Home/ Questions/Q 7640685
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T08:43:56+00:00

My existing Spring Web MVC application has the following handler mapping in the Controller.

  • 0

My existing Spring Web MVC application has the following handler mapping in the Controller.

    @RequestMapping(method = RequestMethod.GET, value = "/welcome")

I trigger the following requesthttp://www.example.com/welcomeand this works fine.

The problem is

http://www.example.com/welcome.check.blah

also works!!!

Also, a HTTP GET request URL to the application with script tag is getting redisplayed though it fails the authorization.

Example http://www.example.com/welcome<script>alert("hi")</script> gets redisplayed as such in the browser window and as a result of my authorization logic “Not authorized” message is displayed.

I wonder if this is a security issue and should I need do any encoding/filtering in the code?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This behavior is due to the option useSuffixPatternMatch which is true by default inside the RequestMappingHandlerMapping (I assume you use Spring MVC 3.1).

    useSuffixPatternMatch :
    Whether to use suffix pattern match (“.*”) when matching patterns to requests. If enabled a method mapped to “/users” also matches to “/users.*”. The default value is “true”.

    To set useSuffixPatternMatch to false, the easiest way is to use @Configuration :

    @Configuration
@EnableWebMvc
public class Api extends WebMvcConfigurationSupport {

    @Override
    public RequestMappingHandlerMapping requestMappingHandlerMapping() {
        RequestMappingHandlerMapping mapping = super.requestMappingHandlerMapping();
        mapping.setUseSuffixPatternMatch(false);
        return mapping;
    }

}
    • 0