12

My existing Spring Web MVC application has the following handler mapping in the Controller.

    @RequestMapping(method = RequestMethod.GET, value = "/welcome")

I trigger the following request http://www.example.com/welcome and this works fine.

The problem is

http://www.example.com/welcome.check.blah 

also works!!!

Also, an HTTP GET request URL to the application with a script tag is getting redisplayed even though it fails the authorization.

Example: http://www.example.com/welcome<script>alert("hi")</script> gets redisplayed as such in the browser window, and as a result of my authorization logic a "Not authorized" message is displayed.

I wonder if this is a security issue and whether I need to do any encoding/filtering in the code?

Raghav

6 Answers

15

This behavior is due to the option useSuffixPatternMatch, which is true by default inside the RequestMappingHandlerMapping (I assume you use Spring MVC 3.1).

useSuffixPatternMatch: Whether to use suffix pattern match (".*") when matching patterns to requests. If enabled a method mapped to "/users" also matches to "/users.*". The default value is "true".

To set useSuffixPatternMatch to false, the easiest way is to use @Configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

@Configuration
@EnableWebMvc
public class Api extends WebMvcConfigurationSupport {

    // Replace the default handler mapping with one that no longer treats "/welcome.*" as "/welcome"
    @Override
    public RequestMappingHandlerMapping requestMappingHandlerMapping() {
        RequestMappingHandlerMapping mapping = super.requestMappingHandlerMapping();
        mapping.setUseSuffixPatternMatch(false);
        return mapping;
    }

}
Chexpir
tbruyelle
  • Thanks for pointing out about the usesuffixPatternMatch. Will try that. Do you have any inputs regarding the other point - Is this a security issue? Can we prevent browser from redisplaying the URL as entered? – Raghav Mar 13 '12 at 17:42
  • I tested it and yes the URL is redisplayed but the – tbruyelle Mar 13 '12 at 18:17
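On the follow-up question in the comments (the requested URL being echoed back on the "Not authorized" page): the risk is not that the URL is displayed, but that it is written into HTML unescaped. The following is an added example, not code from the question or from this answer. It contrasts a hypothetical page builder that concatenates the request URI directly with one that passes it through Spring's own HtmlUtils.htmlEscape (org.springframework.web.util, present since Spring 1.x). The class and method names are constructed for the illustration, as is the sample URI, which is modelled on the one in the question.

```java
import org.springframework.web.util.HtmlUtils;

// Hypothetical helper (constructed for this example): builds the body of the
// "Not authorized" page that echoes the URI the client requested.
public final class NotAuthorizedPage {

    private NotAuthorizedPage() {}

    // Unsafe variant: the URI is concatenated into HTML as-is, so any markup in the
    // request path becomes markup in the response.
    static String unsafeBody(String requestUri) {
        return "<p>Not authorized: " + requestUri + "</p>";
    }

    // Safe variant: HtmlUtils.htmlEscape rewrites <, >, &, " and ' as HTML entity
    // references, so the echoed URI is rendered as text rather than parsed as markup.
    static String safeBody(String requestUri) {
        return "<p>Not authorized: " + HtmlUtils.htmlEscape(requestUri) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed input modelled on the URL in the question.
        String uri = "/welcome<script>alert(\"hi\")</script>";
        System.out.println(unsafeBody(uri));
        System.out.println(safeBody(uri));
    }
}
```

The same rule applies when the message is rendered by a view rather than built in Java: in a JSP, emit the value through <c:out> or fn:escapeXml rather than a raw expression, and for Spring's form tags the defaultHtmlEscape context parameter turns escaping on globally. Escaping is the mitigation; trying to stop the browser from showing what was requested is not.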
7

In current Spring Java config, there is a slightly easier way to configure the same thing:

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;

@Configuration
public class DispatcherConfig extends WebMvcConfigurationSupport {

    // Turn off the implicit ".*" suffix so only the exact mapped path matches
    @Override
    protected void configurePathMatch(PathMatchConfigurer configurer) {
        configurer.setUseSuffixPatternMatch(false);
    }

}
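A regression test for this setting, added here as an example and not part of the answer: it stands up a minimal controller with Spring's MockMvc (spring-test from Spring 5.x, where StandaloneMockMvcBuilder still exposes setUseSuffixPatternMatch; the method was deprecated in 5.2.4 and suffix matching was removed in Spring 6) and JUnit 5, then checks that "/welcome.check.blah" from the question is served only while suffix matching is on. The WelcomeController class and the test names are constructed for this example.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

class SuffixPatternMatchTest {

    // Minimal stand-in for the controller in the question (constructed for this test).
    @RestController
    static class WelcomeController {
        @GetMapping("/welcome")
        public String welcome() {
            return "welcome";
        }
    }

    // Builds a MockMvc whose RequestMappingHandlerMapping has suffix matching
    // set explicitly, so the test does not depend on the Spring version's default.
    private static MockMvc mockMvc(boolean useSuffixPatternMatch) {
        return MockMvcBuilders.standaloneSetup(new WelcomeController())
                .setUseSuffixPatternMatch(useSuffixPatternMatch)
                .build();
    }

    @Test
    void exactPathIsServedEitherWay() throws Exception {
        mockMvc(true).perform(get("/welcome")).andExpect(status().isOk());
        mockMvc(false).perform(get("/welcome")).andExpect(status().isOk());
    }

    @Test
    void suffixVariantIsServedOnlyWhenSuffixMatchIsOn() throws Exception {
        // With suffix matching on, "/welcome" implicitly also matches "/welcome.*",
        // and "*" spans the whole remaining segment including the dots.
        mockMvc(true).perform(get("/welcome.check.blah")).andExpect(status().isOk());
        // With it off, no handler matches and the DispatcherServlet answers 404.
        mockMvc(false).perform(get("/welcome.check.blah")).andExpect(status().isNotFound());
    }
}
```

Keeping a test like this in the build means a later change to the MVC configuration that silently re-enables suffix matching (or a framework upgrade that changes the default) fails fast rather than reappearing as unexpected URL variants in production logs.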
1

You can use the useDefaultSuffixPattern property.

<bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
    <property name="useDefaultSuffixPattern" value="false" />
</bean>

Also refer to URL Pattern Restricting in SPRING MVC.

Community
saurzcode
1

When you use Spring to request a mapping of that type (i.e. "/anything") Spring actually maps your controller to several URLs:

/welcome
/welcome.*
/welcome/

To prevent this, either be more specific in your RequestMapping (i.e. /welcome.htm), or manually map the URL to the controller in your XML config:

<bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="mappings">
        <props>
            <prop key="/welcome">YourControllerBean</prop>
        </props>
    </property>
</bean>


Cheers, Pete

Petey22uk
  • Thanks for the response. But am already using annotation based request handler mapping and I cannot use ".htm" suffix :( – Raghav Mar 13 '12 at 17:57
1

You can also restrict this in web.xml by specifying the URL pattern. Instead of "/", you can use "/.htm" in your web.xml.

Something like

<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/application/*.htm</url-pattern>
</servlet-mapping>
raddykrish
  • Unfortunately, I cannot do that. The incoming request comes in the format of "/welcome?key=value" and not "/welcome.html". This has been done to mask the underlying technology. – Raghav Mar 13 '12 at 17:40
  • Ohh ok..acceptable...but to me it doesn't reveal any underlying technology rather it specifies the url pattern though... – raddykrish Mar 13 '12 at 17:43
0

Starting from Spring Framework 5.3, useDefaultSuffixPattern is deprecated and turned off by default. See the Spring upgrade notes, section "Use of Path Extensions Deprecated in Spring MVC".

Olavi Vaino