
url patterns in web.xml

 
guru prasanth
Ranch Hand
Posts: 103
I have a requirement that in a web application only certain URLs should be allowed. For example, for www.mywebsite.com/example/test.html, the user should not be able to pass www.mywebsite.com/example/test.html?name=test123.
How do I do that in web.xml?
 
Tapas Chand
Ranch Hand
Posts: 602
I am not sure about web.xml but it can definitely be done by URL rewriting.
Hope it helps
http://tuckey.org/urlrewrite/
 
Tim Holloway
Bartender
Posts: 18417
I believe that the "URL" part of that is the "www.mywebsite.com/example/test.html" and once you start adding the "?name=test123" what you have, technically speaking, is a URI. URIs are a superset of URLs.

web.xml can apply security rules to the URL, but any add-ons to the URL, whether it's "?", "#" or whatever are stripped off before the security manager gets ahold of it. So if you want to disallow selected URL parameters, you'd have to code application logic for that.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65530
  • Likes 2
If your servlet is not expecting the name parameter then it will just be ignored; so what's the problem? If it is expecting a name parameter and the user can specify a value that could undermine security, that is a big issue that your application should be handling with proper authentication and authorization. Simply disallowing the URL would not be secure.
 
guru prasanth
Ranch Hand
Posts: 103
Thanks for all your replies. The real issue is I have a WAR which consists of only static content. And the pre-condition is that no Java code should be added. Even filters are not allowed. All I can do is tweak web.xml. Is it possible to stop any URL other than the intended URL? Let's say after www.website.com/index.html we should not allow anything after index.html.
Is it possible to achieve this using URL patterns?
 
Tim Holloway
Bartender
Posts: 18417

Is it possible to achieve this using URL patterns?


No. It is not.

And if it's only allowed to be static content, WHY is the "application" built on the JAVA platform? Why not just make it a standard Apache/Nginx/IIS/whatever app?

Sometimes I despair of "genius" management.
 
Tapas Chand
Ranch Hand
Posts: 602
guru prasanth wrote: the pre-condition is that no Java code should be added. Even filters are not allowed

I understand your problem. I have gone through the same pain in the past where I was not allowed to add "Java code".
So what I did is, I created a Filter, packaged it in a JAR and put it in Tomcat lib and modified web.xml for the filter.
I know it was not a nice thing to do.
Maybe the experienced people in this forum will suggest a better idea.

Tim Holloway wrote:Sometimes I despair of "genius" management

Always faced this problem when guys having half/no technical knowledge try to decide the technicalities of a project.
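
The filter approach Tapas Chand describes, which is also the kind of application logic Tim Holloway says is needed because web.xml URL patterns never see the query string, could look like the following. This is an added example, not code from any poster in this thread; the package and class names are hypothetical, and it assumes the javax.servlet API (Servlet 3.x).

```java
package example; // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Rejects any request that carries a query string or path parameters,
// which <url-pattern> matching in web.xml cannot express.
// Register it in web.xml with a <filter> element and a <filter-mapping>
// whose <url-pattern> is /* so it runs before the static content is served.
public class NoQueryStringFilter implements Filter {

    @Override
    public void init(FilterConfig config) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            // getQueryString() is null when the request has no query string.
            boolean hasQuery = request.getQueryString() != null;
            // getRequestURI() is not decoded and still contains path
            // parameters such as ";jsessionid=...".
            boolean hasPathParams = request.getRequestURI().indexOf(';') >= 0;
            if (hasQuery || hasPathParams) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
                return; // do not pass the request down the chain
            }
        }
        // A "#fragment" is never sent by the browser, so there is nothing to check.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```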
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65530
Yeah, we've seen this before with such "genius" advice as "don't use the session" or "no servlets, just JSPs" and other nonsensical requirements.

I feel for the people stuck in such organizations.
 
Raghavan Muthu
Ranch Hand
Posts: 3381
In simple terms, URL patterns are how to deal with the URLs and *NOT* to avoid them.

If you want to take charge of any extra Query String Parameters in the URL, should there be any, you might have to take care of it with the help of the Web Server (Apache, IIS, etc.) that forwards the request to your Servlet Container.
 