Class StrictHttpFirewall

java.lang.Object
org.springframework.security.web.firewall.StrictHttpFirewall
All Implemented Interfaces:
HttpFirewall

public class StrictHttpFirewall extends Object implements HttpFirewall

A strict implementation of HttpFirewall that rejects any suspicious requests with a RequestRejectedException.

The following rules are applied to the firewall:

Since:
4.2.4
See Also:
  • Constructor Details

    • StrictHttpFirewall

      public StrictHttpFirewall()
  • Method Details

    • setUnsafeAllowAnyHttpMethod

      public void setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod)
      Sets if any HTTP method is allowed. If this set to true, then no validation on the HTTP method will be performed. This can open the application up to HTTP Verb tampering and XST attacks
      Parameters:
      unsafeAllowAnyHttpMethod - if true, disables HTTP method validation, else resets back to the defaults. Default is false.
      Since:
      5.1
      See Also:
    • setAllowedHttpMethods

      public void setAllowedHttpMethods(Collection<String> allowedHttpMethods)

      Determines which HTTP methods should be allowed. The default is to allow "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", and "PUT".

      Parameters:
      allowedHttpMethods - the case-sensitive collection of HTTP methods that are allowed.
      Since:
      5.1
      See Also:
    • setAllowSemicolon

      public void setAllowSemicolon(boolean allowSemicolon)

      Determines if semicolon is allowed in the URL (i.e. matrix variables). The default is to disable this behavior because it is a common way of attempting to perform Reflected File Download Attacks. It is also the source of many exploits which bypass URL based security.

      For example, the following CVEs are a subset of the issues related to ambiguities in the Servlet Specification on how to treat semicolons that led to CVEs:

      If you are wanting to allow semicolons, please reconsider as it is a very common source of security bypasses. A few common reasons users want semicolons and alternatives are listed below:

      • Including the JSESSIONID in the path - You should not include session id (or any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
      • Matrix Variables - Users wanting to leverage Matrix Variables should consider using HTTP parameters instead.
      Parameters:
      allowSemicolon - should semicolons be allowed in the URL. Default is false
    • setAllowUrlEncodedSlash

      public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash)

      Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path or not. The default is to not allow this behavior because it is a common way to bypass URL based security.

      For example, due to ambiguities in the servlet specification, the value is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.

      Parameters:
      allowUrlEncodedSlash - should a slash "/" that is URL encoded "%2F" be allowed in the path or not. Default is false.
    • setAllowUrlEncodedDoubleSlash

      public void setAllowUrlEncodedDoubleSlash(boolean allowUrlEncodedDoubleSlash)

      Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not. The default is to not allow.

      Parameters:
      allowUrlEncodedDoubleSlash - should a slash "//" that is URL encoded "%2F%2F" be allowed in the path or not. Default is false.
    • setAllowUrlEncodedPeriod

      public void setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod)

      Determines if a period "." that is URL encoded "%2E" should be allowed in the path or not. The default is to not allow this behavior because it is a frequent source of security exploits.

      For example, due to ambiguities in the servlet specification a URL encoded period might lead to bypassing security constraints through a directory traversal attack. This is because the path is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.

      Parameters:
      allowUrlEncodedPeriod - should a period "." that is URL encoded "%2E" be allowed in the path or not. Default is false.
    • setAllowBackSlash

      public void setAllowBackSlash(boolean allowBackSlash)

      Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.

      For example, due to ambiguities in the servlet specification a URL encoded period might lead to bypassing security constraints through a directory traversal attack. This is because the path is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.

      Parameters:
      allowBackSlash - a backslash "\" or a URL encoded backslash "%5C" be allowed in the path or not. Default is false
    • setAllowNull

      public void setAllowNull(boolean allowNull)

      Determines if a null "\0" or a URL encoded nul "%00" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.

      Parameters:
      allowNull - a null "\0" or a URL encoded null "%00" be allowed in the path or not. Default is false
      Since:
      5.4
    • setAllowUrlEncodedPercent

      public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent)

      Determines if a percent "%" that is URL encoded "%25" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.

      For example, this can lead to exploits that involve double URL encoding that lead to bypassing security constraints.

      Parameters:
      allowUrlEncodedPercent - if a percent "%" that is URL encoded "%25" should be allowed in the path or not. Default is false
    • setAllowUrlEncodedCarriageReturn

      public void setAllowUrlEncodedCarriageReturn(boolean allowUrlEncodedCarriageReturn)
      Determines if a URL encoded Carriage Return is allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
      Parameters:
      allowUrlEncodedCarriageReturn - if URL encoded Carriage Return is allowed in the URL or not. Default is false.
    • setAllowUrlEncodedLineFeed

      public void setAllowUrlEncodedLineFeed(boolean allowUrlEncodedLineFeed)
      Determines if a URL encoded Line Feed is allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
      Parameters:
      allowUrlEncodedLineFeed - if URL encoded Line Feed is allowed in the URL or not. Default is false.
    • setAllowUrlEncodedParagraphSeparator

      public void setAllowUrlEncodedParagraphSeparator(boolean allowUrlEncodedParagraphSeparator)
      Determines if a URL encoded paragraph separator is allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
      Parameters:
      allowUrlEncodedParagraphSeparator - if URL encoded paragraph separator is allowed in the URL or not. Default is false.
    • setAllowUrlEncodedLineSeparator

      public void setAllowUrlEncodedLineSeparator(boolean allowUrlEncodedLineSeparator)
      Determines if a URL encoded line separator is allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
      Parameters:
      allowUrlEncodedLineSeparator - if URL encoded line separator is allowed in the URL or not. Default is false.
    • setAllowedHeaderNames

      public void setAllowedHeaderNames(Predicate<String> allowedHeaderNames)

      Determines which header names should be allowed. The default is to reject header names that contain ISO control characters and characters that are not defined.

      Parameters:
      allowedHeaderNames - the predicate for testing header names
      Since:
      5.4
      See Also:
    • setAllowedHeaderValues

      public void setAllowedHeaderValues(Predicate<String> allowedHeaderValues)

      Determines which header values should be allowed. The default is to reject header values that contain ISO control characters and characters that are not defined.

      Parameters:
      allowedHeaderValues - the predicate for testing hostnames
      Since:
      5.4
      See Also:
    • setAllowedParameterNames

      public void setAllowedParameterNames(Predicate<String> allowedParameterNames)
      Determines which parameter names should be allowed. The default is to reject header names that contain ISO control characters and characters that are not defined.
      Parameters:
      allowedParameterNames - the predicate for testing parameter names
      Since:
      5.4
      See Also:
    • setAllowedParameterValues

      public void setAllowedParameterValues(Predicate<String> allowedParameterValues)

      Determines which parameter values should be allowed. The default is to allow any parameter value.

      Parameters:
      allowedParameterValues - the predicate for testing parameter values
      Since:
      5.4
    • setAllowedHostnames

      public void setAllowedHostnames(Predicate<String> allowedHostnames)

      Determines which hostnames should be allowed. The default is to allow any hostname.

      Parameters:
      allowedHostnames - the predicate for testing hostnames
      Since:
      5.2
    • getFirewalledRequest

      public FirewalledRequest getFirewalledRequest(jakarta.servlet.http.HttpServletRequest request) throws RequestRejectedException
      Description copied from interface: HttpFirewall
      Provides the request object which will be passed through the filter chain.
      Specified by:
      getFirewalledRequest in interface HttpFirewall
      Throws:
      RequestRejectedException - if the request should be rejected immediately
    • getFirewalledResponse

      public jakarta.servlet.http.HttpServletResponse getFirewalledResponse(jakarta.servlet.http.HttpServletResponse response)
      Description copied from interface: HttpFirewall
      Provides the response which will be passed through the filter chain.
      Specified by:
      getFirewalledResponse in interface HttpFirewall
      Parameters:
      response - the original response
      Returns:
      either the original response or a replacement/wrapper.
    • getEncodedUrlBlocklist

      public Set<String> getEncodedUrlBlocklist()
      Provides the existing encoded url blocklist which can add/remove entries from
      Returns:
      the existing encoded url blocklist, never null
    • getDecodedUrlBlocklist

      public Set<String> getDecodedUrlBlocklist()
      Provides the existing decoded url blocklist which can add/remove entries from
      Returns:
      the existing decoded url blocklist, never null
    • getEncodedUrlBlacklist

      @Deprecated public Set<String> getEncodedUrlBlacklist()
      Deprecated.
      Provides the existing encoded url blocklist which can add/remove entries from
      Returns:
      the existing encoded url blocklist, never null
    • getDecodedUrlBlacklist

      public Set<String> getDecodedUrlBlacklist()
      Provides the existing decoded url blocklist which can add/remove entries from
      Returns:
      the existing decoded url blocklist, never null