StrictHttpFirewall (spring-security-docs-manual 5.5.0-M2 API)

java.lang.Object
- org.springframework.security.web.firewall.StrictHttpFirewall

All Implemented Interfaces:

HttpFirewall
```
public class StrictHttpFirewall
extends java.lang.Object
implements HttpFirewall
```
A strict implementation of HttpFirewall that rejects any suspicious requests with a RequestRejectedException.

The following rules are applied to the firewall:
- Rejects HTTP methods that are not allowed. This specified to block HTTP Verb tampering and XST attacks. See setAllowedHttpMethods(Collection)
- Rejects URLs that are not normalized to avoid bypassing security constraints. There is no way to disable this as it is considered extremely risky to disable this constraint. A few options to allow this behavior is to normalize the request prior to the firewall or using DefaultHttpFirewall instead. Please keep in mind that normalizing the request is fragile and why requests are rejected rather than normalized.
- Rejects URLs that contain characters that are not printable ASCII characters. There is no way to disable this as it is considered extremely risky to disable this constraint.
- Rejects URLs that contain semicolons. See setAllowSemicolon(boolean)
- Rejects URLs that contain a URL encoded slash. See setAllowUrlEncodedSlash(boolean)
- Rejects URLs that contain a backslash. See setAllowBackSlash(boolean)
- Rejects URLs that contain a null character. See setAllowNull(boolean)
- Rejects URLs that contain a URL encoded percent. See setAllowUrlEncodedPercent(boolean)
- Rejects hosts that are not allowed. See setAllowedHostnames(Predicate)
- Reject headers names that are not allowed. See setAllowedHeaderNames(Predicate)
- Reject headers values that are not allowed. See setAllowedHeaderValues(Predicate)
- Reject parameter names that are not allowed. See setAllowedParameterNames(Predicate)
- Reject parameter values that are not allowed. See setAllowedParameterValues(Predicate)
Since:

4.2.4

See Also:

DefaultHttpFirewall

Constructor Summary

Constructors
Constructor and Description

StrictHttpFirewall()

Constructors
Constructor and Description
`StrictHttpFirewall()`

Method Summary

All Methods Instance Methods Concrete Methods Deprecated Methods
Modifier and Type	Method and Description
`java.util.Set<java.lang.String>`	`getDecodedUrlBlacklist()` Provides the existing decoded url blocklist which can add/remove entries from
`java.util.Set<java.lang.String>`	`getDecodedUrlBlocklist()` Provides the existing decoded url blocklist which can add/remove entries from
`java.util.Set<java.lang.String>`	`getEncodedUrlBlacklist()` Deprecated. Use `getEncodedUrlBlocklist()` instead
`java.util.Set<java.lang.String>`	`getEncodedUrlBlocklist()` Provides the existing encoded url blocklist which can add/remove entries from
`FirewalledRequest`	`getFirewalledRequest(javax.servlet.http.HttpServletRequest request)` Provides the request object which will be passed through the filter chain.
`javax.servlet.http.HttpServletResponse`	`getFirewalledResponse(javax.servlet.http.HttpServletResponse response)` Provides the response which will be passed through the filter chain.
`void`	`setAllowBackSlash(boolean allowBackSlash)` Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not.
`void`	`setAllowedHeaderNames(java.util.function.Predicate<java.lang.String> allowedHeaderNames)` Determines which header names should be allowed.
`void`	`setAllowedHeaderValues(java.util.function.Predicate<java.lang.String> allowedHeaderValues)` Determines which header values should be allowed.
`void`	`setAllowedHostnames(java.util.function.Predicate<java.lang.String> allowedHostnames)` Determines which hostnames should be allowed.
`void`	`setAllowedHttpMethods(java.util.Collection<java.lang.String> allowedHttpMethods)` Determines which HTTP methods should be allowed.
`void`	`setAllowedParameterNames(java.util.function.Predicate<java.lang.String> allowedParameterNames)` Determines which parameter names should be allowed.
`void`	`setAllowedParameterValues(java.util.function.Predicate<java.lang.String> allowedParameterValues)` Determines which parameter values should be allowed.
`void`	`setAllowNull(boolean allowNull)` Determines if a null "\0" or a URL encoded nul "%00" should be allowed in the path or not.
`void`	`setAllowSemicolon(boolean allowSemicolon)` Determines if semicolon is allowed in the URL (i.e.
`void`	`setAllowUrlEncodedDoubleSlash(boolean allowUrlEncodedDoubleSlash)` Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not.
`void`	`setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent)` Determines if a percent "%" that is URL encoded "%25" should be allowed in the path or not.
`void`	`setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod)` Determines if a period "." that is URL encoded "%2E" should be allowed in the path or not.
`void`	`setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash)` Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path or not.
`void`	`setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod)` Sets if any HTTP method is allowed.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - StrictHttpFirewall
```
public StrictHttpFirewall()
```
- Method Detail
  - setUnsafeAllowAnyHttpMethod
```
public void setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod)
```
    Sets if any HTTP method is allowed. If this set to true, then no validation on the HTTP method will be performed. This can open the application up to HTTP Verb tampering and XST attacks
    
    Parameters:
    
    unsafeAllowAnyHttpMethod - if true, disables HTTP method validation, else resets back to the defaults. Default is false.
    
    Since:
    
    5.1
    
    See Also:
    
    setAllowedHttpMethods(Collection)
  - setAllowedHttpMethods
```
public void setAllowedHttpMethods(java.util.Collection<java.lang.String> allowedHttpMethods)
```
    Determines which HTTP methods should be allowed. The default is to allow "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", and "PUT".
    
    Parameters:
    
    allowedHttpMethods - the case-sensitive collection of HTTP methods that are allowed.
    
    Since:
    
    5.1
    
    See Also:
    
    setUnsafeAllowAnyHttpMethod(boolean)
  - setAllowSemicolon
```
public void setAllowSemicolon(boolean allowSemicolon)
```
    Determines if semicolon is allowed in the URL (i.e. matrix variables). The default is to disable this behavior because it is a common way of attempting to perform Reflected File Download Attacks. It is also the source of many exploits which bypass URL based security.
    
    For example, the following CVEs are a subset of the issues related to ambiguities in the Servlet Specification on how to treat semicolons that led to CVEs:
    If you are wanting to allow semicolons, please reconsider as it is a very common source of security bypasses. A few common reasons users want semicolons and alternatives are listed below:
    - Including the JSESSIONID in the path - You should not include session id (or any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
    - Matrix Variables - Users wanting to leverage Matrix Variables should consider using HTTP parameters instead.
    Parameters:
    
    allowSemicolon - should semicolons be allowed in the URL. Default is false
  - setAllowUrlEncodedSlash
```
public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash)
```
    Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path or not. The default is to not allow this behavior because it is a common way to bypass URL based security.
    
    For example, due to ambiguities in the servlet specification, the value is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.
    
    Parameters:
    
    allowUrlEncodedSlash - should a slash "/" that is URL encoded "%2F" be allowed in the path or not. Default is false.
  - setAllowUrlEncodedDoubleSlash
```
public void setAllowUrlEncodedDoubleSlash(boolean allowUrlEncodedDoubleSlash)
```
    Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not. The default is to not allow.
    
    Parameters:
    
    allowUrlEncodedDoubleSlash - should a slash "//" that is URL encoded "%2F%2F" be allowed in the path or not. Default is false.
  - setAllowUrlEncodedPeriod
```
public void setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod)
```
    Determines if a period "." that is URL encoded "%2E" should be allowed in the path or not. The default is to not allow this behavior because it is a frequent source of security exploits.
    
    For example, due to ambiguities in the servlet specification a URL encoded period might lead to bypassing security constraints through a directory traversal attack. This is because the path is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.
    
    Parameters:
    
    allowUrlEncodedPeriod - should a period "." that is URL encoded "%2E" be allowed in the path or not. Default is false.
  - setAllowBackSlash
```
public void setAllowBackSlash(boolean allowBackSlash)
```
    Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
    
    For example, due to ambiguities in the servlet specification a URL encoded period might lead to bypassing security constraints through a directory traversal attack. This is because the path is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.
    
    Parameters:
    
    allowBackSlash - a backslash "\" or a URL encoded backslash "%5C" be allowed in the path or not. Default is false
  - setAllowNull
```
public void setAllowNull(boolean allowNull)
```
    Determines if a null "\0" or a URL encoded nul "%00" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
    
    Parameters:
    
    allowNull - a null "\0" or a URL encoded null "%00" be allowed in the path or not. Default is false
    
    Since:
    
    5.4
  - setAllowUrlEncodedPercent
```
public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent)
```
    Determines if a percent "%" that is URL encoded "%25" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
    
    For example, this can lead to exploits that involve double URL encoding that lead to bypassing security constraints.
    
    Parameters:
    
    allowUrlEncodedPercent - if a percent "%" that is URL encoded "%25" should be allowed in the path or not. Default is false
  - setAllowedHeaderNames
```
public void setAllowedHeaderNames(java.util.function.Predicate<java.lang.String> allowedHeaderNames)
```
    Determines which header names should be allowed. The default is to reject header names that contain ISO control characters and characters that are not defined.
    
    Parameters:
    
    allowedHeaderNames - the predicate for testing header names
    
    Since:
    
    5.4
    
    See Also:
    
    Character.isISOControl(int), Character.isDefined(int)
  - setAllowedHeaderValues
```
public void setAllowedHeaderValues(java.util.function.Predicate<java.lang.String> allowedHeaderValues)
```
    Determines which header values should be allowed. The default is to reject header values that contain ISO control characters and characters that are not defined.
    
    Parameters:
    
    allowedHeaderValues - the predicate for testing hostnames
    
    Since:
    
    5.4
    
    See Also:
    
    Character.isISOControl(int), Character.isDefined(int)
  - setAllowedParameterNames
```
public void setAllowedParameterNames(java.util.function.Predicate<java.lang.String> allowedParameterNames)
```
    Determines which parameter names should be allowed. The default is to reject header names that contain ISO control characters and characters that are not defined.
    
    Parameters:
    
    allowedParameterNames - the predicate for testing parameter names
    
    Since:
    
    5.4
    
    See Also:
    
    Character.isISOControl(int), Character.isDefined(int)
  - setAllowedParameterValues
```
public void setAllowedParameterValues(java.util.function.Predicate<java.lang.String> allowedParameterValues)
```
    Determines which parameter values should be allowed. The default is to allow any parameter value.
    
    Parameters:
    
    allowedParameterValues - the predicate for testing parameter values
    
    Since:
    
    5.4
  - setAllowedHostnames
```
public void setAllowedHostnames(java.util.function.Predicate<java.lang.String> allowedHostnames)
```
    Determines which hostnames should be allowed. The default is to allow any hostname.
    
    Parameters:
    
    allowedHostnames - the predicate for testing hostnames
    
    Since:
    
    5.2
  - getFirewalledRequest
```
public FirewalledRequest getFirewalledRequest(javax.servlet.http.HttpServletRequest request)
                                       throws RequestRejectedException
```
    Description copied from interface: HttpFirewall
    
    Provides the request object which will be passed through the filter chain.
    
    Specified by:
    
    getFirewalledRequest in interface HttpFirewall
    
    Throws:
    
    RequestRejectedException - if the request should be rejected immediately
  - getFirewalledResponse
```
public javax.servlet.http.HttpServletResponse getFirewalledResponse(javax.servlet.http.HttpServletResponse response)
```
    Description copied from interface: HttpFirewall
    
    Provides the response which will be passed through the filter chain.
    
    Specified by:
    
    getFirewalledResponse in interface HttpFirewall
    
    Parameters:
    
    response - the original response
    
    Returns:
    
    either the original response or a replacement/wrapper.
  - getEncodedUrlBlocklist
```
public java.util.Set<java.lang.String> getEncodedUrlBlocklist()
```
    Provides the existing encoded url blocklist which can add/remove entries from
    
    Returns:
    
    the existing encoded url blocklist, never null
  - getDecodedUrlBlocklist
```
public java.util.Set<java.lang.String> getDecodedUrlBlocklist()
```
    Provides the existing decoded url blocklist which can add/remove entries from
    
    Returns:
    
    the existing decoded url blocklist, never null
  - getEncodedUrlBlacklist
```
@Deprecated
public java.util.Set<java.lang.String> getEncodedUrlBlacklist()
```
    Deprecated. Use getEncodedUrlBlocklist() instead
    
    Provides the existing encoded url blocklist which can add/remove entries from
    
    Returns:
    
    the existing encoded url blocklist, never null
  - getDecodedUrlBlacklist
```
public java.util.Set<java.lang.String> getDecodedUrlBlacklist()
```
    Provides the existing decoded url blocklist which can add/remove entries from
    
    Returns:
    
    the existing decoded url blocklist, never null

Class StrictHttpFirewall

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Detail

StrictHttpFirewall

Method Detail

setUnsafeAllowAnyHttpMethod

setAllowedHttpMethods

setAllowSemicolon

setAllowUrlEncodedSlash

setAllowUrlEncodedDoubleSlash

setAllowUrlEncodedPeriod

setAllowBackSlash

setAllowNull

setAllowUrlEncodedPercent

setAllowedHeaderNames

setAllowedHeaderValues

setAllowedParameterNames

setAllowedParameterValues

setAllowedHostnames

getFirewalledRequest

getFirewalledResponse

getEncodedUrlBlocklist

getDecodedUrlBlocklist

getEncodedUrlBlacklist

getDecodedUrlBlacklist