arnehehe

Reputation: 1398

Security-constraint web.xml url-pattern safety

I was wondering if the following configuration would be safe:

Webpages accessible at locations /ManageXXXX.do, /ManageYYYY.do, ... should only be able to be accessed by admin role, every other page is available to anyone.

I have configured the web.xml file as such:

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/Manage*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

Now I was wondering how reliable this was to people trying to get past the security. Is this guaranteed to block my Manage* pages from unauthorized users? I'd just like to know how safe this kind of pattern matching is.

Upvotes: 0

Views: 3526

Answers (1)

Michael

Reputation: 10319

From the Servlet API Specification: http://www.jcp.org/aboutJava/communityprocess/mrel/jsr154/

SRV.11.2 Specification of Mappings

In the Web application deployment descriptor, the following syntax is used to define mappings:

• A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
• A string beginning with a ‘*.’ prefix is used as an extension mapping.
• A string containing only the ‘/’ character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
• All other strings are used for exact matches only.

According to the Servlet API Specification, the pattern /Manage* is used for “exact matches only”, which is not what you want. Please move all resources for the admin role to /Manage/ and configure the pattern <url-pattern>/Manage/*</url-pattern>.

Upvotes: 1
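
The mapping rules quoted in the answer can be checked mechanically against a descriptor. The following is an added example, not part of the original question or answer: a small audit script that classifies each url-pattern inside a security-constraint by the four SRV.11.2 rules, flags patterns where `*` ends up as a literal character, and lists sample request paths that no constraint covers. The function names (`classify`, `matches`, `constraint_patterns`, `audit`) and the two sample descriptors are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

def classify(pattern):
    """Return the SRV.11.2 mapping type of a url-pattern."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    if pattern == "/":
        return "default"
    return "exact"

def matches(pattern, path):
    """True if a request path (context path removed) falls under pattern."""
    kind = classify(pattern)
    if kind == "path":
        prefix = pattern[:-2]                    # "/Manage/*" -> "/Manage"
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if kind == "default":
        return True                              # fallback for any path
    return path == pattern                       # '*' is a literal character here

def constraint_patterns(web_xml):
    """Collect url-patterns found inside <security-constraint> elements."""
    def local(el):
        return el.tag.rsplit("}", 1)[-1]         # ignore XML namespaces
    root = ET.fromstring(web_xml)
    return [u.text.strip()
            for c in root.iter() if local(c) == "security-constraint"
            for u in c.iter() if local(u) == "url-pattern" and u.text]

def audit(web_xml, paths):
    """Report literal-wildcard patterns and the sample paths left uncovered."""
    patterns = constraint_patterns(web_xml)
    literal = [p for p in patterns if classify(p) == "exact" and "*" in p]
    uncovered = [p for p in paths if not any(matches(q, p) for q in patterns)]
    return literal, uncovered

# Constructed sample descriptors: the question's pattern and the answer's.
QUESTION_XML = """<web-app><security-constraint><web-resource-collection>
  <url-pattern>/Manage*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint></web-app>"""
ANSWER_XML = QUESTION_XML.replace("/Manage*", "/Manage/*")

if __name__ == "__main__":
    for xml in (QUESTION_XML, ANSWER_XML):
        print(audit(xml, ["/ManageXXXX.do", "/Manage/XXXX.do"]))
```

With the answer's pattern, /ManageXXXX.do is still reported as uncovered, which is why the resources have to be moved under /Manage/ and not just the pattern changed.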
