[Original] For the full details see AntPatternComparator in AntPathMatcher. Note that the PathMatcher can be customized (see
Section 21.16.11, "Path Matching" in the section on configuring Spring MVC).
For full details see these two classes: AntPatternComparator and AntPathMatcher. Note that the PathMatcher class can be configured (see Section 21.16.11, "Path Matching" in the section on configuring Spring MVC).
Path patterns with placeholders
[Original] Patterns in @RequestMapping annotations support ${…} placeholders against local properties and/or system properties and
environment variables. This may be useful in cases where the path a controller is mapped to may need to be customized through
configuration. For more information on placeholders, see the javadocs of the PropertyPlaceholderConfigurer class.
The @RequestMapping annotation supports placeholders in its paths, which resolve against local configuration, system configuration, environment variables and the like. This is useful in cases such as a controller's mapping path needing to be customized through configuration. For more on placeholders, see the documentation of the PropertyPlaceholderConfigurer class.
Suffix Pattern Matching
[Original] By default Spring MVC performs ".*" suffix pattern matching so that a controller mapped to /person is also implicitly
mapped to /person.*. This makes it easy to request different representations of a resource through the URL path (e.g. /person.pdf,
/person.xml).
By default Spring MVC matches paths with ".*" suffix pattern matching, so a controller mapped to /person is also implicitly mapped to /person.*. This makes it easier to request different representations of the same resource through the URL (e.g. /person.pdf, /person.xml).
[Original] Suffix pattern matching can be turned off or restricted to a set of path extensions explicitly registered for content negotiation
purposes. This is generally recommended to minimize ambiguity with common request mappings such as /person/{id} where a dot
might not represent a file extension (e.g. /person/joe@email.com vs /person/joe@email.com.json). Furthermore, as explained in
the note below, suffix pattern matching as well as content negotiation may be used in some circumstances to attempt malicious attacks,
and there are good reasons to restrict them meaningfully.
You can turn off the default suffix pattern matching, or explicitly restrict path suffixes to the set of formats registered for content negotiation purposes. We recommend doing so, since it reduces the ambiguity that can arise when mapping requests: for a path such as /person/{id}, what follows the dot may not describe a content format, as in /person/joe@email.com vs /person/joe@email.com.json. Moreover, as discussed shortly below, suffix pattern matching and content negotiation can sometimes be used by attackers to carry out attacks, so restricting suffix matching in a meaningful way is beneficial.
[Original] See Section 21.16.11, "Path Matching" for suffix pattern matching configuration and also Section 21.16.6, "Content Negotiation"
for content negotiation configuration.
For configuring suffix pattern matching, see Section 21.16.11, "Path Matching"; for configuring content negotiation, see Section 21.16.6, "Content Negotiation".
Suffix pattern matching and RFD
[Original] Reflected file download (RFD) attack was first described in a paper by Trustwave in 2014. The attack is similar to XSS in that it
relies on input (e.g. query parameter, URI variable) being reflected in the response. However instead of inserting JavaScript into HTML, an
RFD attack relies on the browser switching to perform a download and treating the response as an executable script if double-clicked
based on the file extension (e.g. .bat, .cmd).
The Reflected File Download (RFD) attack was first described in a 2014 paper by Trustwave. It is somewhat similar to XSS, in that it also relies on the property that your input (e.g. a query parameter, a URI variable) appears in some form in the response. The difference is that an RFD attack