Example usage for org.springframework.security.web FilterChainProxy setFirewall

List of usage examples for org.springframework.security.web FilterChainProxy setFirewall

Introduction

On this page you can find example usages of org.springframework.security.web FilterChainProxy setFirewall.

Prototype

public void setFirewall(HttpFirewall firewall) 

Document

Sets the "firewall" implementation which will be used to validate and wrap (or potentially reject) the incoming requests.

Usage

From source file: org.pentaho.platform.plugin.services.security.userrole.SecuritySystemListener.java

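/**
 * https://jira.pentaho.com/browse/BACKLOG-22526
 *
 * StrictHttpFirewall was added and made the default HttpFirewall for FilterChainProxy. As per its javadoc, it rejects
 * requests whose URL contains a semicolon or a backslash (raw or URL-encoded), a URL-encoded forward slash, a
 * URL-encoded percent sign (double encoding) or a URL-encoded period, and requests whose URL is not normalized
 * (e.g. contains "/../" or "/./" segments). Plain periods and slashes are not rejected.
 *
 * StrictHttpFirewall was added to address 3 different CVEs: CVE-2016-5007, CVE-2016-9879, CVE-2018-1199
 *
 * However, Pentaho's file/folder endpoint resources are passed as path params. And we do support file/folder names
 * with the aforementioned characters. In light of this, we are setting a more lenient HttpFirewall for
 * FilterChainProxy.
 *
 * Only three checks are relaxed here (semicolon, encoded percent, encoded period); encoded slashes, backslashes and
 * non-normalized URLs are still rejected. Each relaxation re-admits input the default firewall blocks for a reason
 * (semicolons introduce path parameters, encoded percent allows double encoding, encoded periods can hide dot
 * segments), so every request matcher and path-based authorization rule behind this proxy must be written to
 * tolerate those forms rather than assume the firewall has removed them.
 *
 * If the FilterChainProxy cannot be looked up or reconfigured, the stricter default firewall simply stays in place;
 * that is the safe direction, so the failure is logged rather than propagated.
 *
 * @link https://github.com/spring-projects/spring-security/blob/4.1.5.RELEASE/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
 */
private void changeFilterChainProxyHttpFirewall() {
    StrictHttpFirewall notSoStrictHttpFirewall = new StrictHttpFirewall();
    notSoStrictHttpFirewall.setAllowSemicolon(true);
    notSoStrictHttpFirewall.setAllowUrlEncodedPercent(true);
    notSoStrictHttpFirewall.setAllowUrlEncodedPeriod(true);

    try {
        FilterChainProxy filterChainProxy = PentahoSystem.get(FilterChainProxy.class, "filterChainProxy", null);

        if (filterChainProxy == null) {
            // Nothing to reconfigure; say so instead of silently doing nothing, which is hard to diagnose later.
            logger.debug("No FilterChainProxy registered as 'filterChainProxy'; leaving the default HttpFirewall in place"); //$NON-NLS-1$
            return;
        }

        logger.debug(
                "Changing FilterChainProxy's HttpFirewall to a more lenient one that allows for the passing "
                        + "of semicolons, periods, and percentages signs in the URL path"); //$NON-NLS-1$

        filterChainProxy.setFirewall(notSoStrictHttpFirewall);
    } catch (Exception e) {
        // Catch Exception rather than Throwable so JVM Errors (OutOfMemoryError, LinkageError, ...) are not swallowed.
        // Pass a message plus the throwable: logger.error(t) alone may render only toString() and lose the stack trace.
        logger.error("Failed to replace the FilterChainProxy's HttpFirewall; the default StrictHttpFirewall remains active", e); //$NON-NLS-1$
    }
}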

From source file: org.springframework.security.config.annotation.web.builders.WebSecurity.java

/**
 * Assembles the {@link FilterChainProxy} from the registered ignore rules and security filter chain builders.
 *
 * <p>One {@link DefaultSecurityFilterChain} is created per ignored {@link RequestMatcher} (no filters are passed to
 * it, so requests it matches are expected to bypass the security filters), followed by one chain per registered
 * builder, in registration order. Ignore rules are added first because FilterChainProxy dispatches to the first
 * chain whose matcher accepts the request. The configured {@code httpFirewall}, when non-null, is installed on the
 * proxy before {@code afterPropertiesSet()}. With debugging enabled the proxy is wrapped in a {@link DebugFilter}
 * and a warning banner is logged first, since debug output may expose sensitive request details.
 *
 * @return the proxy, or the {@link DebugFilter} wrapping it when {@code debugEnabled} is set
 * @throws Exception if a chain builder fails or the proxy rejects its configuration in {@code afterPropertiesSet()}
 */
@Override
protected Filter performBuild() throws Exception {
    Assert.state(!securityFilterChainBuilders.isEmpty(),
            () -> "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. "
                    + "Typically this done by adding a @Configuration that extends WebSecurityConfigurerAdapter. "
                    + "More advanced users can invoke " + WebSecurity.class.getSimpleName()
                    + ".addSecurityFilterChainBuilder directly");

    int expectedChains = ignoredRequests.size() + securityFilterChainBuilders.size();
    List<SecurityFilterChain> chains = new ArrayList<>(expectedChains);
    for (RequestMatcher ignored : ignoredRequests) {
        chains.add(new DefaultSecurityFilterChain(ignored));
    }
    for (SecurityBuilder<? extends SecurityFilterChain> builder : securityFilterChainBuilders) {
        chains.add(builder.build());
    }

    FilterChainProxy proxy = new FilterChainProxy(chains);
    if (httpFirewall != null) {
        proxy.setFirewall(httpFirewall);
    }
    proxy.afterPropertiesSet();

    if (!debugEnabled) {
        postBuildAction.run();
        return proxy;
    }

    // Debug mode: make the risk visible in the log before handing out the wrapping filter.
    String banner = "\n\n" + "********************************************************************\n"
            + "**********        Security debugging is enabled.       *************\n"
            + "**********    This may include sensitive information.  *************\n"
            + "**********      Do not use in a production system!     *************\n"
            + "********************************************************************\n\n";
    logger.warn(banner);
    Filter debugged = new DebugFilter(proxy);
    postBuildAction.run();
    return debugged;
}