
My Web application structure is

>     App1.war
>     -WEB-INF
>        - web.xml
>        - classes
>        - config etc.

and, to implement some other functionality, we have added a filter:

    <filter-mapping>
        <filter-name>CustomerFilter</filter-name>
        <url-pattern>/customer/pages/*</url-pattern>
    </filter-mapping>

And the filter class CustomerFilter.java:

    // Relevant parts of CustomerFilter (imports: javax.servlet.*, javax.servlet.http.HttpServletRequest)
    private FilterConfig config;

    @Override
    public void init(FilterConfig config) {
        this.config = config;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String requestURI = ((HttpServletRequest) request).getRequestURI();
        if (requestURI.endsWith(".action")) {
            chain.doFilter(request, response);   // Struts actions pass through untouched
        } else {
            // Strips the context path and "/customer/pages" and forwards to whatever is left,
            // so ".../customer/pages/WEB-INF/web.xml" is forwarded to "/WEB-INF/web.xml"
            request.getRequestDispatcher(
                    requestURI.replace(config.getServletContext().getContextPath() + "/customer/pages", ""))
                    .forward(request, response);
        }
    }

Due to this change, I can directly access web.xml via the URL yourserver/App1/customer/pages/WEB-INF/web.xml, which is a security vulnerability, so I added a security-constraint to solve this leakage. My question is: do we have any other ways to handle this efficiently, or what are the other solutions for directory traversal? For example:

    <security-constraint>
      <display-name>SecurityConstraintForDirA</display-name>
      <web-resource-collection>
        <web-resource-name>DirAResources</web-resource-name>
        <!-- a path-mapping url-pattern must start with "/" -->
        <url-pattern>/customer/pages/WEB-INF/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>adm</role-name>
      </auth-constraint>
    </security-constraint>

Keep in mind that my application is an old Struts-based web application.

unknown
    Normally, servlet containers should **not** allow access to files within the WEB-INF and META-INF folders of the .war package. Are you saying that accessing `http://yourserver/App1/WEB-INF/web.xml` fetches the web.xml? If so, I suspect you have a serious misconfiguration! It could be something explicitly giving access to WEB-INF (e.g. a servlet that allows downloads from there), a static server having access to the folder (e.g. Apache), or who knows what else. – Nikos Paraskevopoulos Mar 26 '21 at 16:40
  • Actually, it's not http://yourserver/App1/WEB-INF/web.xml; we have some dynamic reference mapped, so http://yourserver/App1/customer/pages/WEB-INF/web.xml fetches the web.xml. So the question was: is that fine with security-constraint, or do I need to do any other implementation? – unknown Mar 29 '21 at 10:02
  • 1
    You should probably take a look at the component that serves `yourserver/App1/customer/*`. – Nikos Paraskevopoulos Mar 29 '21 at 10:19
  • @NikosParaskevopoulos, I have updated my question. Please have a look and answer. – unknown Mar 31 '21 at 10:15
  • This is a bug in your own code behind `/customer/*`. Fix it over there. – BalusC Mar 31 '21 at 10:37
  • @BalusC, is using a security-constraint not a solution? It's a little difficult to touch the code since that has been implemented in many places. – unknown Mar 31 '21 at 17:30
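The fix suggested in the comments, applied to the filter from the question, as an added example that is not the asker's code: it keeps the Struts pass-through but normalises the remainder of the URI and refuses anything that resolves under WEB-INF or META-INF, still contains a traversal segment, or is not a JSP view. The class and helper names and the `.jsp` allow-list are assumptions; adjust the allow-list to whatever the pages under /customer/pages actually are.

```java
import java.io.IOException;
import java.net.URI;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HardenedCustomerFilter implements Filter {
    private static final String PREFIX = "/customer/pages";
    private String contextPath;

    @Override
    public void init(FilterConfig config) {
        contextPath = config.getServletContext().getContextPath();
    }

    // Returns the path to forward to, or null when the request must be refused (hypothetical helper).
    static String resolveForwardTarget(String contextPath, String requestURI) {
        String prefix = contextPath + PREFIX;
        if (!requestURI.startsWith(prefix + "/")) {
            return null;                          // not one of the mapped URLs
        }
        String target;
        try {
            // getRequestURI() is undecoded: normalize() folds "." and ".." segments and
            // getPath() decodes %2e etc., so encoded traversal still shows up as ".." below.
            target = URI.create(requestURI.substring(prefix.length())).normalize().getPath();
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        String lower = target.toLowerCase(java.util.Locale.ROOT);
        if (lower.contains("..") || lower.startsWith("/web-inf") || lower.startsWith("/meta-inf")
                || !lower.endsWith(".jsp")) {
            return null;                          // only plain JSP views under the web root
        }
        return target;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String requestURI = ((HttpServletRequest) req).getRequestURI();
        String target = resolveForwardTarget(contextPath, requestURI);
        if (requestURI.endsWith(".action")) {
            chain.doFilter(req, res);             // Struts actions pass through unchanged
        } else if (target == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
        } else {
            req.getRequestDispatcher(target).forward(req, res);
        }
    }

    @Override public void destroy() { }
}
```

Path parameters such as `;jsessionid=...` are refused by the `.jsp` check; strip them before calling the helper if the application relies on URL rewriting for sessions.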
