List of usage examples for org.springframework.security.web FilterChainProxy setFirewall
public void setFirewall(HttpFirewall firewall)
From source file: org.pentaho.platform.plugin.services.security.userrole.SecuritySystemListener.java
/** * https://jira.pentaho.com/browse/BACKLOG-22526 * * StrictHttpFirewall was added and made the default HTTPFirewall for FilterChainProxy. As per its javadoc, it is meant * to block requests that contains one of the following characters in the URL: period, forward slash, backslash, semicolon, percentage * * StrictHttpFirewall was added to address 3 different CVEs: CVE-2016-5007, CVE-2016-9879, CVE-2018-1199 * * However, Pentaho's file/folder endpoint resources are passed as path params. And we do support file/folder names with the * aforementioned characters. In light of this, we are setting a more lenient HttpFirewall for FilterChainProxy * * @link https://github.com/spring-projects/spring-security/blob/4.1.5.RELEASE/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java *///from w w w. j a v a2 s . c o m private void changeFilterChainProxyHttpFirewall() { StrictHttpFirewall notSoStrictHttpFirewall = new StrictHttpFirewall(); notSoStrictHttpFirewall.setAllowSemicolon(true); notSoStrictHttpFirewall.setAllowUrlEncodedPercent(true); notSoStrictHttpFirewall.setAllowUrlEncodedPeriod(true); try { FilterChainProxy filterChainProxy = PentahoSystem.get(FilterChainProxy.class, "filterChainProxy", null); if (filterChainProxy != null) { logger.debug( "Changing FilterChainProxy's HttpFirewall to a more lenient one that allows for the passing " + "of semicolons, periods, and percentages signs in the URL path"); //$NON-NLS-1$ filterChainProxy.setFirewall(notSoStrictHttpFirewall); } } catch (Throwable t) { logger.error(t); } }
From source file: org.springframework.security.config.annotation.web.builders.WebSecurity.java
/**
 * Builds the servlet {@link Filter} for this web security configuration.
 * <p>
 * The result is a {@link FilterChainProxy} holding, in order: one filter-less
 * {@link DefaultSecurityFilterChain} per ignored request matcher, followed by the chain produced
 * by each registered {@code SecurityBuilder}. Ignored chains come first and carry no filters, so a
 * request matched by an ignore matcher bypasses every security filter; ignore matchers should
 * therefore be kept as narrow as possible. If an {@code HttpFirewall} was configured it is applied
 * to the proxy; otherwise the proxy keeps whatever firewall it creates by default.
 * <p>
 * When debugging is enabled the proxy is wrapped in a {@link DebugFilter} and a warning is logged,
 * since debug output may include sensitive request information and is not meant for production.
 * The post-build action runs last.
 *
 * @return the filter chain proxy, or a {@link DebugFilter} around it when debugging is enabled
 * @throws Exception if any security filter chain builder fails, or the proxy's
 *     {@code afterPropertiesSet} rejects the configuration
 * @throws IllegalStateException if no security filter chain builder has been registered
 */
@Override
protected Filter performBuild() throws Exception {
  Assert.state(!securityFilterChainBuilders.isEmpty(),
      () -> "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. "
          + "Typically this done by adding a @Configuration that extends WebSecurityConfigurerAdapter. "
          + "More advanced users can invoke " + WebSecurity.class.getSimpleName()
          + ".addSecurityFilterChainBuilder directly");

  FilterChainProxy proxy = new FilterChainProxy(assembleChains());
  if (httpFirewall != null) {
    proxy.setFirewall(httpFirewall);
  }
  proxy.afterPropertiesSet();

  if (!debugEnabled) {
    postBuildAction.run();
    return proxy;
  }
  // Debug mode: warn loudly, then wrap so requests are traced through the proxy.
  logger.warn("\n\n"
      + "********************************************************************\n"
      + "********** Security debugging is enabled. *************\n"
      + "********** This may include sensitive information. *************\n"
      + "********** Do not use in a production system! *************\n"
      + "********************************************************************\n\n");
  Filter debugFilter = new DebugFilter(proxy);
  postBuildAction.run();
  return debugFilter;
}

/**
 * Collects the security filter chains in proxy order: filter-less chains for the ignored
 * request matchers first, then each builder's chain.
 *
 * @return the ordered list of chains to hand to the {@link FilterChainProxy}
 * @throws Exception if a chain builder fails
 */
private List<SecurityFilterChain> assembleChains() throws Exception {
  int expectedSize = ignoredRequests.size() + securityFilterChainBuilders.size();
  List<SecurityFilterChain> chains = new ArrayList<>(expectedSize);
  for (RequestMatcher ignored : ignoredRequests) {
    // No filters: matching requests pass straight through.
    chains.add(new DefaultSecurityFilterChain(ignored));
  }
  for (SecurityBuilder<? extends SecurityFilterChain> builder : securityFilterChainBuilders) {
    chains.add(builder.build());
  }
  return chains;
}