Java EE: Getting parameters from POST for a login form

I am trying to implement a simple login servlet but it's not working properly.

What I wanted to know is how to pass the parameters using a HTTP POST. It already works with HTTP GET but the username and password are visible from the URL. It would be better to hide them in a POST.

<form method="post" action="home" >
  <input name="username" class="form-login" title="Username" value="" size="30" maxlength="2048" />
  <input name="password" type="password" class="form-login" title="Password" value="" size="30" maxlength="2048" />
  <input type="submit" value="Connect">
</form>

web.xml

  <servlet>
    <servlet-name>home</servlet-name>
    <servlet-class>controller.HomeController</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>home</servlet-name>
    <url-pattern>/home</url-pattern>
  </servlet-mapping>

Servlet:

public class HomeController extends HttpServlet {

    private HttpSession session;
    private UserBean userBean;

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        UserBean user = new UserBean();
        String userName = request.getParameter("username");
        String password = request.getParameter("password");

        user.setUsername(userName);
        user.setPassword(password);

        user = UserDAO.login(user);

        dispatch(request, response, ApplicationRessource.getInstance().getHomePage());
    }

    protected void dispatch(HttpServletRequest request,
                HttpServletResponse response, String page)
            throws javax.servlet.ServletException, java.io.IOException {
        RequestDispatcher dispatcher = getServletContext()
                .getRequestDispatcher(page);
        dispatcher.forward(request, response);
    }
}

The problem is that the userName and password strings are always empty, meaning that the parameters are never fetched from the POST. What am I doing wrong?

Funny thing, it works when changing from method=post to method=get and using doGet instead of doPost

Only thing, it's unfortunate to see the password in the url, I still think it's beter to use a POST even if you can sniff the text using wireshark.

you should use post for sure :-), it was just for test. Can you try in some other browser

the parameters are still in the url

Parameters are in the url because i guess you are using "get" in your jsp. Use "post" only in your jsp and try implementing the above code. What will happen is from your servlet's "doPost" method, "doGet" will be called. Let me know what is the output.

I have edited my original post with the web.xml and the dispatch method

1) The tomcat's service(..) method implementation is pretty simple and it just forwards the request to doGet(..) or doPost(..) based on request.getMethod() condition. if you haven't overridden service(..) method than there is not much to look in here. 2) Do you have any filters declared in your web.xml or any filter based annotations anywhere?

I do not use annotations, and I have no filter tags in my web.xml. The dispatch() method follows the Page Controller or Front Controller design pattern (see: java.sun.com/blueprints/corej2eepatterns/Patterns/…)

Are you saying that the service() method would not be useful in this case?

there is no problem with your dispatch(..) method. The point which I was making earlier was that I see more custom code than what was originally posted in your question. Are you saying that the service() method would not be useful in this case....have you overridden service method? if not, then everything is fine with service method.