I am working with Fortify on my latest project, and have a recommendation to update my pattern matcher from an Ant Matcher for Spring MVC endpoints to MVC request matchers. The actual text of the recommendation is this...
Fortify Recommendation:
To protect Spring MVC endpoints, use the MVC request matcher instead of the Ant matcher.
Every example of the use of MVC matchers is in a Java context, and this file is an XML file. The lines that Fortify is specifically calling out are formatted like this. I am not sure what to update or do to get rid of this recommendation and would take any suggestions.
<http pattern="/fu.jsp" security="none" />
<http pattern="/bar/**" security="none" />
<intercept-url pattern="/fubarLogins" access="allAccess" />
This is how I resolved it.
<http auto-config="true" request-matcher="mvc">
    <intercept-url pattern="/fubar.jsp" />
</http>
It did leave me with an application context error that I had to go about resolving later on.
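The same change applied to all three flagged lines, as an added example that is not the poster's configuration. With request-matcher="mvc", each pattern is matched using Spring MVC's own path-matching rules, so the security rule covers the same URLs that Spring MVC maps to the handler. Assumptions: the access expressions are stand-ins, the application's existing authentication-manager element stays as it is, and the explicit introspector bean is needed only when Spring MVC has not registered one in the same application context.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               https://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               https://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Before (flagged): no request-matcher attribute, so each pattern is
       evaluated as an Ant pattern.
  <http pattern="/fu.jsp" security="none" />
  <http pattern="/bar/**" security="none" />
  -->

  <!-- After: every <http> element declares its own matcher strategy,
       including the security="none" chains. -->
  <http pattern="/fu.jsp" security="none" request-matcher="mvc" />
  <http pattern="/bar/**" security="none" request-matcher="mvc" />

  <http auto-config="true" request-matcher="mvc">
    <!-- Assumption: permitAll and isAuthenticated() stand in for the
         application's real access rules. -->
    <intercept-url pattern="/fubarLogins" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
  </http>

  <!-- The mvc matcher looks up a HandlerMappingIntrospector bean by this
       exact name. Assumption: Spring MVC has not already registered it in
       this context; if it has, leave this definition out. -->
  <beans:bean name="mvcHandlerMappingIntrospector"
              class="org.springframework.web.servlet.handler.HandlerMappingIntrospector" />

  <!-- The application's existing <authentication-manager> element goes here,
       unchanged. -->
</beans:beans>
```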