StrictHttpFirewall and Spring MVC @MatrixVariable in Spring Security 4.2

Question

Having upgraded to Spring Security 4.2.4 I discovered that StrictHttpFirewall is now the default. Unfortunately it doesn't play well with Spring MVC @MatrixVariable since ";" is not allowed anymore. How to get around that?

Example:

```java
// Controller method from the question: the ";key=value" part of the path is bound to the matrix map
@GetMapping(path = "/{param}")
public void example(@PathVariable String param,
                    @MatrixVariable Map<String, String> matrix) {
    //...
}
```

It could be called like this:

```java
mockMvc.perform(get("/someparam;key=value"))
```

And the matrix map would be populated. Now Spring Security blocks it:

```
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
    at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:140)
```

I could use a custom HttpFirewall that would allow semicolons. Is there a way to use @MatrixVariable without using forbidden characters?

BTW: the javadoc is incorrect https://docs.spring.io/autorepo/docs/spring-security/4.2.x/apidocs/index.html?org/springframework/security/web/firewall/StrictHttpFirewall.html

because of:

5.0.1

I guess it was backported?

Answer

You can dilute the default Spring Security firewall using your own custom-defined instance of StrictHttpFirewall (at your own risk):

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Bean
public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    // Both setters switch off checks that StrictHttpFirewall enables by default
    firewall.setAllowUrlEncodedSlash(true);
    firewall.setAllowSemicolon(true);
    return firewall;
}
```

And then use this custom firewall bean in WebSecurity (Spring Boot does not need this change):

```java
// Inside your WebSecurityConfigurerAdapter subclass
@Override
public void configure(WebSecurity web) throws Exception {
  super.configure(web);
  // @formatter:off
  web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
...
}
```

That shall work with Spring Security 4.2.4+, but of course that brings some risks!
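The bean in the answer above relaxes two checks (encoded slashes and semicolons) although the matrix-variable case in the question only needs the semicolon one, and it leaves the Spring MVC side untouched: Spring MVC strips ";key=value" from the path before handler mapping unless `UrlPathHelper.removeSemicolonContent` is set to `false`, so the matrix map can stay empty even after the firewall lets the request through. The following is an added example (not code from the question, the answer, or the Spring projects) that narrows the relaxation to `setAllowSemicolon(true)` only and enables matrix variables in MVC. It assumes Spring Security 4.2.4+ on Spring Framework 4.3.x (the `WebMvcConfigurerAdapter` base class; on Spring 5+ implement `WebMvcConfigurer` directly), and the class names, the bean name `semicolonOnlyHttpFirewall` and the `/admin/**` rule are illustrative:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.util.UrlPathHelper;

// Added example: relax only the semicolon check (illustrative class and bean names)
@Configuration
@EnableWebSecurity
public class MatrixVariableSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public HttpFirewall semicolonOnlyHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // Lets "/someparam;key=value" (and its %3B-encoded form) reach the filter chain.
        // Encoded slashes, "%25", backslashes and non-normalized paths are still rejected,
        // unlike the answer's bean, which also turns on setAllowUrlEncodedSlash(true).
        firewall.setAllowSemicolon(true);
        return firewall;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
        web.httpFirewall(semicolonOnlyHttpFirewall());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Illustrative rules. Once semicolons are allowed, a URL such as "/admin;x"
        // reaches these matchers; re-test that your container and these patterns agree
        // on how the ";..." segment is treated before relying on a path-based rule.
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
                .httpBasic();
    }
}

// Added example: without this, Spring MVC removes ";key=value" before mapping the
// request, so @MatrixVariable Map<String, String> matrix stays empty even when the
// firewall accepts the URL. (Spring 5+: implement WebMvcConfigurer instead.)
@Configuration
class MatrixVariableMvcConfig extends WebMvcConfigurerAdapter {

    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        UrlPathHelper urlPathHelper = new UrlPathHelper();
        urlPathHelper.setRemoveSemicolonContent(false);
        configurer.setUrlPathHelper(urlPathHelper);
    }
}
```

With both classes on the classpath the question's `mockMvc.perform(get("/someparam;key=value"))` passes the firewall and populates `matrix` with `key=value`; every other StrictHttpFirewall default is left in place, which keeps the widening of the attack surface to the one character the feature actually needs.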

