Home/ Questions/Q 7899115
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-03T08:36:54+00:00

I am building an application using Spring Framework 3.1 I am having my controllers

  • 0

I am building an application using Spring Framework 3.1

I am having my controllers mapped with url containing path variables that stands for some id.
But I don’t want the user to tamper with the url and change the path variable value manually.
I want to restrict them from doing so.

I have already tried using the ShallowEtagHeaderFilter. But its not working the way it suppose to.
I don’t know whether I missed any configuration for the filter or its not working at all.

here is my web.xml where I have configured the dispatcher servlet and filter.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <filter>
        <filter-name>encodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>eTagFilter</filter-name>
        <filter-class>com.abc.config.EtagFilter</filter-class>
    </filter>


    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <filter-mapping>
        <filter-name>encodingFilter</filter-name>
        <url-pattern>/</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>eTagFilter</filter-name>
        <servlet-name>dispatcher</servlet-name>
    </filter-mapping>

    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>

</web-app>

Please help me with this.

Thanks in advance.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I don’t understand how ShallowEtagHeaderFilter fits into this picture, I think you misunderstood its functionality. It’s supposed to reduce network traffic by taking pages from the browser cache. That’s a totally different scenario from yours.

    Basically: if you don’t want users to tamper with URLs, you will need to have a way to verify that the URL was created by your application, usually a checksum parameter of some sort with an algorithm that’s not easy to guess.

    e.g. /site/12/user/12345/aB where aB is calculated based on /site/12/user/12345. Now if the user changes the URL to /site/13/user/12345/aB the checksum is wrong and you can send a 404 or a 400 or whatever error you want to send.

    I’d probably implement the checksum check as a Filter and write a utility method that creates URLs with checksum based on plain URLs (possibly you’ll need a JSP tag as well)

    • 0