Package org.springframework.security.web.firewall

Class DefaultHttpFirewall

java.lang.Object

org.springframework.security.web.firewall.DefaultHttpFirewall

All Implemented Interfaces:

HttpFirewall

public class DefaultHttpFirewall
extends Object
implements HttpFirewall

User's should consider using StrictHttpFirewall because rather than trying to sanitize a malicious URL it rejects the malicious URL providing better security guarantees.

Default implementation which wraps requests in order to provide consistent values of the servletPath and pathInfo, which do not contain path parameters (as defined in RFC 2396). Different servlet containers interpret the servlet spec differently as to how path parameters are treated and it is possible they might be added in order to bypass particular security constraints. When using this implementation, they will be removed for all requests as the request passes through the security filter chain. Note that this means that any segments in the decoded path which contain a semi-colon, will have the part following the semi-colon removed for request matching. Your application should not contain any valid paths which contain semi-colons.

If any un-normalized paths are found (containing directory-traversal character sequences), the request will be rejected immediately. Most containers normalize the paths before performing the servlet-mapping, but again this is not guaranteed by the servlet spec.

See Also:

• StrictHttpFirewall

Constructor Summary

Constructors

Constructor	Description
DefaultHttpFirewall()

Method Summary

Modifier and Type	Method	Description
FirewalledRequest	getFirewalledRequest(jakarta.servlet.http.HttpServletRequest request)	Provides the request object which will be passed through the filter chain.
jakarta.servlet.http.HttpServletResponse	getFirewalledResponse(jakarta.servlet.http.HttpServletResponse response)	Provides the response which will be passed through the filter chain.
void	setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash)	Sets if the application should allow a URL encoded slash character.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

DefaultHttpFirewall

public DefaultHttpFirewall()

Method Details

getFirewalledRequest

public FirewalledRequest getFirewalledRequest(jakarta.servlet.http.HttpServletRequest request)
                                       throws RequestRejectedException

Description copied from interface: HttpFirewall

Provides the request object which will be passed through the filter chain.

Specified by:

getFirewalledRequest in interface HttpFirewall

Throws:

RequestRejectedException - if the request should be rejected immediately

getFirewalledResponse

public jakarta.servlet.http.HttpServletResponse getFirewalledResponse(jakarta.servlet.http.HttpServletResponse response)

Description copied from interface: HttpFirewall

Provides the response which will be passed through the filter chain.

Specified by:

getFirewalledResponse in interface HttpFirewall

Parameters:

response - the original response

Returns:

either the original response or a replacement/wrapper.

setAllowUrlEncodedSlash

public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash)

Sets if the application should allow a URL encoded slash character.

If true (default is false), a URL encoded slash will be allowed in the URL. Allowing encoded slashes can cause security vulnerabilities in some situations depending on how the container constructs the HttpServletRequest.

Parameters:

allowUrlEncodedSlash - the new value (default false)