A Controller servlet may perform either a forward or a redirect operation at the end of processing a request. It is important to understand the difference between these two cases, in particular with respect to browser reloads of web pages.
- a forward is performed internally by the application (servlet).
  - the browser is completely unaware that it has taken place, so its original URL remains intact
  - any browser reload of the resulting page will simply repeat the original request, with the original URL
- a redirect is a two-step process, where the web application instructs the browser to fetch a second URL, which differs from the original
  - a browser reload of the second URL will not repeat the original request, but will rather fetch the second URL
  - redirect is marginally slower than a forward, since it requires two browser requests, not one
  - objects placed in the original request scope are not available to the second request.
There are several ways to perform a redirect. Here are a few common ones:
- URL Redirection (HTTP 301):
    HTTP/1.1 301 moved permanently
    Location: http://www.example.org/
- HTTP Refresh Header (Not Recommended):
    HTTP/1.1 200 ok
    Refresh: 0; url=http://www.example.com/
- HTML <meta /> tag:
    <meta http-equiv="refresh" content="0; URL=http://www.example.org/" />
In general, a forward should be used if the operation can be safely repeated upon a browser reload of the resulting web page; otherwise, redirect must be used. Typically, if the operation performs an edit on the datastore, then a redirect, not a forward, is required. This is simply to avoid the possibility of inadvertently duplicating an edit to the database.
More explicitly:
- for SELECT operations, use a forward
- for INSERT, UPDATE, or DELETE operations, use a redirect
In HTML, a <FORM> tag can either GET or POST its data. In this context, a GET corresponds to a SELECT-then-forward, and a POST corresponds to an edit-then-redirect.
It is strongly recommended that forms for the input of search criteria should use GET, while forms for editing database records should use POST.
SECURITY NOTE: When using GET, be sure not to expose sensitive data in the URLs.
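The rules above, put together in one Controller servlet. This is an added example, not code from the original page. It assumes the javax.servlet API (Servlet 3.0 or later); the class names, URL pattern, JSP path, parameter names and the in-memory RecordStore are hypothetical.

```java
import java.io.IOException;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.stream.Collectors;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Hypothetical controller: URL pattern, JSP path, parameter names and the
// RecordStore helper are assumptions made for this example.
@WebServlet("/records")
public class RecordController extends HttpServlet {
    // GET = SELECT-then-forward: a reload repeats a harmless search.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession s = req.getSession(false);
        if (s != null && s.getAttribute("flash") != null) {
            // Request-scope objects do not survive a redirect, so the message
            // from the preceding POST travelled in the session; show it once.
            req.setAttribute("flash", s.getAttribute("flash"));
            s.removeAttribute("flash");
        }
        req.setAttribute("results", RecordStore.search(req.getParameter("q")));
        req.getRequestDispatcher("/WEB-INF/records.jsp").forward(req, resp);
    }

    // POST = edit-then-redirect: a reload re-fetches the list, not the INSERT.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        long id = RecordStore.insert(req.getParameter("name"), req.getParameter("note"));
        req.getSession().setAttribute("flash", "Record " + id + " saved");
        // The redirect URL ends up in browser history and server logs, so it
        // carries no form data: only a fixed, application-relative path.
        resp.sendRedirect(req.getContextPath() + "/records");
    }
}

// Stand-in for the datastore so the example is self-contained.
final class RecordStore {
    private static final List<String> ROWS = new CopyOnWriteArrayList<>();
    static synchronized long insert(String name, String note) {
        ROWS.add(name + ": " + note);
        return ROWS.size();
    }
    static List<String> search(String q) {
        return ROWS.stream().filter(r -> q == null || r.contains(q)).collect(Collectors.toList());
    }
}
```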