Spring MVC application filtering HTML in URL - Is this a security issue?

Solution 1:

This behavior is due to the option useSuffixPatternMatch which is true by default inside the RequestMappingHandlerMapping (I assume you use Spring MVC 3.1).

useSuffixPatternMatch : Whether to use suffix pattern match (".*") when matching patterns to requests. If enabled a method mapped to "/users" also matches to "/users.*". The default value is "true".

To set useSuffixPatternMatch to false, the easiest way is to use @Configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

// No @EnableWebMvc here: that annotation imports its own WebMvcConfigurationSupport
// subclass, so combining it with this class registers the MVC beans twice.
@Configuration
public class Api extends WebMvcConfigurationSupport {

    @Override
    public RequestMappingHandlerMapping requestMappingHandlerMapping() {
        RequestMappingHandlerMapping mapping = super.requestMappingHandlerMapping();
        // A handler mapped to "/users" no longer also answers "/users.*"
        mapping.setUseSuffixPatternMatch(false);
        return mapping;
    }

}

Solution 2:

In current Spring Java config, there is a slightly easier way to configure the same thing:

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;

@Configuration
public class DispatcherConfig extends WebMvcConfigurationSupport {

    @Override
    protected void configurePathMatch(PathMatchConfigurer configurer) {
        // Same effect as overriding requestMappingHandlerMapping(): "/x" stops matching "/x.*"
        configurer.setUseSuffixPatternMatch(false);
    }

}

Solution 3:

When you use Spring to request a mapping of that type (i.e. "/anything"), Spring actually maps your controller to several URLs:

/welcome
/welcome.*
/welcome/

To prevent this, either be more specific when you use @RequestMapping (i.e. /welcome.htm), or manually map the URL to the controller in your XML config:

<bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="mappings">
        <props>
            <prop key="/welcome">YourControllerBean</prop>
        </props>
    </property>
</bean>

Cheers, Pete
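A way to verify which URL forms actually reach a handler, as an added example that is not part of any answer above: a MockMvc check (Spring Test, assuming Spring 4.x or 5.x before 5.3, where useSuffixPatternMatch still defaults to true; Spring 5.3 flips that default to false) showing "/welcome.json" served by the "/welcome" handler under the default and rejected with 404 once suffix matching is off. The controller and class names are made up for the illustration.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.springframework.stereotype.Controller;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// Hypothetical controller mapped only to "/welcome"
@Controller
class WelcomeController {
    @RequestMapping("/welcome")
    @ResponseBody
    public String welcome() {
        return "hello";
    }
}

public class SuffixMatchCheck {
    public static void main(String[] args) throws Exception {
        // Default setup: suffix pattern matching is on, so "/welcome.json"
        // is routed to the "/welcome" handler even though it was never mapped.
        MockMvc lenient = MockMvcBuilders.standaloneSetup(new WelcomeController()).build();
        lenient.perform(get("/welcome")).andExpect(status().isOk());
        lenient.perform(get("/welcome.json")).andExpect(status().isOk());

        // Hardened setup: the same switch the answers above set on the
        // RequestMappingHandlerMapping / PathMatchConfigurer.
        MockMvc strict = MockMvcBuilders.standaloneSetup(new WelcomeController())
                .setUseSuffixPatternMatch(false)
                .build();
        strict.perform(get("/welcome")).andExpect(status().isOk());
        // Only the exact path is mapped now; the suffixed form finds no handler.
        strict.perform(get("/welcome.json")).andExpect(status().isNotFound());

        System.out.println("suffix pattern matching behaves as expected");
    }
}
```

Running the same two requests against your real configuration (for example via @WebMvcTest or a deployed instance) confirms whether the change in the answers above actually took effect.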

Solution 4:

You can also restrict this in the web.xml by mentioning the url pattern. Instead of giving "/*", you can mention "/*.htm" in your web.xml.

Something like:

<!-- The servlet spec only allows an extension mapping ("*.htm") or a path-prefix
     mapping ("/application/*"); a combined "/application/*.htm" is treated as an
     exact path and would match nothing useful, so the extension form is used. -->
<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>*.htm</url-pattern>
</servlet-mapping>