Servlet Forward on Post Validation Failure and Post-Redirect-Get

一生所求 2021-01-25 20:06

One strategy for handling validation of a form that is posted to a Java Servlet is to forward back to the original JSP view on validation failure. This allows the user to see t

1 Answer
  • 2021-01-25 21:00

    As far as I can tell the forward on validation failure approach is flawed and shouldn't be used. Instead use one of these:

    1. Store validation error messages in session and do a redirect.

    2. Use AJAX to submit forms.

    3. Catch all validation errors on the client with JavaScript and treat validation failures that reach the server as application errors and assume someone is posting to the server directly without using the application form or the application form has a bug. If you forward to an error page you'll have the same problem, but attackers deserve a jacked-up browser history. If the session is available you could stuff the error message in the session and do a redirect. Either way it removes validation from the server in "normal" operation and sidesteps the issue somewhat.

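Option 1 from the answer above (store the validation errors in the session, then redirect) as an added example that is not part of the original answer. The `/register` and `/welcome` paths, the `email` field, the JSP location and the `flashErrors` attribute name are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: paths, field name and attribute name are assumptions.
@WebServlet("/register")
public class RegisterServlet extends HttpServlet {
    private static final String FLASH = "flashErrors";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        List<String> errors = new ArrayList<>();
        String email = req.getParameter("email");
        if (email == null || !email.matches("[^@\\s]+@[^@\\s]+")) {
            errors.add("Please enter a valid e-mail address.");
        }
        if (!errors.isEmpty()) {
            // Validation failed: park the messages in the session and redirect,
            // so the browser's last request is a GET and a refresh does not re-POST.
            req.getSession().setAttribute(FLASH, errors);
            resp.sendRedirect(req.getContextPath() + "/register");
            return;
        }
        // Validation passed: the application would persist the data here.
        resp.sendRedirect(req.getContextPath() + "/welcome");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute(FLASH) != null) {
            // Move the messages to request scope and drop them from the session
            // so they are shown once and not on later visits.
            req.setAttribute("errors", session.getAttribute(FLASH));
            session.removeAttribute(FLASH);
        }
        req.getRequestDispatcher("/WEB-INF/register.jsp").forward(req, resp);
    }
}
```

The stored messages are fixed strings rather than echoed input; if the JSP also redisplays submitted values, render them with `<c:out>` so they are HTML-escaped.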