Example usage for org.springframework.security.web.firewall StrictHttpFirewall StrictHttpFirewall

Introduction

On this page you can find example usages of the org.springframework.security.web.firewall.StrictHttpFirewall no-argument constructor, StrictHttpFirewall(), taken from projects that relax its default rules.

Prototype

public StrictHttpFirewall()

Usage

From source file: org.devgateway.toolkit.web.spring.WebSecurityConfig.java

import org.springframework.context.annotation.Bean;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Replaces the default firewall so that an encoded slash (%2F) and a semicolon in the URL are no
// longer rejected. All other StrictHttpFirewall checks (backslash, encoded period and percent,
// non-normalized paths) remain in force.
@Bean
public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowUrlEncodedSlash(true); // permit %2F / %2f in the request URI
    firewall.setAllowSemicolon(true);       // permit ';' (e.g. path parameters such as jsessionid)
    return firewall;
}

From source file: org.pentaho.platform.plugin.services.security.userrole.SecuritySystemListener.java

/**
 * https://jira.pentaho.com/browse/BACKLOG-22526
 *
 * StrictHttpFirewall was added and made the default HttpFirewall for FilterChainProxy. As per its javadoc, it is
 * meant to block requests whose URL contains a semicolon or backslash, or a URL-encoded period, forward slash or
 * percent sign.
 *
 * StrictHttpFirewall was added to address 3 different CVEs: CVE-2016-5007, CVE-2016-9879, CVE-2018-1199
 *
 * However, Pentaho's file/folder endpoint resources are passed as path params, and we do support file/folder names
 * with the aforementioned characters. In light of this, we are setting a more lenient HttpFirewall for
 * FilterChainProxy.
 *
 * @see <a href="https://github.com/spring-projects/spring-security/blob/4.1.5.RELEASE/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java">StrictHttpFirewall source</a>
 */
private void changeFilterChainProxyHttpFirewall() {
    // Start from the strict defaults and relax only the three checks the Pentaho URLs need.
    // Encoded slash and backslash stay blocked.
    StrictHttpFirewall notSoStrictHttpFirewall = new StrictHttpFirewall();
    notSoStrictHttpFirewall.setAllowSemicolon(true);
    notSoStrictHttpFirewall.setAllowUrlEncodedPercent(true);
    notSoStrictHttpFirewall.setAllowUrlEncodedPeriod(true);

    try {
        // Look up the Spring Security FilterChainProxy bean registered with the Pentaho system.
        FilterChainProxy filterChainProxy = PentahoSystem.get(FilterChainProxy.class, "filterChainProxy", null);

        if (filterChainProxy != null) {
            logger.debug(
                    "Changing FilterChainProxy's HttpFirewall to a more lenient one that allows for the passing "
                            + "of semicolons, periods, and percent signs in the URL path"); //$NON-NLS-1$

            filterChainProxy.setFirewall(notSoStrictHttpFirewall);
        }
    } catch (Throwable t) {
        logger.error(t);
    }
}
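The two snippets above only relax the firewall; they do not show what changes for an incoming request. The following added example (not code from either project on this page) builds a firewall with the same three relaxations as the Pentaho method and runs constructed sample URIs through it and through an unmodified StrictHttpFirewall, so the widened attack surface is visible case by case. It assumes Spring Security 5.x and spring-test's MockHttpServletRequest on the classpath.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/** Added example: compares the default StrictHttpFirewall with the relaxed configuration shown above. */
public class FirewallLenienceDemo {

    /** Returns true if the firewall lets the request through, false if it throws RequestRejectedException. */
    static boolean accepts(HttpFirewall firewall, String requestUri) {
        // spring-test's MockHttpServletRequest stands in for a container request; the firewall inspects
        // getRequestURI() (plus contextPath, servletPath and pathInfo, which are empty in this mock).
        MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        try {
            firewall.getFirewalledRequest(request);
            return true;
        } catch (RequestRejectedException e) {
            return false;
        }
    }

    /** Same relaxations as the Pentaho method on this page: semicolon, encoded percent, encoded period. */
    static StrictHttpFirewall pentahoStyleFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        firewall.setAllowUrlEncodedPercent(true);
        firewall.setAllowUrlEncodedPeriod(true);
        return firewall;
    }

    public static void main(String[] args) {
        HttpFirewall strict = new StrictHttpFirewall();
        HttpFirewall lenient = pentahoStyleFirewall();

        // Constructed sample URIs; the file names mimic path parameters that carry special characters.
        String[] uris = {
            "/api/repo/files/report.pdf",       // plain: accepted by both
            "/api/repo/files/report%2Epdf",     // encoded period: strict rejects, lenient accepts
            "/api/repo/files/100%25-done.txt",  // encoded percent: strict rejects, lenient accepts
            "/api/repo;jsessionid=abc/files",   // semicolon: strict rejects, lenient accepts
            "/api/repo/files/a%2Fb.txt"         // encoded slash: both reject (setAllowUrlEncodedSlash not called)
        };
        System.out.printf("%-36s %-7s %s%n", "URI", "strict", "lenient");
        for (String uri : uris) {
            System.out.printf("%-36s %-7b %b%n", uri, accepts(strict, uri), accepts(lenient, uri));
        }
    }
}
```

Each relaxation should be matched by a downstream check (path normalization, allow-listed file names) in the endpoint that needed it, since the firewall no longer provides that guarantee for the relaxed character.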