public class StrictHttpFirewall extends java.lang.Object implements HttpFirewall
 A strict implementation of HttpFirewall that rejects any suspicious requests
 with a RequestRejectedException.
 
The following rules are applied to the firewall:
setAllowedHttpMethods(Collection)
 DefaultHttpFirewall instead. Please keep in mind that normalizing the
 request is fragile and why requests are rejected rather than normalized.
 setAllowSemicolon(boolean)
 setAllowUrlEncodedSlash(boolean)
 setAllowBackSlash(boolean)
 setAllowUrlEncodedPercent(boolean)
 setAllowedHostnames(Predicate)
 DefaultHttpFirewall| Constructor and Description | 
|---|
| StrictHttpFirewall() | 
| Modifier and Type | Method and Description | 
|---|---|
| java.util.Set<java.lang.String> | getDecodedUrlBlacklist()Provides the existing decoded url blacklist which can add/remove entries from | 
| java.util.Set<java.lang.String> | getEncodedUrlBlacklist()Provides the existing encoded url blacklist which can add/remove entries from | 
| FirewalledRequest | getFirewalledRequest(javax.servlet.http.HttpServletRequest request)Provides the request object which will be passed through the filter chain. | 
| javax.servlet.http.HttpServletResponse | getFirewalledResponse(javax.servlet.http.HttpServletResponse response)Provides the response which will be passed through the filter chain. | 
| void | setAllowBackSlash(boolean allowBackSlash)
 Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in
 the path or not. | 
| void | setAllowedHostnames(java.util.function.Predicate<java.lang.String> allowedHostnames)
 Determines which hostnames should be allowed. | 
| void | setAllowedHttpMethods(java.util.Collection<java.lang.String> allowedHttpMethods)
 Determines which HTTP methods should be allowed. | 
| void | setAllowSemicolon(boolean allowSemicolon)
 Determines if semicolon is allowed in the URL (i.e. | 
| void | setAllowUrlEncodedDoubleSlash(boolean allowUrlEncodedDoubleSlash)
 Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or
 not. | 
| void | setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent)
 Determines if a percent "%" that is URL encoded "%25" should be allowed in the path
 or not. | 
| void | setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod)
 Determines if a period "." that is URL encoded "%2E" should be allowed in the path
 or not. | 
| void | setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash)
 Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path
 or not. | 
| void | setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod)Sets if any HTTP method is allowed. | 
public void setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod)
unsafeAllowAnyHttpMethod - if true, disables HTTP method validation, else resets back to the defaults. Default is false.setAllowedHttpMethods(Collection)public void setAllowedHttpMethods(java.util.Collection<java.lang.String> allowedHttpMethods)
Determines which HTTP methods should be allowed. The default is to allow "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", and "PUT".
allowedHttpMethods - the case-sensitive collection of HTTP methods that are allowed.setUnsafeAllowAnyHttpMethod(boolean)public void setAllowSemicolon(boolean allowSemicolon)
Determines if semicolon is allowed in the URL (i.e. matrix variables). The default is to disable this behavior because it is a common way of attempting to perform Reflected File Download Attacks. It is also the source of many exploits which bypass URL based security.
For example, the following CVEs are a subset of the issues related to ambiguities in the Servlet Specification on how to treat semicolons that led to CVEs:
If you are wanting to allow semicolons, please reconsider as it is a very common source of security bypasses. A few common reasons users want semicolons and alternatives are listed below:
allowSemicolon - should semicolons be allowed in the URL. Default is falsepublic void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash)
Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path or not. The default is to not allow this behavior because it is a common way to bypass URL based security.
 For example, due to ambiguities in the servlet specification, the value is not
 parsed consistently which results in different values in HttpServletRequest
 path related values which allow bypassing certain security constraints.
 
allowUrlEncodedSlash - should a slash "/" that is URL encoded "%2F" be allowed
 in the path or not. Default is false.public void setAllowUrlEncodedDoubleSlash(boolean allowUrlEncodedDoubleSlash)
Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not. The default is to not allow.
allowUrlEncodedDoubleSlash - should a slash "//" that is URL encoded "%2F%2F" be allowed
        in the path or not. Default is false.public void setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod)
Determines if a period "." that is URL encoded "%2E" should be allowed in the path or not. The default is to not allow this behavior because it is a frequent source of security exploits.
 For example, due to ambiguities in the servlet specification a URL encoded period
 might lead to bypassing security constraints through a directory traversal attack.
 This is because the path is not parsed consistently which results  in different
 values in HttpServletRequest path related values which allow bypassing
 certain security constraints.
 
allowUrlEncodedPeriod - should a period "." that is URL encoded "%2E" be
 allowed in the path or not. Default is false.public void setAllowBackSlash(boolean allowBackSlash)
Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
 For example, due to ambiguities in the servlet specification a URL encoded period
 might lead to bypassing security constraints through a directory traversal attack.
 This is because the path is not parsed consistently which results  in different
 values in HttpServletRequest path related values which allow bypassing
 certain security constraints.
 
allowBackSlash - a backslash "\" or a URL encoded backslash "%5C" be allowed
 in the path or not. Default is falsepublic void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent)
Determines if a percent "%" that is URL encoded "%25" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
For example, this can lead to exploits that involve double URL encoding that lead to bypassing security constraints.
allowUrlEncodedPercent - if a percent "%" that is URL encoded "%25" should be
 allowed in the path or not. Default is falsepublic void setAllowedHostnames(java.util.function.Predicate<java.lang.String> allowedHostnames)
Determines which hostnames should be allowed. The default is to allow any hostname.
allowedHostnames - the predicate for testing hostnamespublic FirewalledRequest getFirewalledRequest(javax.servlet.http.HttpServletRequest request) throws RequestRejectedException
HttpFirewallgetFirewalledRequest in interface HttpFirewallRequestRejectedException - if the request should be rejected immediatelypublic javax.servlet.http.HttpServletResponse getFirewalledResponse(javax.servlet.http.HttpServletResponse response)
HttpFirewallgetFirewalledResponse in interface HttpFirewallresponse - the original responsepublic java.util.Set<java.lang.String> getEncodedUrlBlacklist()
public java.util.Set<java.lang.String> getDecodedUrlBlacklist()