public class DefaultHttpFirewall extends Object implements HttpFirewall
User's should consider using StrictHttpFirewall
because rather than trying to
sanitize a malicious URL it rejects the malicious URL providing better security
guarantees.
Default implementation which wraps requests in order to provide consistent
values of the servletPath
and pathInfo
, which do not contain
path parameters (as defined in
RFC 2396). Different
servlet containers interpret the servlet spec differently as to how path
parameters are treated and it is possible they might be added in order to
bypass particular security constraints. When using this implementation, they
will be removed for all requests as the request passes through the security
filter chain. Note that this means that any segments in the decoded path
which contain a semi-colon, will have the part following the semi-colon
removed for request matching. Your application should not contain any valid
paths which contain semi-colons.
If any un-normalized paths are found (containing directory-traversal character sequences), the request will be rejected immediately. Most containers normalize the paths before performing the servlet-mapping, but again this is not guaranteed by the servlet spec.
StrictHttpFirewall
Constructor and Description |
---|
DefaultHttpFirewall() |
Modifier and Type | Method and Description |
---|---|
FirewalledRequest |
getFirewalledRequest(javax.servlet.http.HttpServletRequest request)
Provides the request object which will be passed through the filter chain.
|
javax.servlet.http.HttpServletResponse |
getFirewalledResponse(javax.servlet.http.HttpServletResponse response)
Provides the response which will be passed through the filter chain.
|
void |
setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash)
Sets if the application should allow a URL encoded slash character.
|
public FirewalledRequest getFirewalledRequest(javax.servlet.http.HttpServletRequest request) throws RequestRejectedException
HttpFirewall
getFirewalledRequest
in interface HttpFirewall
RequestRejectedException
- if the request should be rejected immediatelypublic javax.servlet.http.HttpServletResponse getFirewalledResponse(javax.servlet.http.HttpServletResponse response)
HttpFirewall
getFirewalledResponse
in interface HttpFirewall
response
- the original responsepublic void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash)
Sets if the application should allow a URL encoded slash character.
If true (default is false), a URL encoded slash will be allowed in the URL. Allowing encoded slashes can cause security vulnerabilities in some situations depending on how the container constructs the HttpServletRequest.
allowUrlEncodedSlash
- the new value (default false)