Home/ Questions/Q 865331
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T09:37:30+00:00

I am fixing some old defects and as part of one defect, I need

  • 0

I am fixing some old defects and as part of one defect, I need to make sure that some requests are being only POST to the JSP page instead of a GET request. The application have a form which submits data to another JSP page (I know its wrong and against MVC but too late to fix it), since it is a JSP page, so we can POST the request or else we can GET the request. In case of a malicious user, can read the form and send the request as a GET from the browser like http://host:80/somejsp.jsp?param=value&param=value etc. In that case, it becomes a violation. I need to make sure that such GET requests are not processed. One way to do is to perform the below steps in the jsp page –

if (request.getMethod().equals("GET")) {
   // reroute the user as it is not a valid req
}

Is there any other way to do it?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Two solutions:

    1. Add a <security-constraint> with an empty <auth-constraint> on an <url-pattern> of *.jsp and <http-method> of GET which will block GET requests on JSP files to everyone (as suggested by McDowell):

      <security-constraint>
    <display-name>Restrict GET requests on JSP files</display-name>
    <web-resource-collection>
        <web-resource-name>JSP files</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

    2. Create a Filter which listens on an <url-pattern> of *.jsp and does basically the following in the doFilter() method.

      if (((HttpServletRequest) request).getMethod().equals("GET")) {
    ((HttpServletResponse) response).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
} else {
    chain.doFilter(request, response);
}

    No need to copypaste the same over all JSP pages which would only be prone to IllegalStateException: response already committed errors.

    • 0