org.springframework.security.web.firewall
Class DefaultHttpFirewall
java.lang.Object
org.springframework.security.web.firewall.DefaultHttpFirewall
- All Implemented Interfaces:
- HttpFirewall
public class DefaultHttpFirewall
- extends java.lang.Object
- implements HttpFirewall
Default implementation which wraps requests in order to provide consistent values of the servletPath and pathInfo, which do not contain path parameters (as defined in RFC 2396). Different servlet containers interpret the servlet spec differently as to how path parameters are treated and it is possible they might be added in order to bypass particular security constraints. When using this implementation, they will be removed for all requests as the request passes through the security filter chain. Note that this means that any segments in the decoded path which contain a semi-colon will have the part following the semi-colon removed for request matching. Your application should not contain any valid paths which contain semi-colons.

If any un-normalized paths are found (containing directory-traversal character sequences), the request will be rejected immediately. Most containers normalize the paths before performing the servlet-mapping, but again this is not guaranteed by the servlet spec.
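The two behaviours described above, as an added sketch that is not Spring Security's own code: path parameters are stripped from every segment before matching, and paths containing "." or ".." segments are rejected. The class name PathFirewallSketch, its method names and the sample paths are made up for illustration, and IllegalArgumentException stands in for RequestRejectedException.

```java
// Added sketch: models the behaviour described above; not Spring Security source.
public class PathFirewallSketch {

    // Remove the ";..." part of every segment, e.g. "/admin;x=1/users" -> "/admin/users".
    static String stripPathParameters(String path) {
        StringBuilder out = new StringBuilder(path.length());
        boolean skipping = false;
        for (char c : path.toCharArray()) {
            if (c == '/') {
                skipping = false;       // a new segment begins
            } else if (c == ';') {
                skipping = true;        // drop the rest of this segment
            }
            if (!skipping) {
                out.append(c);
            }
        }
        return out.toString();
    }

    // A path is un-normalized if any segment is "." or "..".
    static boolean isNormalized(String path) {
        for (String segment : path.split("/", -1)) {
            if (segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        return true;
    }

    // Returns the path used for request matching, or throws to reject the request.
    // Choice made in this sketch: the check runs on the stripped path.
    static String firewall(String decodedPath) {
        String stripped = stripPathParameters(decodedPath);
        if (!isNormalized(stripped)) {
            throw new IllegalArgumentException("Un-normalized path rejected: " + decodedPath);
        }
        return stripped;
    }

    public static void main(String[] args) {
        // Constructed sample paths.
        String[] samples = {"/app/admin;jsessionid=abc/users", "/app/public/../admin", "/app/a;b/c;d=1"};
        for (String p : samples) {
            try {
                System.out.println(p + " -> " + firewall(p));
            } catch (IllegalArgumentException e) {
                System.out.println(p + " -> rejected");
            }
        }
    }
}
```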
Method Summary
- FirewalledRequest getFirewalledRequest(javax.servlet.http.HttpServletRequest request)
  Provides the request object which will be passed through the filter chain.
- javax.servlet.http.HttpServletResponse getFirewalledResponse(javax.servlet.http.HttpServletResponse response)
  Provides the response which will be passed through the filter chain.
Methods inherited from class java.lang.Object
- clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
DefaultHttpFirewall
public DefaultHttpFirewall()
getFirewalledRequest
public FirewalledRequest getFirewalledRequest(javax.servlet.http.HttpServletRequest request)
throws RequestRejectedException
- Description copied from interface: HttpFirewall
- Provides the request object which will be passed through the filter chain.
- Specified by: getFirewalledRequest in interface HttpFirewall
- Throws: RequestRejectedException - if the request should be rejected immediately
getFirewalledResponse
public javax.servlet.http.HttpServletResponse getFirewalledResponse(javax.servlet.http.HttpServletResponse response)
- Description copied from interface: HttpFirewall
- Provides the response which will be passed through the filter chain.
- Specified by: getFirewalledResponse in interface HttpFirewall
- Parameters: response - the original response
- Returns: either the original response or a replacement/wrapper.