如何保护转发URL

Question

Is there a way to secure a forward URL?

To be clear, I've an error handler:

@Component
public class MyAuthenticationFailureHandler implements
        AuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException exception)
            throws IOException, ServletException {

        if (exception.getClass().isAssignableFrom(
                MyException.class)) {
            MyException myException = (MyException) exception;
            RequestDispatcher dispatcher = request.getRequestDispatcher("/signup/exception");
            request.setAttribute("userID", myException.getUserID());
            dispatcher.forward(request, response);
        }
    }

}

and a web controller:

@Controller
@RequestMapping("/signup")
public class SignupController {

    @RequestMapping("/exception")
    public ModelAndView signup() {
        ModelAndView model = new ModelAndView(new InternalResourceView("/WEB-INF/jsp/signup.jsp", true));
        return model;
    }

}

I'd like that the route http://{hostname:port}/signup/exception will be accessible only as forward from my own handler, not directly (by writing URL and params on browser bar).

Answer 1

Add an attribute like

request.setAttribute("isForwarded","True")

in handler and check that attribute inside your controller.

If yes, go ahead else redirect to appropriate page.

Answer 2

I didn't test it, but I know that servlet containers refuse to answer to request relative to WEB-INF, but that you can forward to jsp servlets under WEB-INF. May be you could try to use an url like /WEB-INF/signup/exception ?

Alternatively, I think you're using Spring Security. I do not think that security filters are applied to forwarded requests. What gives the following intercept-url ?

<intercept-url pattern="/signup/exception" access="denyAll" />