
I am using Spring 3.2.2 jars and have a controller with the mapping "/validate". If I invoke "/validate.123" in the browser URL, this mapping method gets executed, which it shouldn't be. Is it a problem in my code or a Spring issue?

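import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.servlet.ModelAndView;

@Controller
@SessionAttributes
public class ValidationController {

    @RequestMapping(value = "/validate", method = { RequestMethod.POST,
            RequestMethod.GET })
    public ModelAndView validatCheck(@ModelAttribute("po") PO po){
        // handler body not shown in the question
    }
}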

web.xml

 <web-app xmlns="http://java.sun.com/xml/ns/javaee" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.5" 
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>My Application</display-name>

    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>
            org.springframework.web.servlet.DispatcherServlet
        </servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/mvc-dispatcher-servlet.xml</param-value>
    </context-param>
    <listener>
        <listener-class>
             org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>
    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/WEB-INF/pages/error.jsp</location>
    </error-page>
    <welcome-file-list>
        <welcome-file>home</welcome-file>
    </welcome-file-list>
</web-app>

mvc-dispatcher-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/aop 
        http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
        http://www.springframework.org/schema/tx
        http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/mvc 
        http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">

    <context:component-scan base-package="com.app.controller" />


    <bean class="org.springframework.web.servlet.view.UrlBasedViewResolver">
    <!--Don't add suffix or prefix like you do with .jsp files-->
        <property name="viewClass" value="org.springframework.web.servlet.view.tiles3.TilesView"/>
          <property name="order" value="0"/>        
    </bean>

    <bean id="tilesConfigurer" class="org.springframework.web.servlet.view.tiles3.TilesConfigurer" >
        <property name="definitions">
            <value>/WEB-INF/tiles.xml</value>
        </property>
    </bean>

    <bean
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix">
            <value>/WEB-INF/</value>
        </property>
        <property name="suffix">
            <value>.jsp</value>
        </property>
        <property name="order" value="1" />
    </bean>



    <mvc:annotation-driven />
    <bean class="org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping" />
    <mvc:resources mapping="/resources/**" location="/resources/" />


</beans>
Aniket Kulkarni
skumar
  • Probably a problem with your code. What do you want /validate.123 to call? Can you have the request mapping on your class and then specific values on methods? – bobwah Apr 21 '15 at 16:44
  • It came out during testing. If a dot and some characters are added after the resource name, the controller request mapping gets invoked. This is not good and it causes a security problem in the code. The above one is just an example; I have a lot of controllers with the mappings. I don't want /validate.123 to invoke the /validate request mapping; instead it should throw a 404 – skumar Apr 21 '15 at 16:47
  • Can you please attach your web.xml code with your question? – Dev Apr 21 '15 at 16:58
  • @Dev, updated the xml file in the question – skumar Apr 21 '15 at 17:06
  • Check out this link https://jira.springsource.org/browse/SPR-5636?focusedCommentId=44259&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-44259 but it should be solved at your spring version 3.3.2 according to this. – erhun Apr 21 '15 at 17:47

1 Answer


As you can see, in your deployment descriptor (web.xml) you have written something like this:

    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

This shows which URL pattern your dispatcher servlet will respond to.

Here <url-pattern>/</url-pattern> conveys that the dispatcher servlet will respond to any URL pattern. If you want to restrict the dispatcher servlet to respond to specific URLs, you can define URL patterns something like below:

        <servlet-mapping>
            <servlet-name>mvc-dispatcher</servlet-name>
            <url-pattern>*.htm</url-pattern>
            <url-pattern>*.html</url-pattern>
        </servlet-mapping>
Dev
  • All my URLs are like this; they don't have any extension: /validate, /query, /checkForError, /submitValidate – skumar Apr 21 '15 at 17:47
  • Then I fear all URLs are accessible, for example /validate as validate.123 or validate.htm etc. – Dev Apr 21 '15 at 17:53
  • OK, thanks for the explanation. Is there any solution other than fixing the URL with an extension? Is it mandatory for a Spring web app to have URLs with an extension? – skumar Apr 21 '15 at 17:57
  • I don't think there is any other way, but you can always define multiple and all possible URL patterns as shown in the above example, and all other patterns will get rejected automatically – Dev Apr 21 '15 at 18:00
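
Added example, not part of the original question or answers: in Spring 3.2 the `RequestMappingHandlerMapping` that `<mvc:annotation-driven />` registers applies suffix pattern matching by default, so a mapping for `/validate` also matches `/validate.*`. One way to switch that off while keeping extension-less URLs is a bean post-processor that calls `setUseSuffixPatternMatch(false)` before the mapping initializes; the class name `SuffixMatchDisabler` and the package `com.app.config` are hypothetical.

```java
package com.app.config; // hypothetical package, not from the question

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

/**
 * Added example (hypothetical class name). Register it in
 * mvc-dispatcher-servlet.xml next to <mvc:annotation-driven />:
 *
 *   <bean class="com.app.config.SuffixMatchDisabler" />
 */
public class SuffixMatchDisabler implements BeanPostProcessor {

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName)
            throws BeansException {
        // Must run before initialization: the mapping builds the URL patterns
        // for every @RequestMapping method during afterPropertiesSet().
        if (bean instanceof RequestMappingHandlerMapping) {
            RequestMappingHandlerMapping mapping = (RequestMappingHandlerMapping) bean;
            // With this off, "/validate" no longer also matches "/validate.*",
            // so "/validate.123" gets a 404 when no other handler matches it.
            mapping.setUseSuffixPatternMatch(false);
        }
        return bean;
    }

    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName)
            throws BeansException {
        // Nothing to change once the bean is initialized.
        return bean;
    }
}
```

While suffix matching is still on, any URL-based access rule written for `/validate` has to cover `/validate.*` as well, because the controller answers both. From Spring 4.0 the same switch is available in the XML namespace as `<mvc:path-matching suffix-pattern="false" />` inside `<mvc:annotation-driven>`.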