
I have this piece of code which I thought was a fairly standard way of redirecting to another servlet:

// Forward the current request, with its attributes and state, to the handler servlet.
RequestDispatcher dispatch =
    request.getRequestDispatcher("/ApplicationExceptionHandler");
dispatch.forward(request, response);
return;

The problem is when code like this runs through Static Code Analysis tools like AppScan it shows that the code is vulnerable to attacks. http://cwe.mitre.org/data/definitions/288.html

I have a servlet filter authenticating most URLs. In spite of this, the tool marks me non-compliant.

Any ideas on how to get around this?

Kara

1 Answer


If you do not need to forward the current request in its current state, then you can simply issue a redirect to the new resource. The new request will go through the app server's authentication checks, and presumably that is something the inspection deems valid.

However, this, like all other static analysis, can't be 100% sure that the code is actually vulnerable to this kind of authentication problem. You may be fine. If you understand the problem and are sure your architecture would not allow it, then this can be safely ignored.

Sean Owen
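The two options the answer describes, as an added example that is not code from the question or the answer. Servlet filters run only for the original client request by default (DispatcherType.REQUEST), so an internal forward to /ApplicationExceptionHandler skips the authentication filter entirely; that is the alternate path CWE-288 is about. Either make the browser issue a fresh request with sendRedirect, which the filter sees like any other request, or register the filter for DispatcherType.FORWARD as well so forwarded requests are checked too. The filter name, the /report and /login paths, and the session attributes "user" and "lastError" are assumptions for illustration; the two public classes are shown together for readability and would each live in their own .java file in a real project.

```java
import java.io.IOException;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical authentication filter. Without dispatcherTypes it would only run
// for DispatcherType.REQUEST; listing FORWARD makes the container run it again
// when a servlet forwards internally, which closes the gap the analyzer flags.
@WebFilter(urlPatterns = "/*",
           dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD})
public class AuthenticationFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Assumption: the login code stores a "user" attribute in the session.
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null && session.getAttribute("user") != null;

        // Assumption: /login is the only path reachable without a session.
        if (!authenticated && !"/login".equals(request.getServletPath())) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}

// Hypothetical servlet that, on failure, redirects the client to the handler
// instead of forwarding internally.
@WebServlet("/report")
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        try {
            generateReport(response);
        } catch (RuntimeException e) {
            // A redirect makes the browser issue a brand-new request for
            // /ApplicationExceptionHandler, so filters and security constraints
            // see it like any other request. Request attributes do not survive
            // a redirect, so anything the handler needs is parked in the
            // session (assumed contract between this servlet and the handler).
            request.getSession().setAttribute("lastError", e.getMessage());
            response.sendRedirect(request.getContextPath() + "/ApplicationExceptionHandler");
            return;
        }
    }

    private void generateReport(HttpServletResponse response) throws IOException {
        response.setContentType("text/plain");
        response.getWriter().println("report");
    }
}
```

The redirect costs an extra round trip and loses the original request's attributes, which is why the answer qualifies it with "if you do not need to forward the current request in its current state". Keeping the forward and adding FORWARD to the filter's dispatcher types preserves the request but only helps if every authentication check lives in a filter; a check done inside individual servlets is still bypassed by a forward.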