
I was wondering if the following configuration would be safe:

Webpages accessible at locations /ManageXXXX.do, /ManageYYYY.do, ... should only be able to be accessed by admin role, every other page is available to anyone.

I have configured the web.xml file as such:

    <security-constraint>
        <web-resource-collection>
            <!-- web-resource-name is required by the deployment-descriptor schema;
                 the value is only a label (placeholder chosen here) -->
            <web-resource-name>Admin pages</web-resource-name>
            <url-pattern>/Manage*</url-pattern>
            <!-- no http-method listed, so the constraint applies to every method -->
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

Now I was wondering how reliable this was to people trying to get past the security. Is this guaranteed to block my Manage* pages from unauthorized users? I'd just like to know how safe this kind of pattern matching is.

1 Answer

From the Servlet API Specification: http://www.jcp.org/aboutJava/communityprocess/mrel/jsr154/

SRV.11.2 Specification of Mappings
In the Web application deployment descriptor, the following syntax is used to define mappings:
• A string beginning with a '/' character and ending with a '/*' suffix is used for path mapping.
• A string beginning with a '*.' prefix is used as an extension mapping.
• A string containing only the '/' character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
• All other strings are used for exact matches only.

According to the Servlet API Specification, the pattern /Manage* is "exact matches only", which is not what you want. Please move all resources for the admin role to /Manage/ and configure the pattern <url-pattern>/Manage/*</url-pattern>.


4 Comments

Strange, because the way I have it set up now it's handling security correctly with the url-pattern set as /Manage* for pages such as /ManageX.do, /ManageY.do etc.
As you see, it is a copy from the specification :) Please ensure that users without the admin role cannot access it.
I have verified that users without admin role cannot access any of the /Manage* pages.
So, the implementation is not according to the specification :)
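As an added illustration of the rules quoted in the answer (this is not code from the original post, nor from any servlet container), the following Python models the four SRV.11.2 matching rules plus the way overlapping constraints combine (SRV.12.8.1), and runs three descriptors against a few constructed request paths: the asker's `/Manage*` constraint, the answer's `/Manage/*` fix, and a third, spec-compliant variant that keeps the existing URLs by listing each page as an exact match. The `Constraint` class, the function names, the sample paths and the enumerated variant are assumptions made for the illustration; a real container implements the same rules in its own code.

```python
# Added example (not from the original post or any servlet container): a small
# model of the url-pattern rules in SRV.11.2 and the constraint-combination rule
# in SRV.12.8.1, used to show which request paths a <security-constraint> covers.
# Class names, function names and sample paths are assumptions for illustration.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence


def match(pattern: str, path: str) -> bool:
    """Does `path` (request URI minus context path, already normalized by the
    container) match `pattern` under the four SRV.11.2 rules?"""
    if pattern == "/":
        # Default servlet: claims whatever nothing else does.
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):
        # Path mapping: "/Manage/*" covers "/Manage" and everything below it.
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        # Extension mapping: applies to the last path segment only.
        last_segment = path.rsplit("/", 1)[-1]
        return last_segment.endswith(pattern[1:])
    # Everything else, "/Manage*" included, is an exact string comparison.
    return path == pattern


@dataclass(frozen=True)
class Constraint:
    patterns: Sequence[str]
    # None models a <security-constraint> with no <auth-constraint> (open to all);
    # an empty set models <auth-constraint/> with no <role-name> (denied to all).
    roles: Optional[FrozenSet[str]]


def effective_roles(constraints: Sequence[Constraint], path: str) -> Optional[FrozenSet[str]]:
    """Roles allowed to reach `path`, or None when no constraint protects it.

    Overlapping constraints combine as SRV.12.8.1 describes: an empty
    auth-constraint precludes access for everyone, otherwise a constraint with
    no auth-constraint opens the resource, otherwise the role sets are unioned.
    """
    matched = [c for c in constraints if any(match(p, path) for p in c.patterns)]
    if not matched:
        return None
    if any(c.roles is not None and not c.roles for c in matched):
        return frozenset()
    if any(c.roles is None for c in matched):
        return None
    return frozenset().union(*(c.roles for c in matched))


def is_admin_only(constraints: Sequence[Constraint], path: str) -> bool:
    """True only when `path` is restricted to exactly the admin role."""
    return effective_roles(constraints, path) == frozenset({"admin"})


ADMIN = frozenset({"admin"})

# The asker's descriptor: "/Manage*" is an exact match for the literal path "/Manage*".
AS_POSTED = [Constraint(("/Manage*",), ADMIN)]

# The answer's fix: move the admin pages under /Manage/ and use a path mapping.
PATH_MAPPED = [Constraint(("/Manage/*",), ADMIN)]

# Spec-compliant alternative that keeps the URLs: one exact match per admin page.
ENUMERATED = [Constraint(("/ManageXXXX.do", "/ManageYYYY.do"), ADMIN)]

# Constructed request paths, assumed already normalized by the container.
SAMPLE_PATHS = ["/ManageXXXX.do", "/Manage*", "/Manage/XXXX.do", "/Manage",
                "/Manageable.do", "/index.do"]

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("path mapped", PATH_MAPPED),
                      ("enumerated", ENUMERATED)):
        print(name)
        for p in SAMPLE_PATHS:
            roles = effective_roles(cfg, p)
            print(f"  {p:18s} -> {'open to everyone' if roles is None else sorted(roles)}")
```

Two caveats follow from the model rather than from any particular container. First, it takes the path as already normalized (`..` segments, repeated slashes and `;jsessionid`-style path parameters resolved); whatever container you deploy on must do that before matching, or the `/Manage/*` prefix is trivially sidestepped. Second, the combination rule cuts both ways: a second constraint with a broader pattern (say `*.do`) and no `<auth-constraint>` reopens the admin pages, so check every constraint in the descriptor, not only the one you meant to be restrictive.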
