Home/ Questions/Q 8351661
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T08:42:15+00:00

I am developing a web application, and in the web.xml I have some queries

  • 0

I am developing a web application, and in the web.xml I have some queries for authentication process. So if a person sees the query he could easily have access to those tables of security. Is it possible to have access to my web.xml or I should not be worried at all?

To be more specific, I intorduced my security configuration in web.xml and in that security context file I have queries for authentication. Here is the part which I’m talking about (I’m using Spring Security)

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider>
        <sec:jdbc-user-service data-source-ref="dataSource"
            group-authorities-by-username-query="
                                    SELECT acg.ID, acg.GROUP_NAME, a.ROLE_NAME AS AUTHORITY 
                                    FROM USER_GROUP acg, USER_GROUP_MAPPING agm, PRINCIPAL_ROLE_MAPPING ga, ROLE a, INVESTOR_USER us
                                    WHERE us.USERNAME = ? and agm.USER_ID = us.ID and acg.ID = ga.PRINCIPAL_ID and acg.ID = agm.USER_GROUP_ID and ga.ROLE_ID = a.ID
                                "
            users-by-username-query="SELECT USERNAME,PASSWORD,IS_ACTIVE FROM INVESTOR_USER where USERNAME = ?"
            authorities-by-username-query="
                                    SELECT ua.PRINCIPAL_ID AS USERNAME, a.ROLE_NAME AS AUTHORITY 
                                    FROM PRINCIPAL_ROLE_MAPPING ua, ROLE a, INVESTOR_USER us 
                                    WHERE us.USERNAME = ? and ua.PRINCIPAL_ID = us.ID and ua.ROLE_ID = a.ID
                                " />

        <sec:password-encoder ref="passwordEncoder"/>                               
        <!-- <<<<<<<<<<<<<<<< Encoding Password >>>>>>>>>>>>>>>> -->
    </sec:authentication-provider>
</sec:authentication-manager>

Is it bad? Shouldn’t I be using it?

Please justify your answers with some references.
And of course, please enlighten me with other alternatives.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Is web.xml accessible from client side?

    No. Why ? Because as per the Servlet Specification all accessible resources are exposed via servlets. If you haven’t explicitly defined a servlet (or a filter, or a listener) to handle/expose .xml resources you don’t need to worry.

    In general it is the web container’s responsibility to protect configuration resources. You can be fairly certain it does so successfully.

    The code you have given as an example is not your web.xml, but your security namespace config. This as the web.xml is also something you should not be worried about.

    In general a servlet container will not make anything publicly accesible unless you specifically tell it to.

    Is it bad? Shouldn’t I be using it?

    In general no its not bad. You can also conclude that if spring security supports SQL in its configuration then they also view it as a normal practice.

    As a personal preference however I tend to prefer using custom UserDetailsService and AuthenticationManager implementations to handle user authentication as this keeps database related code out of the security definitions. This however is just a preference.

    • 0