44

I want my Spring MVC application to redirect to a dynamic URL (submitted by the user). So if I have code like this,

@RequestMapping("/redirectToSite")
protected ModelAndView redirect(
    @RequestParam("redir_url") String redirectUrl,
    HttpServletRequest request, 
    HttpServletResponse response) 
{
    // redirect to redirectUrl here
    return ?
}

what should I write to redirect to the submitted URL? For instance http://mySpringMvcApp/redirectToSite?redir_url=http://www.google.com should redirect to Google.

Tomasz Nurkiewicz
Gruber
  • 5
    have you tried new ModelAndView(new RedirectView(redirectUrl))? – Joe Feb 16 '12 at 13:23
  • 1
    @Joe: Worked as well. Great stuff. – Gruber Feb 16 '12 at 13:36
  • 1
    Not sure if you thought about this, but you should consider that open redirects are a security anti-pattern and you should at least do basic validation of the submitted URL before actually redirecting to it. See e.g. https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet – Kutzi Jul 10 '14 at 08:18

3 Answers

87

Try this:

@RequestMapping("/redirectToSite")
protected String redirect(@RequestParam("redir_url") String redirectUrl) 
{
    return "redirect:" + redirectUrl;
}

This is explained in 16.5.3.2 The redirect: prefix of the Spring reference documentation. Of course, you can always do this manually:

response.sendRedirect(redirectUrl);
Ryan Ransford
Tomasz Nurkiewicz
  • 1
    Thanks a lot, just tested it and it worked. Had to change the method return type from `ModelAndView` to `String`. – Gruber Feb 16 '12 at 13:30
  • @TomaszNurkiewicz this method preserves the query parameters in the url, how do I get rid of the query parameters and redirect just to the url without query parameters? – Ram Patra Nov 09 '15 at 12:08
  • @TomaszNurkiewicz I found the answer here: http://stackoverflow.com/a/32406090/1385441 – Ram Patra Nov 09 '15 at 13:11
  • Note that this code as it stands is not verifying the redirect url to ensure it's legit. I realize that this question wasn't about security, but would remind folks to not just lift this code as is. Never trust the client to always specify urls that you are okay with redirecting to. https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet – jzheaux Mar 18 '17 at 21:45
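
The validation that the comments above ask for, as an added example that is not part of the original thread: it accepts only absolute http(s) URLs whose host is on an allowlist and sends everything else to the site root. The class name, the method names, the contents of `ALLOWED_HOSTS` and the `redirect:/` fallback are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

public class RedirectTargets {
    // Assumption: the hosts this application is willing to redirect to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.google.com", "www.example.org");

    /** Returns the URL only if it is an absolute http(s) URL on an allowlisted host. */
    static Optional<String> validate(String redirectUrl) {
        if (redirectUrl == null) return Optional.empty();
        URI uri;
        try {
            uri = new URI(redirectUrl.trim()).normalize();
        } catch (URISyntaxException e) {
            return Optional.empty(); // backslashes, spaces and CR/LF do not parse
        }
        String scheme = uri.getScheme();
        String host = uri.getHost(); // null for relative and opaque (javascript:) URIs
        if (scheme == null || host == null || uri.getRawUserInfo() != null) {
            return Optional.empty(); // also rejects //host and user@host forms
        }
        boolean web = scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https");
        boolean allowed = ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        return web && allowed ? Optional.of(uri.toASCIIString()) : Optional.empty();
    }

    /** Value to return from the String-returning handler; unknown targets go to the site root. */
    static String redirectView(String redirectUrl) {
        return validate(redirectUrl).map(url -> "redirect:" + url).orElse("redirect:/");
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        List<String> samples = List.of(
            "http://www.google.com",
            "https://WWW.GOOGLE.COM/search?q=spring",
            "//other.example/",
            "http://www.google.com@other.example/",
            "http://www.google.com.other.example/",
            "http://other.example\\@www.google.com/");
        for (String s : samples) {
            System.out.println(s + " -> " + redirectView(s));
        }
    }
}
```

The comparison is made on the parsed host rather than on the raw string, so prefix or substring matches such as `www.google.com.other.example` do not pass.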
7
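@RequestMapping(value="/redirect", method=RequestMethod.GET)
void homeController(HttpServletResponse http) throws IOException {
  // Sends a 302 redirect to a fixed, server-chosen URL.
  // Let IOException propagate instead of silently swallowing it.
  http.sendRedirect("Your url here!");
}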
0

If the server responds with a 3xx status code, the browser checks the status code. If the status code is 3xx, the browser checks the Location header and redirects to the Location header's value. So setting the HTTP status and the Location header is enough.

See https://datatracker.ietf.org/doc/html/rfc7231#section-6.4

You can also consider 301 permanently moved, 302 temporary redirect, 307 and 308.

In Java code:

httpServletResponse.setStatus(308);
httpServletResponse.setHeader("Location", redirectUrl);
Roon