Example usage for org.springframework.security.web.firewall StrictHttpFirewall setAllowSemicolon

List of usage examples for org.springframework.security.web.firewall StrictHttpFirewall setAllowSemicolon

Introduction

On this page you can find example usage for org.springframework.security.web.firewall StrictHttpFirewall setAllowSemicolon.

Prototype

public void setAllowSemicolon(boolean allowSemicolon) 

Source Link

Document

Determines if semicolon is allowed in the URL (i.e.

Usage

From source file:org.devgateway.toolkit.web.spring.WebSecurityConfig.java

import org.springframework.context.annotation.Bean;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Firewall bean that keeps StrictHttpFirewall's defaults except for two relaxations:
// URL-encoded slashes (%2F) and semicolons are accepted in the request URL.
@Bean
public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowUrlEncodedSlash(true);
    firewall.setAllowSemicolon(true);
    return firewall;
}

From source file:org.pentaho.platform.plugin.services.security.userrole.SecuritySystemListener.java

/**
 * https://jira.pentaho.com/browse/BACKLOG-22526
 *
 * StrictHttpFirewall was added and made the default HttpFirewall for FilterChainProxy. As per its javadoc, it is meant
 * to block requests that contain one of the following characters in the URL: period, forward slash, backslash, semicolon, percentage.
 *
 * StrictHttpFirewall was added to address 3 different CVEs: CVE-2016-5007, CVE-2016-9879, CVE-2018-1199
 *
 * However, Pentaho's file/folder endpoint resources are passed as path params. And we do support file/folder names with the
 * aforementioned characters. In light of this, we are setting a more lenient HttpFirewall for FilterChainProxy.
 *
 * @link https://github.com/spring-projects/spring-security/blob/4.1.5.RELEASE/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
 */
// Note: PentahoSystem and logger are members of the enclosing SecuritySystemListener class;
// FilterChainProxy and StrictHttpFirewall come from org.springframework.security.web.
private void changeFilterChainProxyHttpFirewall() {

    StrictHttpFirewall notSoStrictHttpFirewall = new StrictHttpFirewall();

    notSoStrictHttpFirewall.setAllowSemicolon(true);
    notSoStrictHttpFirewall.setAllowUrlEncodedPercent(true);
    notSoStrictHttpFirewall.setAllowUrlEncodedPeriod(true);

    try {

        FilterChainProxy filterChainProxy = PentahoSystem.get(FilterChainProxy.class, "filterChainProxy", null);

        if (filterChainProxy != null) {
            logger.debug(
                    "Changing FilterChainProxy's HttpFirewall to a more lenient one that allows for the passing "
                            + "of semicolons, periods, and percentages signs in the URL path"); //$NON-NLS-1$

            filterChainProxy.setFirewall(notSoStrictHttpFirewall);
        }

    } catch (Throwable t) {
        logger.error(t);
    }
}
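Both snippets above relax the default rule, so it is worth seeing exactly what that rule does. The following is an added example, not code from either project on this page: it builds a default StrictHttpFirewall and one with only setAllowSemicolon(true), then runs both against a few constructed request URIs to show which ones are rejected with RequestRejectedException. It assumes spring-security-web and spring-test (for MockHttpServletRequest) are on the classpath; the class and method names (SemicolonFirewallDemo, accepts, strictFirewall, semicolonTolerantFirewall) are this example's own. Semicolons in a path are what Spring MVC uses for matrix variables, which is why the relaxation is sometimes needed; the point of keeping every other rule in place is that encoded periods, slashes and percent signs are still refused.

```java
// Added example (not from the original page or from either project it quotes).
// Requires spring-security-web and spring-test on the classpath.
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class SemicolonFirewallDemo {

    /** Default StrictHttpFirewall: semicolons (and their %3B encoding) are rejected. */
    static HttpFirewall strictFirewall() {
        return new StrictHttpFirewall();
    }

    /** Relaxes only the semicolon rule; every other StrictHttpFirewall check stays on. */
    static HttpFirewall semicolonTolerantFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        return firewall;
    }

    /**
     * Runs a constructed GET request through the firewall the same way FilterChainProxy does.
     * Returns true if the request is accepted, false if the firewall throws RequestRejectedException.
     */
    static boolean accepts(HttpFirewall firewall, String requestUri) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        try {
            FirewalledRequest wrapped = firewall.getFirewalledRequest(request);
            wrapped.reset(); // FilterChainProxy calls reset() once the chain has finished
            return true;
        } catch (RequestRejectedException rejected) {
            return false;
        }
    }

    public static void main(String[] args) {
        HttpFirewall strict = strictFirewall();
        HttpFirewall tolerant = semicolonTolerantFirewall();

        // Constructed sample URIs; none of them are real endpoints.
        String[] uris = {
            "/files/report.pdf",          // plain path: accepted by both
            "/files/report;version=2",    // matrix variable: rejected by strict, accepted by tolerant
            "/files/report%3Bversion=2",  // encoded semicolon: same outcome as the literal one
            "/files/%2e%2e/secret",       // encoded period: rejected by both (setAllowUrlEncodedPeriod is off)
            "/files/a%2Fb",               // encoded slash: rejected by both (setAllowUrlEncodedSlash is off)
            "/files/100%25",              // encoded percent: rejected by both (setAllowUrlEncodedPercent is off)
        };

        System.out.printf("%-28s %-8s %-8s%n", "request URI", "strict", "semicolon-ok");
        for (String uri : uris) {
            System.out.printf("%-28s %-8b %-8b%n", uri, accepts(strict, uri), accepts(tolerant, uri));
        }
    }
}
```

The accepts helper is the piece worth keeping: dropped into a unit test, it lets you assert that a custom firewall bean still rejects the encodings you did not intend to allow, which is the regression risk whenever one of the setAllow* switches is flipped.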