diff --git a/components/org.wso2.carbon.identity.context.rewrite.valve/src/main/java/org/wso2/carbon/identity/context/rewrite/valve/TenantContextRewriteValve.java b/components/org.wso2.carbon.identity.context.rewrite.valve/src/main/java/org/wso2/carbon/identity/context/rewrite/valve/TenantContextRewriteValve.java
index 4369f326..d4b4fbb9 100644
--- a/components/org.wso2.carbon.identity.context.rewrite.valve/src/main/java/org/wso2/carbon/identity/context/rewrite/valve/TenantContextRewriteValve.java
+++ b/components/org.wso2.carbon.identity.context.rewrite.valve/src/main/java/org/wso2/carbon/identity/context/rewrite/valve/TenantContextRewriteValve.java
@@ -139,6 +139,19 @@ public void invoke(Request request, Response response) throws IOException, Servl
if (tenantDomain != null &&
!tenantManager.isTenantActive(IdentityTenantUtil.getTenantId(tenantDomain))) {
handleInvalidTenantDomainErrorResponse(response, HttpServletResponse.SC_NOT_FOUND, tenantDomain);
+ } else if (IdentityTenantUtil.isTenantQualifiedUrlsEnabled()) {
+ boolean isSuperTenantRequiredInUrl = IdentityTenantUtil.isSuperTenantRequiredInUrl();
+ boolean isSuperTenantAppendedInUrl = requestURI.contains("t/" +
+ MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
+ if ((!isSuperTenantRequiredInUrl && isSuperTenantAppendedInUrl) ||
+ (isSuperTenantRequiredInUrl && !isSuperTenantAppendedInUrl)) {
+ if (log.isDebugEnabled()) {
+ log.debug("/t/carbon.super should be append to the request URL only if the Tenant qualified URL " +
+ "feature is enabled and AppendSuperTenantInUrl configuration is enabled. Hence " +
+ "restricting the access to super tenant.");
+ }
+ handleRestrictedTenantDomainErrorResponse(request, response);
+ }
} else {
IdentityUtil.threadLocalProperties.get().put(TENANT_NAME_FROM_CONTEXT, tenantDomain);
diff --git a/pom.xml b/pom.xml
index 8e5649d5..b2a8f082 100644
--- a/pom.xml
+++ b/pom.xml
@@ -345,7 +345,7 @@
${project.version}
- 5.25.358
+ 5.25.380
[5.17.8, 7.0.0)
6.11.128