Redirect to dynamic URL in Spring MVC

Asked 16/2, 2012 at 13:17 Answered 29/4, 2022 at 7:52

I want my Spring MVC application to redirect to a dynamic URL (submitted by the user). So if I have code like this,

@RequestMapping("/redirectToSite")
protected ModelAndView redirect(
    @RequestParam("redir_url") String redirectUrl,
    HttpServletRequest request, 
    HttpServletResponse response) 
{
    // redirect to redirectUrl here
    return ?
}

what should I write to redirect to the submitted URL? For instance http://mySpringMvcApp/redirectToSite?redir_url=http://www.google.com should redirect to Google.

Providential answered 16/2, 2012 at 13:17 Comment(3)

have you tried new ModelAndView(new RedirectView(redirectUrl))? – Assemblage 16/2, 2012 at 13:23

@Joe: Worked as well. Great stuff. – Providential 16/2, 2012 at 13:36

Not sure if you thought about this, but you should consider that open redirects are a security anti pattern and you should at least do basic validation of the submitted url before actually redirecting to it. See e.g. owasp.org/index.php/… – Sampler 10/7, 2014 at 8:18

Try this:

@RequestMapping("/redirectToSite")
protected String redirect(@RequestParam("redir_url") String redirectUrl) 
{
    return "redirect:" + redirectUrl;
}

This is explained in 16.5.3.2 The redirect: prefix of Spring reference documentation. Of course you can always do this manually:

response.sendRedirect(redirectUrl);

Somme answered 16/2, 2012 at 13:22 Comment(4)

Thanks a lot, just tested it and it worked. Had to change the method return type from ModelAndView to String. – Providential 16/2, 2012 at 13:30

@TomaszNurkiewicz this method preserves the query parameters in the url, how do I get rid of the query parameters and redirect just to the url without query parameters? – Quadriceps 9/11, 2015 at 12:8

@TomaszNurkiewicz I found the answer here: https://mcmap.net/q/197006/-spring-mvc-controller-redirect-without-parameters-being-added-to-my-url – Quadriceps 9/11, 2015 at 13:11

Note that this code as it stands is not verifying the redirect url to ensure it's legit. I realize that this question wasn't about security, but would remind folks to not just lift this code as is. Never trust the client to always specify urls that you are okay with redirecting to. owasp.org/index.php/… – Erastes 18/3, 2017 at 21:45

@RequestMapping(value="/redirect",method=RequestMethod.GET)
void homeController(HttpServletResponse http){
  try {
    http.sendRedirect("Your url here!");
  } catch (IOException ex) {

  }
}

Festa answered 21/10, 2016 at 22:47 Comment(0)

If server response with 3xx status code, then browser check status code. If status code is 3xx, then browser check Location header. and redirect to Location header's value. So setting http status, Location header is enough.

see https://datatracker.ietf.org/doc/html/rfc7231#section-6.4

Also you can consider 301 permanent moved, 302 temporary redirect, 307 and 308.

in java code.

httpServletResponse.setStatus(308);
httpServletResponse.setHeader("Location", redirectUrl);

Payment answered 29/4, 2022 at 7:52 Comment(0)

Recommended topics

Hot tags