My existing Spring Web MVC application has the following handler mapping in the Controller.

    @RequestMapping(method = RequestMethod.GET, value = "/welcome")

I trigger the following requesthttp://www.example.com/welcomeand this works fine.

The problem is

http://www.example.com/welcome.check.blah 

also works!!!

Also, a HTTP GET request URL to the application with script tag is getting redisplayed though it fails the authorization.

Example http://www.example.com/welcome<script>alert("hi")</script> gets redisplayed as such in the browser window and as a result of my authorization logic "Not authorized" message is displayed.

I wonder if this is a security issue and should I need do any encoding/filtering in the code?

This behavior is due to the option useSuffixPatternMatch which is true by default inside the RequestMappingHandlerMapping (I assume you use Spring MVC 3.1).

useSuffixPatternMatch : Whether to use suffix pattern match (".*") when matching patterns to requests. If enabled a method mapped to "/users" also matches to "/users.*". The default value is "true".

To set useSuffixPatternMatch to false, the easiest way is to use @Configuration :

@Configuration
@EnableWebMvc
public class Api extends WebMvcConfigurationSupport {

    @Override
    public RequestMappingHandlerMapping requestMappingHandlerMapping() {
        RequestMappingHandlerMapping mapping = super.requestMappingHandlerMapping();
        mapping.setUseSuffixPatternMatch(false);
        return mapping;
    }

}

In current Spring Java config, there is a slightly easier way to configure the same thing:

@Configuration
public class DispatcherConfig extends WebMvcConfigurationSupport {

    @Override
    protected void configurePathMatch(PathMatchConfigurer configurer) {
        configurer.setUseSuffixPatternMatch(false);
    }

}

When you use Spring to request a mapping of that type (i.e. "/anything") Spring actually maps your controller to several URLs:

/welcome
/welcome.*
/welcome/

To prevent this - either be more specific when you RequestMapping (i.e. /welcome.htm ), or manually map the URL to controller in your Xml config:

<bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
        <property name="mappings">
            <props>
                <prop key="/welcome">YourControllerBean</prop>
            </props>
        </property>
</bean>

Cheers, Pete

You can also restrict this in the web.xml by mentioning the url pattern. Instead of giving "/", you can mention "/.htm" in your web.xml.

Something like

<servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/application/*.htm</url-pattern>
    </servlet-mapping>

You can use the useDefaultSuffixPattern property.

<bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
    <property name="useDefaultSuffixPattern" value="false" />
</bean>

Also refer URL Pattern Restricting in SPRING MVC