This question already has answers here:
Servlet and path parameters like /xyz/{value}/test, how to map in web.xml?
(7 answers)
Closed 2 years ago.
I have a question on if this is possible to do. I have a profile servlet that has 2 url patterns, /profile and /profile/* .So in my project I have a user use GET /profile to get all of the profiles in JSON. Each profile has a favorite team string. Also, I use /profile/* for getting specific profiles by doing /profile/2 for example. Then I have profileFavTeam servlet that I want to get all of the data of the profile favorite team. So I need to get the profiles ID so I want the url to be /profile/"ID"/favteam and this would return the teams statistics.
So for example, If the profile ID is 2 has a favorite team called Liverpool, and I entered /profile/2/favteam, it would show the stats of Liverpool
So would my url for profileFavTeam in web.xml look like this because i want the user to put a number in ID /profile/*/favteam ?
But would this work if I have /profile/* url pattern in my profile servlet?
This would not work. You basically haven path mapping (ending with /*) or extension mapping (beginning with *.). See section 12.2 of the Servlet spec
In the Web application deployment descriptor, the following syntax is used to define mappings:
■ A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
■ A string beginning with a ‘*.’ prefix is used as an extension mapping.
■ The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form http://host:port//. In this case the path info is ’/’ and the servlet path and context path is empty string (““).
■ A string containing only the ’/’ character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
■ All other strings are used for exact matches only.
If the effective web.xml (after merging information from fragments and annotations) contains any url-patterns that are mapped to multiple servlets then the deployment must fail.
You should implement the Front Controller pattern, with a single Servlet receiving all the requests, and delegate them to the processing objects according to the pattern.
Related
If you run this simple RestController with Spring Boot (2.5.3):
#RestController
public class SampleRestController {
#GetMapping("/search/{criteria}")
public String hello(#PathVariable(name = "criteria") String criteria) {
return "Hello: " + criteria;
}
}
And try to open this link in your browser:
http://localhost:8080/search/%22%5C%22bug%5C%22%22
Then you will get "400 Bad Request", returned by the embedded Tomcat.
I don't understand, is this a bug in Tomcat ? Is this not a valid URL ?
EDIT: As per some of the replies: I went step-by-step through the Tomcat 9.0.50 source-code and saw the line about ALLOW_BACKSLASH.
And neither of the values true or false is good for me, because with true it replaced \ with / and with false it returns 400 Bad Request.
What I needed was to allow backslash without replacing it with slash.
My question is really whether this is a bug in Tomcat, since for me the URL seems to be valid. I am not technically putting a \ into the URL, I am putting a %-encoded backslash. What is the purpose of the %-encoding if not to allow the user to send any character in the URL ?
Refer to Piotr P. Karwasz comments above for better explanation.
The tomcat version correspond to Spring Boot (2.5.3) is 9.0.50.
By checking the source code of CoyoteAdaptor and Tomcat System parameter documentation, the url checking is configured by a flag ALLOW_BACKSLASH through System Property org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH, with false as default value.
...
protected static final boolean ALLOW_BACKSLASH =
Boolean.parseBoolean(System.getProperty("org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH", "false"));
...
To allow backslash in the URL, we can add below when running the application.
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
This property is replaced after tomcat 10.0.0-M4.
Remove org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH system property, replaced by the allowBackslash attribute on the Connector. (remm)
While samabcde's answer provides a solution for your problem, let me answer to your more general questions:
your URL is perfectly valid although RFC 3986, section 7.3 allows some restriction to be imposed for security reasons,
these restrictions are not a Tomcat bug, as they were introduced as an answer to CVE-2007-0450. Before Tomcat 6.0.10 the sequences /, %2F and %5C were used to split the request URI into components. If Tomcat was behind a proxy that forwarded only an application (let's say /app), you could use /app/%5C../manager/html to access Tomcat Manager.
If you set org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true you expose your system to the aforementioned vulnerability and all %5C sequences will appear as / in the servletPath and pathInfo ServletRequest properties. Since the requestURI property contains the undecoded URI path (cf. this question) your example will work.
Yes it seems like an invalid URL, you also get an error by Spring Boot refering to RFC 7230 and RFC 3986 specifications.
But you could use some query parameter to avoid this error, e.g.:
#GetMapping("/search")
public String hello(#RequestParam(name = "criteria", required = false) String criteria) {
return "Hello: " + criteria;
}
And call it like:
http://localhost:8080/search?criteria=%22%5C%22bug%5C%22%22
I’m trying to setup the emulator so I can develop the firebase functions safely before deploying them. I just noticed that some REST calls I’m doing now fails - anybody know if it is not possible to use the REST feature of the RealTime DB https://firebase.google.com/docs/reference/rest/database
I'm trying to hit it with this URL
http://localhost:9000/?ns=<PROJECT ID>-default-rtdb/development/DISHES.json
because this is what I set the firebaseConfig.databaseURL to (suggested here by Google)
Bonus info: If I try to do a GET to the URL via postman it creates another database called fake-server (http://localhost:4000/database/fake-server: null) 🤔
According to RFC 3986, the path must come before the query parameters in URLs. Your URL should be instead written as:
http://localhost:9000/development/DISHES.json?ns=<PROJECT ID>-default-rtdb
Note how the corrected URL has the query parameter appended to the very end. (The URL you've provided in the question will be parsed as having one query parameter ns with the value of <PROJECT ID>-default-rtdb/development/DISHES.json, which is not a valid namespace name. That explains the errors you've seen.)
FYI, it looks like you're constructing the URL by concatenating the string databaseURL with the path -- this may lead to surprising results as you've seen above. Considering using a URL parser / formatter in your language / framework of choice instead, which handles URL parts correctly. For example, in JavaScript you can use the snippet below:
const url = new URL(databaseURL); // Parse URL (including query params, if any)
url.pathname = '/development/DISHES.json';
yourFetchingLogic(url.toString()); // Reconstruct the URL with path replaced
I have used openAM for enabling SSO(Single Sign On) and for authentication for several components (web app, J2EE app). When creating and configuring a policy in OpenAM Admin Console, It is needed to add
http://app1.kpp.com:4413/myApp*?*
and
http://app1.kpp.com:4413/myApp/* in Available resource pattern field.
I have understood the 2nd pattern. it means all resource pattern which have a suffix of "http://app1.kpp.com:4413/myApp"
but what does it mean by *?* in first resource pattern: http://app1.kpp.com:4413/myApp*?*
Thanx for any help.
URLs with request parameters (the 1st parameter is appended with '?') are not matched by the '*' pattern, hence you explicitly need the 2nd rule to match those requests.
However this is 'authorization' and not 'authentication' or 'SSO'.
If you only need 'authentication' and 'SSO' you can use 'SSO only mode' for agents and there is no need for any URL policy.
I have an API that includes an account ID as part of the url (e.g. /account/7319310/report) where 7319310 is then account ID.
There are different credentials for each account, stored in MySQL although they could be stored in another manner if it made it easier.
I'd like Paw to automatically use the correct credentials based on the account parameter in the URI (it's always the second element) - is this possible?
In paw you can use a regex Dynamic to extract the data you need from the url:
Paw does not have a direct connection to MySQL, you can make http request from a custom value but you would need a server running to push these request to the server. A better option would be to save the credentials into a flat json file.
{
"1234334": {
"key1": 123456,
"key2": 345211
}
}
With this saved you can load this json file in a Custom Dynamic Value:
Here you can embed the extracted user id by using the regex dynamic value. inline in the code. Paw will reload the file on every request so you could set up a cron job to dump your database to this JSON file.
I have a file in my Alfresco (4.1.5) repository of which I want to read the content through the Alfresco services REST API.
For the lookup, I want to use the file path, not the UUID. However, the lookup by path does not work, only the lookup by UUID works. I cannot find the mistake.
This is the file path:
DisplayPath & File Name:
/Company Home/Data Dictionary/Cleaner Configs/cleaner.properties
QNamePath:
/app:company_home/app:dictionary/cm:Cleaner_x0020_Configs/cm:cleaner.properties
Lookup by UUID works with the following REST API url:
http://localhost:8080/alfresco/service/cmis/i/2391adf9-365c-4959-bf30-8f001154c100/content
However, lookup by path only does not work. Neither with the primary path nor the display path:
http://localhost:8080/alfresco/service/cmis/p/app:company_home/app:dictionary/cm:Cleaner_x0020_Configs/cm:cleaner.properties/content?a=false
http://localhost:8080/alfresco/service/cmis/p/Company%20Home/Data%20Dictionary/Cleaner%20Configs/cleaner.properties/content?a=false
I am getting a 404 error in both cases:
Message: 10080001 Unable to find ObjectPathReference[storeRef=workspace://SpacesStore,path=/app:company_home/app:company_home/app:dictionary/cm:Cleaner_x0020_Configs/cm:cleaner.properties]
Exception: org.springframework.extensions.webscripts.WebScriptException - 10080001 Unable to find ObjectPathReference[storeRef=workspace://SpacesStore,path=/app:company_home/app:company_home/app:dictionary/cm:Cleaner_x0020_Configs/cm:cleaner.properties]
Reference:
http://wiki.alfresco.com/wiki/CMIS_Web_Scripts_Reference#Get_Content_.28getContent.29
Gets the content stream for the specified document, or gets a
rendition stream for a specified rendition of a document.
GET /alfresco/service/cmis/p{path}/content{property}?a={attach?}
I found the problem, thanks to #Gagravarr for the hint:
I have to use the display path, but leave out /Company%20Home/ in the path, because the path used in the request url is taken as relative to the /Company%20Home node.
This works:
http://<host:port>/alfresco/service/cmis/p/Data%20Dictionary/Cleaner%20Configs/cleaner.properties/content?a=false