
I am running a web application in Tomcat server (OSGI based). I want to restrict the user from accessing URLs like

http://localhost:53307/myapp/servlet/startPage?PAGEURL=../../myapp/x/y/license.txt

I've configured web.xml as

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Lic</web-resource-name>
        <url-pattern>/x/y/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

This is still allowing the user to access the above URL. I think the URL pattern looks for the string starting after the context name. It's not looking for matching values in the query string.

I want a configuration which prevents the user from accessing a URL (including the query string) that matches the configured value. Please help me configure it.

Mike E
javalearner

2 Answers

I fear you will need to write your own filter to check the query parameters.

Tassos Bassoukos
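
A sketch of the kind of filter the answer above suggests, added here as an example and not code from either poster: it resolves the PAGEURL value as a relative URL and rejects anything that lands under /myapp/x/y/. The class name PageUrlFilter, the javax.servlet API (Tomcat 9 and earlier) and the assumption that startPage resolves PAGEURL relative to its own URL are not from the page.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not from the page); map it to /servlet/startPage.
public class PageUrlFilter implements Filter {
    // Assumption: startPage resolves PAGEURL relative to its own URL.
    private static final URI BASE = URI.create("/myapp/servlet/startPage");
    private static final String DENIED_PREFIX = "/myapp/x/y/";

    // True when the (already URL-decoded) parameter value must be rejected.
    static boolean isDenied(String pageUrl) {
        if (pageUrl == null) return false;
        // A leftover '%' means double encoding; '\' and ';' are alternate
        // separators / path parameters that some resolvers treat specially.
        if (pageUrl.matches("(?s).*[%\\\\;].*")) return true;
        try {
            URI target = BASE.resolve(new URI(null, null, pageUrl, null)).normalize();
            // A scheme or authority means the value is not a local path.
            if (target.isAbsolute() || target.getRawAuthority() != null) return true;
            String path = target.getPath();
            // normalize() keeps ".." segments that climb above the root.
            if (path.contains("/../") || path.endsWith("/..")) return true;
            return path.startsWith(DENIED_PREFIX);
        } catch (URISyntaxException e) {
            return true; // unparseable input is rejected, not passed through
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String[] values = req.getParameterValues("PAGEURL");
        if (values != null) {
            for (String v : values) { // check every occurrence of the parameter
                if (isDenied(v)) {
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Register it with a `<filter>` and `<filter-mapping>` pair for `/servlet/startPage`. Where the set of legitimate pages is known, an allow-list of resolved paths is stricter than this deny prefix.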

It's working fine now. I made a mistake while testing. The configuration above is fine.

javalearner