public class DefaultHttpFirewall extends Object implements HttpFirewall
servletPath and pathInfo, which do not contain path parameters (as defined in RFC 2396). Different servlet containers interpret the servlet spec differently as to how path parameters are treated and it is possible they might be added in order to bypass particular security constraints. When using this implementation, they will be removed for all requests as the request passes through the security filter chain. Note that this means that any segments in the decoded path which contain a semi-colon will have the part following the semi-colon removed for request matching. Your application should not contain any valid paths which contain semi-colons.
If any un-normalized paths are found (containing directory-traversal character sequences), the request will be rejected immediately. Most containers normalize the paths before performing the servlet-mapping, but again this is not guaranteed by the servlet spec.
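The two behaviours described above, modelled in plain Java as an added example (not Spring Security's own code): path parameters are stripped per segment, and a path containing a "." or ".." segment is rejected. The class and method names, the constructed sample paths, and the strip-then-check order are assumptions of this sketch.

```java
// Added illustration, not Spring Security's source; all names here are hypothetical.
public class PathFirewallSketch {
    // In every segment, drop everything from ';' up to the next '/'.
    static String stripPathParameters(String path) {
        StringBuilder out = new StringBuilder(path.length());
        boolean inParameter = false;
        for (char c : path.toCharArray()) {
            if (c == '/') {
                inParameter = false;   // next segment starts
            } else if (c == ';') {
                inParameter = true;    // skip the rest of this segment
            }
            if (!inParameter) {
                out.append(c);
            }
        }
        return out.toString();
    }

    // Normalized means no segment is exactly "." or "..".
    static boolean isNormalized(String path) {
        for (String segment : path.split("/", -1)) {
            if (segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        return true;
    }

    // Strip first, then check (assumption of this sketch), so "..;x=1" is still seen as "..".
    static String firewall(String decodedPath) {
        String stripped = stripPathParameters(decodedPath);
        if (!isNormalized(stripped)) {
            throw new IllegalArgumentException("rejected, un-normalized: " + decodedPath);
        }
        return stripped;
    }

    public static void main(String[] args) {
        String[] constructedSamples = {"/admin;x=1/users", "/app/users;jsessionid=ABC", "/public/../admin", "/public/..;x=1/admin"};
        for (String p : constructedSamples) {
            try {
                System.out.println(p + " -> " + firewall(p));
            } catch (IllegalArgumentException e) {
                System.out.println(p + " -> " + e.getMessage());
            }
        }
    }
}
```

Because the matched path differs from the raw one whenever a semi-colon is present, access rules and handlers should both be written against the stripped form.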
Constructor and Description |
---|
DefaultHttpFirewall() |
Modifier and Type | Method and Description |
---|---|
FirewalledRequest | getFirewalledRequest(javax.servlet.http.HttpServletRequest request) Provides the request object which will be passed through the filter chain. |
javax.servlet.http.HttpServletResponse | getFirewalledResponse(javax.servlet.http.HttpServletResponse response) Provides the response which will be passed through the filter chain. |
public FirewalledRequest getFirewalledRequest(javax.servlet.http.HttpServletRequest request) throws RequestRejectedException
Specified by: getFirewalledRequest in interface HttpFirewall
Throws: RequestRejectedException - if the request should be rejected immediately

public javax.servlet.http.HttpServletResponse getFirewalledResponse(javax.servlet.http.HttpServletResponse response)
Specified by: getFirewalledResponse in interface HttpFirewall
Parameters: response - the original response