Reputation: 498
I am trying to secure a few pages on tomcat6 for a vended application. I was successful in securing most of the URLs using url-pattern, except two (marked with double asterisks in the code below). These two URLs are different in that they take parameters that determine the view. I would like to restrict those two views and hence have specified the exact URLs to be blocked/secured/authenticated as shown below. But tomcat does not secure them.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>TopBraid</web-resource-name>
    <description>Restrict few pages that need security.</description>
    <url-pattern>/tbl/admin/*</url-pattern>
    <url-pattern>/tbl/sparql/*</url-pattern>
    **<url-pattern>/tbl/swp?_viewClass=appConfig:ServerConfigEditor</url-pattern>**
    **<url-pattern>/tbl/swp?_viewClass=adminConfig:AdminEditPage</url-pattern>**
    <url-pattern>/tbl/sp_reset</url-pattern>
    <url-pattern>/tbl/sp_redeploy</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>SERVER_ADMINS</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>SERVER_ADMINS</role-name>
</security-role>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>TopBraid</realm-name>
  <form-login-config>
    <form-login-page>/logon.html</form-login-page>
    <form-error-page>/logonError.html</form-error-page>
  </form-login-config>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public</web-resource-name>
    <description>Matches any page.</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
</security-constraint>
I know the JSR spec might call them an invalid pattern. Wondering if the pattern could somehow be specified such that it is acceptable. Or are there other ways to restrict access to the two URLs I have listed above?
Upvotes: 1
Views: 2516
Reputation: 879
Restricting access to specific URL parameters and their values, like you are trying to do above with /tbl/swp?_viewClass=tblconfig:ConfigEditor and /tbl/swp?_viewClass=admins:AdminsEditorPage, is not possible from the web or application server. This type of filtering/URL restriction will have to be performed by the application itself, through creating a unique session for those views.
When the application server parses incoming URLs, its job is done once it reaches the first "?", which is the first parameter to be passed to the application. From here, any type of filtering/access control must be handled by the application.
Upvotes: 1
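The application-side check the answer points to, as an added example that is not code from the question, the answer, or TopBraid: a servlet Filter for Tomcat 6 (Servlet 2.5) that reads the _viewClass parameter and lets only SERVER_ADMINS reach the two views named in the question. The class name AdminViewFilter, the package example, and the filter-mapping in the comment are assumptions. It also assumes /tbl/swp itself is placed under a security-constraint whose auth-constraint admits the roles the application already uses, because the container performs FORM login and role lookup before any filter runs; the filter then narrows just the two admin views to SERVER_ADMINS.

```java
// AdminViewFilter.java: added example, not from the question, the answer, or TopBraid.
// Class name, package and the filter-mapping below are assumptions for illustration.
package example;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Register in web.xml (Servlet 2.5, as shipped with Tomcat 6) so it runs in front of
 * the servlet behind /tbl/swp. The container's FORM login and role lookup happen
 * before any filter, so /tbl/swp must itself sit under a <security-constraint> with
 * an <auth-constraint>; otherwise getUserPrincipal() is null and this filter denies.
 *
 *   <filter>
 *     <filter-name>AdminViewFilter</filter-name>
 *     <filter-class>example.AdminViewFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>AdminViewFilter</filter-name>
 *     <url-pattern>/tbl/swp</url-pattern>
 *   </filter-mapping>
 */
public class AdminViewFilter implements Filter {

    /** The two views from the question, identified by their _viewClass value. */
    private static final Set<String> ADMIN_VIEWS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList(
                    "appConfig:ServerConfigEditor",
                    "adminConfig:AdminEditPage")));

    /** Role allowed to open those views; matches the <auth-constraint> in the question. */
    private static final String ADMIN_ROLE = "SERVER_ADMINS";

    /**
     * True if any supplied _viewClass value names an admin view. Every value is
     * checked because a request may repeat the parameter; getParameter() would
     * only ever return the first occurrence.
     */
    static boolean requestsAdminView(String[] viewClassValues) {
        if (viewClassValues == null) {
            return false;
        }
        for (String value : viewClassValues) {
            if (value != null && ADMIN_VIEWS.contains(value.trim())) {
                return true;
            }
        }
        return false;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getParameterValues() covers query-string and form-body parameters alike,
        // already URL-decoded, so the check does not depend on how the value was sent.
        if (requestsAdminView(request.getParameterValues("_viewClass"))) {
            if (request.getUserPrincipal() == null) {
                // The container never authenticated this request (see web.xml note above).
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (!request.isUserInRole(ADMIN_ROLE)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration needed.
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

The filter keeps a closed list of view names and asks the container for the role, so it cannot grant more than web.xml already does; it only denies. Trimming the value is safe in the deny direction (an untrimmed value either matches the list and is denied, or does not match and is handled by the application as before). If the vended application matches view names case-insensitively, compare with equalsIgnoreCase against each entry instead of a HashSet lookup, since a case variant would otherwise slip past the list while still opening the view.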