It it sometimes useful to be able to use a rule to block certain urls. For
example, when using clean urls, it might be desired to also block dirty urls
that have an explicit .jsp extension and only allow the clean urls to pass
through, in order to guarantee that all external urls to a site will be clean.
While it is possible to use a configuration such as
<from>^/.+\.jsp$</from>
<set type="status">404</set>
<to>null</to>
This results in a blank page with 404 status. It would be much nicer if there
was a way to invoke response.sendError(404) so that the standard container
configured error page is used. This could of course be useful for any error
code, e.g. 403 (with special container handling page) etc., and in some cases
this may also have security consequences (leaking the information that a page
is processed differently, i.e. a resource exists but is explicitly blocked, vs
one that simply does not exists, is considered bad for security).
Perhaps a new type can be added to invoke sendError, such as
<to type="error">404</to>
Or something of the sort.
Original issue reported on code.google.com by amichair on 3 Jul 2014 at 2:29
Original issue reported on code.google.com by
amichairon 3 Jul 2014 at 2:29