Spring MVC application filtering HTML in URL - Is

Published 2019-04-19 21:10

My existing Spring Web MVC application has the following handler mapping in the Controller.

    @RequestMapping(method = RequestMethod.GET, value = "/welcome")

I trigger the following request http://www.example.com/welcome and this works fine.

The problem is

http://www.example.com/welcome.check.blah 

also works!!!

Also, an HTTP GET request URL to the application with a script tag is getting redisplayed even though it fails the authorization.

Example: http://www.example.com/welcome<script>alert("hi")</script> gets redisplayed as such in the browser window and, as a result of my authorization logic, a "Not authorized" message is displayed.

I wonder if this is a security issue and whether I need to do any encoding/filtering in the code?

5 answers
兄弟一词,经得起流年.
Post #2 · 2019-04-19 21:49

You can also restrict this in the web.xml by specifying the URL pattern. Instead of giving "/", you can specify "/.htm" in your web.xml.

Something like

    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/application/*.htm</url-pattern>
    </servlet-mapping>
虎瘦雄心在
Post #3 · 2019-04-19 21:52

You can use the useDefaultSuffixPattern property.

<bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
    <property name="useDefaultSuffixPattern" value="false" />
</bean>

Also refer to URL Pattern Restricting in SPRING MVC

SAY GOODBYE
Post #4 · 2019-04-19 21:55

In current Spring Java config, there is a slightly easier way to configure the same thing:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;

    @Configuration
    public class DispatcherConfig extends WebMvcConfigurationSupport {

        @Override
        protected void configurePathMatch(PathMatchConfigurer configurer) {
            // "/welcome" will no longer match "/welcome.*"
            configurer.setUseSuffixPatternMatch(false);
        }

    }
Bombasti
Post #5 · 2019-04-19 21:55

When you use Spring to request a mapping of that type (i.e. "/anything") Spring actually maps your controller to several URLs:

/welcome
/welcome.*
/welcome/

To prevent this, either be more specific in your RequestMapping (i.e. /welcome.htm), or manually map the URL to the controller in your XML config:

    <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
        <property name="mappings">
            <props>
                <prop key="/welcome">YourControllerBean</prop>
            </props>
        </property>
    </bean>


Cheers, Pete

男人必须洒脱
Post #6 · 2019-04-19 22:01

This behavior is due to the option useSuffixPatternMatch which is true by default inside the RequestMappingHandlerMapping (I assume you use Spring MVC 3.1).

useSuffixPatternMatch : Whether to use suffix pattern match (".*") when matching patterns to requests. If enabled a method mapped to "/users" also matches to "/users.*". The default value is "true".

To set useSuffixPatternMatch to false, the easiest way is to use @Configuration:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.EnableWebMvc;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;
    import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

    @Configuration
    @EnableWebMvc
    public class Api extends WebMvcConfigurationSupport {

        @Override
        public RequestMappingHandlerMapping requestMappingHandlerMapping() {
            // Take the default mapping and switch off the implicit ".*" suffix matching
            RequestMappingHandlerMapping mapping = super.requestMappingHandlerMapping();
            mapping.setUseSuffixPatternMatch(false);
            return mapping;
        }

    }
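The two fixes the thread is circling, put together as an added example (not code from any poster) for Spring Framework 5.x with the javax Servlet API: a `WebMvcConfigurer` that switches off suffix and trailing-slash matching so `/welcome` matches only `/welcome`, and a controller that HTML-escapes the request path before echoing it in the "Not authorized" body. `StrictPathConfig`, `WelcomeController` and the header-based `isAuthorized` stand-in are constructed names; the two setters are deprecated from 5.2.4 and no longer exist in Spring Framework 6, which dropped suffix pattern matching altogether.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.util.HtmlUtils;

@Configuration
public class StrictPathConfig implements WebMvcConfigurer {

    @Override
    @SuppressWarnings("deprecation") // setters deprecated since 5.2.4, removed in 6.x
    public void configurePathMatch(PathMatchConfigurer configurer) {
        // "/welcome" no longer matches "/welcome.check.blah" ...
        configurer.setUseSuffixPatternMatch(false);
        // ... nor "/welcome/"
        configurer.setUseTrailingSlashMatch(false);
    }
}

@RestController
class WelcomeController {

    @GetMapping("/welcome")
    public ResponseEntity<String> welcome(HttpServletRequest request) {
        if (!isAuthorized(request)) {
            // The path is client-controlled: escape it before it lands in an HTML body,
            // so any markup in it is rendered as text rather than interpreted.
            String safePath = HtmlUtils.htmlEscape(request.getRequestURI());
            return ResponseEntity.status(HttpStatus.FORBIDDEN)
                    .contentType(MediaType.TEXT_HTML)
                    .body("<p>Not authorized: " + safePath + "</p>");
        }
        return ResponseEntity.ok("welcome");
    }

    // Constructed stand-in for the real authorization check (assumption, not a real rule)
    private boolean isAuthorized(HttpServletRequest request) {
        return "1".equals(request.getHeader("X-Demo-Authorized"));
    }
}
```

With these settings a request for /welcome.check.blah is answered by the dispatcher with 404 instead of reaching the handler, and whatever path does reach the error branch is emitted escaped.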