Package org.springframework.security.web.firewall

Class StrictHttpFirewall

    • Method Summary

      All Methods Instance Methods Concrete Methods Deprecated Methods 
      Modifier and Type Method Description
      java.util.Set<java.lang.String> getDecodedUrlBlacklist()
      Provides the existing decoded url blocklist which can add/remove entries from
      java.util.Set<java.lang.String> getDecodedUrlBlocklist()
      Provides the existing decoded url blocklist which can add/remove entries from
      java.util.Set<java.lang.String> getEncodedUrlBlacklist()
      Deprecated.
      Use getEncodedUrlBlocklist() instead
      java.util.Set<java.lang.String> getEncodedUrlBlocklist()
      Provides the existing encoded url blocklist which can add/remove entries from
      FirewalledRequest getFirewalledRequest​(javax.servlet.http.HttpServletRequest request)
      Provides the request object which will be passed through the filter chain.
      javax.servlet.http.HttpServletResponse getFirewalledResponse​(javax.servlet.http.HttpServletResponse response)
      Provides the response which will be passed through the filter chain.
      void setAllowBackSlash​(boolean allowBackSlash)
      Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not.
      void setAllowedHeaderNames​(java.util.function.Predicate<java.lang.String> allowedHeaderNames)
      Determines which header names should be allowed.
      void setAllowedHeaderValues​(java.util.function.Predicate<java.lang.String> allowedHeaderValues)
      Determines which header values should be allowed.
      void setAllowedHostnames​(java.util.function.Predicate<java.lang.String> allowedHostnames)
      Determines which hostnames should be allowed.
      void setAllowedHttpMethods​(java.util.Collection<java.lang.String> allowedHttpMethods)
      Determines which HTTP methods should be allowed.
      void setAllowedParameterNames​(java.util.function.Predicate<java.lang.String> allowedParameterNames)
      Determines which parameter names should be allowed.
      void setAllowedParameterValues​(java.util.function.Predicate<java.lang.String> allowedParameterValues)
      Determines which parameter values should be allowed.
      void setAllowNull​(boolean allowNull)
      Determines if a null "\0" or a URL encoded nul "%00" should be allowed in the path or not.
      void setAllowSemicolon​(boolean allowSemicolon)
      Determines if semicolon is allowed in the URL (i.e.
      void setAllowUrlEncodedCarriageReturn​(boolean allowUrlEncodedCarriageReturn)
      Determines if a URL encoded Carriage Return is allowed in the path or not.
      void setAllowUrlEncodedDoubleSlash​(boolean allowUrlEncodedDoubleSlash)
      Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not.
      void setAllowUrlEncodedLineFeed​(boolean allowUrlEncodedLineFeed)
      Determines if a URL encoded Line Feed is allowed in the path or not.
      void setAllowUrlEncodedLineSeparator​(boolean allowUrlEncodedLineSeparator)
      Determines if a URL encoded line separator is allowed in the path or not.
      void setAllowUrlEncodedParagraphSeparator​(boolean allowUrlEncodedParagraphSeparator)
      Determines if a URL encoded paragraph separator is allowed in the path or not.
      void setAllowUrlEncodedPercent​(boolean allowUrlEncodedPercent)
      Determines if a percent "%" that is URL encoded "%25" should be allowed in the path or not.
      void setAllowUrlEncodedPeriod​(boolean allowUrlEncodedPeriod)
      Determines if a period "." that is URL encoded "%2E" should be allowed in the path or not.
      void setAllowUrlEncodedSlash​(boolean allowUrlEncodedSlash)
      Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path or not.
      void setUnsafeAllowAnyHttpMethod​(boolean unsafeAllowAnyHttpMethod)
      Sets if any HTTP method is allowed.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • StrictHttpFirewall

        public StrictHttpFirewall()

    • Method Detail

      • setUnsafeAllowAnyHttpMethod

        public void setUnsafeAllowAnyHttpMethod​(boolean unsafeAllowAnyHttpMethod)
        Sets if any HTTP method is allowed. If this set to true, then no validation on the HTTP method will be performed. This can open the application up to HTTP Verb tampering and XST attacks
        Parameters:
        unsafeAllowAnyHttpMethod - if true, disables HTTP method validation, else resets back to the defaults. Default is false.
        Since:
        5.1
        See Also:
        setAllowedHttpMethods(Collection)

      • setAllowedHttpMethods

        public void setAllowedHttpMethods​(java.util.Collection<java.lang.String> allowedHttpMethods)

        Determines which HTTP methods should be allowed. The default is to allow "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", and "PUT".

        Parameters:
        allowedHttpMethods - the case-sensitive collection of HTTP methods that are allowed.
        Since:
        5.1
        See Also:
        setUnsafeAllowAnyHttpMethod(boolean)

      • setAllowSemicolon

        public void setAllowSemicolon​(boolean allowSemicolon)

        Determines if semicolon is allowed in the URL (i.e. matrix variables). The default is to disable this behavior because it is a common way of attempting to perform Reflected File Download Attacks. It is also the source of many exploits which bypass URL based security.

        For example, the following CVEs are a subset of the issues related to ambiguities in the Servlet Specification on how to treat semicolons that led to CVEs:

        If you are wanting to allow semicolons, please reconsider as it is a very common source of security bypasses. A few common reasons users want semicolons and alternatives are listed below:

        • Including the JSESSIONID in the path - You should not include session id (or any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
        • Matrix Variables - Users wanting to leverage Matrix Variables should consider using HTTP parameters instead.
        Parameters:
        allowSemicolon - should semicolons be allowed in the URL. Default is false

      • setAllowUrlEncodedSlash

        public void setAllowUrlEncodedSlash​(boolean allowUrlEncodedSlash)

        Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path or not. The default is to not allow this behavior because it is a common way to bypass URL based security.

        For example, due to ambiguities in the servlet specification, the value is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.

        Parameters:
        allowUrlEncodedSlash - should a slash "/" that is URL encoded "%2F" be allowed in the path or not. Default is false.

      • setAllowUrlEncodedDoubleSlash

        public void setAllowUrlEncodedDoubleSlash​(boolean allowUrlEncodedDoubleSlash)

        Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not. The default is to not allow.

        Parameters:
        allowUrlEncodedDoubleSlash - should a slash "//" that is URL encoded "%2F%2F" be allowed in the path or not. Default is false.

      • setAllowUrlEncodedPeriod

        public void setAllowUrlEncodedPeriod​(boolean allowUrlEncodedPeriod)

        Determines if a period "." that is URL encoded "%2E" should be allowed in the path or not. The default is to not allow this behavior because it is a frequent source of security exploits.

        For example, due to ambiguities in the servlet specification a URL encoded period might lead to bypassing security constraints through a directory traversal attack. This is because the path is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.

        Parameters:
        allowUrlEncodedPeriod - should a period "." that is URL encoded "%2E" be allowed in the path or not. Default is false.

      • setAllowBackSlash

        public void setAllowBackSlash​(boolean allowBackSlash)

        Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.

        For example, due to ambiguities in the servlet specification a URL encoded period might lead to bypassing security constraints through a directory traversal attack. This is because the path is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.

        Parameters:
        allowBackSlash - a backslash "\" or a URL encoded backslash "%5C" be allowed in the path or not. Default is false

      • setAllowNull

        public void setAllowNull​(boolean allowNull)

        Determines if a null "\0" or a URL encoded nul "%00" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.

        Parameters:
        allowNull - a null "\0" or a URL encoded null "%00" be allowed in the path or not. Default is false
        Since:
        5.4

      • setAllowUrlEncodedPercent

        public void setAllowUrlEncodedPercent​(boolean allowUrlEncodedPercent)

        Determines if a percent "%" that is URL encoded "%25" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.

        For example, this can lead to exploits that involve double URL encoding that lead to bypassing security constraints.

        Parameters:
        allowUrlEncodedPercent - if a percent "%" that is URL encoded "%25" should be allowed in the path or not. Default is false

      • setAllowUrlEncodedCarriageReturn

        public void setAllowUrlEncodedCarriageReturn​(boolean allowUrlEncodedCarriageReturn)
        Determines if a URL encoded Carriage Return is allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
        Parameters:
        allowUrlEncodedCarriageReturn - if URL encoded Carriage Return is allowed in the URL or not. Default is false.

      • setAllowUrlEncodedLineFeed

        public void setAllowUrlEncodedLineFeed​(boolean allowUrlEncodedLineFeed)
        Determines if a URL encoded Line Feed is allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
        Parameters:
        allowUrlEncodedLineFeed - if URL encoded Line Feed is allowed in the URL or not. Default is false.

      • setAllowUrlEncodedParagraphSeparator

        public void setAllowUrlEncodedParagraphSeparator​(boolean allowUrlEncodedParagraphSeparator)
        Determines if a URL encoded paragraph separator is allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
        Parameters:
        allowUrlEncodedParagraphSeparator - if URL encoded paragraph separator is allowed in the URL or not. Default is false.

      • setAllowUrlEncodedLineSeparator

        public void setAllowUrlEncodedLineSeparator​(boolean allowUrlEncodedLineSeparator)
        Determines if a URL encoded line separator is allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
        Parameters:
        allowUrlEncodedLineSeparator - if URL encoded line separator is allowed in the URL or not. Default is false.

      • setAllowedHeaderNames

        public void setAllowedHeaderNames​(java.util.function.Predicate<java.lang.String> allowedHeaderNames)

        Determines which header names should be allowed. The default is to reject header names that contain ISO control characters and characters that are not defined.

        Parameters:
        allowedHeaderNames - the predicate for testing header names
        Since:
        5.4
        See Also:
        Character.isISOControl(int), Character.isDefined(int)

      • setAllowedHeaderValues

        public void setAllowedHeaderValues​(java.util.function.Predicate<java.lang.String> allowedHeaderValues)

        Determines which header values should be allowed. The default is to reject header values that contain ISO control characters and characters that are not defined.

        Parameters:
        allowedHeaderValues - the predicate for testing hostnames
        Since:
        5.4
        See Also:
        Character.isISOControl(int), Character.isDefined(int)

      • setAllowedParameterNames

        public void setAllowedParameterNames​(java.util.function.Predicate<java.lang.String> allowedParameterNames)
        Determines which parameter names should be allowed. The default is to reject header names that contain ISO control characters and characters that are not defined.
        Parameters:
        allowedParameterNames - the predicate for testing parameter names
        Since:
        5.4
        See Also:
        Character.isISOControl(int), Character.isDefined(int)

      • setAllowedParameterValues

        public void setAllowedParameterValues​(java.util.function.Predicate<java.lang.String> allowedParameterValues)

        Determines which parameter values should be allowed. The default is to allow any parameter value.

        Parameters:
        allowedParameterValues - the predicate for testing parameter values
        Since:
        5.4

      • setAllowedHostnames

        public void setAllowedHostnames​(java.util.function.Predicate<java.lang.String> allowedHostnames)

        Determines which hostnames should be allowed. The default is to allow any hostname.

        Parameters:
        allowedHostnames - the predicate for testing hostnames
        Since:
        5.2

      • getFirewalledResponse

        public javax.servlet.http.HttpServletResponse getFirewalledResponse​(javax.servlet.http.HttpServletResponse response)
        Description copied from interface: HttpFirewall
        Provides the response which will be passed through the filter chain.
        Specified by:
        getFirewalledResponse in interface HttpFirewall
        Parameters:
        response - the original response
        Returns:
        either the original response or a replacement/wrapper.

      • getEncodedUrlBlocklist

        public java.util.Set<java.lang.String> getEncodedUrlBlocklist()
        Provides the existing encoded url blocklist which can add/remove entries from
        Returns:
        the existing encoded url blocklist, never null

      • getDecodedUrlBlocklist

        public java.util.Set<java.lang.String> getDecodedUrlBlocklist()
        Provides the existing decoded url blocklist which can add/remove entries from
        Returns:
        the existing decoded url blocklist, never null

      • getEncodedUrlBlacklist

        @Deprecated
public java.util.Set<java.lang.String> getEncodedUrlBlacklist()
        Deprecated.
        Use getEncodedUrlBlocklist() instead
        Provides the existing encoded url blocklist which can add/remove entries from
        Returns:
        the existing encoded url blocklist, never null

      • getDecodedUrlBlacklist

        public java.util.Set<java.lang.String> getDecodedUrlBlacklist()
        Provides the existing decoded url blocklist which can add/remove entries from
        Returns:
        the existing decoded url blocklist, never null