signin?passwordReset=true";
    }

Update: Several responders have suggested that perhaps the problematic posts have extra URL parameters or hidden form fields resulting in duplicate field names. I confirmed with Fiddler that this is not the case. Here's the raw request from the third try (slightly edited to remove the session cookie).

    POST http://wintest.foriodev.com/simulate/account/reset/ HTTP/1.1
    Host: wintest.foriodev.com
    Connection: keep-alive
    Referer: http://wintest.foriodev.com/simulate/account/reset/
    Content-Length: 73
    Cache-Control: max-age=0
    Origin: http://wintest.foriodev.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
    Content-Type: application/x-www-form-urlencoded
    Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Cookie: AUTOLOGIN_TOKEN=xyz; SIMULATE_WORKER=wintest; JSESSIONID=xyz;

    password=a&hash=xyz&confirmPassword=a&save=Reset+Password
Will Glass asked Mar 15 '11 04:03



1 Answer

I think the reason for this is because of

    return "redirect:/session/signin?passwordReset=true";

With redirect: the framework uses the URL-rewriting technique, similar to the basic response.sendRedirect(...) in servlets, and hence the parameter values are appended along with the request to the subsequent requests and so on.

Try using a different mechanism rather than "redirect:"

user960587 answered Sep 29 '22 17:09
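
A value such as "xyz,abc" is what a String-typed @RequestParam holds when the container sees more than one value for the same parameter name, because Spring MVC joins the values with commas. The plain-JDK program below is an added example, not code from the question or the answer. Its class name, method names and sample input are constructed. It counts the values per name and rejects a credential field that arrives more than once.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
public class DuplicateParamCheck {
    // Collect every value per name across all sources (query string, form body),
    // the way a servlet container exposes them through getParameterValues().
    static Map<String, List<String>> parse(String... sources) {
        Map<String, List<String>> params = new LinkedHashMap<>();
        for (String source : sources) {
            for (String pair : source.split("&")) {
                if (pair.isEmpty()) continue;
                int eq = pair.indexOf('=');
                String name = decode(eq < 0 ? pair : pair.substring(0, eq));
                String value = eq < 0 ? "" : decode(pair.substring(eq + 1));
                params.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
            }
        }
        return params;
    }
    static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    // What a String-typed @RequestParam receives: all values joined with commas.
    static String looseBind(Map<String, List<String>> params, String name) {
        List<String> values = params.get(name);
        return values == null ? null : String.join(",", values);
    }

    // Hardened accessor: a credential field must arrive exactly once.
    static String requireSingle(Map<String, List<String>> params, String name) {
        List<String> values = params.getOrDefault(name, List.of());
        if (values.size() != 1)
            throw new IllegalArgumentException(name + ": expected 1 value, got " + values.size());
        return values.get(0);
    }

    public static void main(String[] args) {
        // Constructed sample: "password" occurs once in each of two sources.
        Map<String, List<String>> p = parse("password=xyz", "password=abc&confirmPassword=xyz&hash=h");
        p.forEach((k, v) -> System.out.println(k + " -> " + v.size() + " value(s)")); // counts only, never values
        System.out.println("loose bind: " + looseBind(p, "password"));
        try {
            requireSingle(p, "password");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a controller the same check can be made by reading request.getParameterValues("password") and requiring an array of length one before the value reaches userService.updatePassword.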