问题描述
升级到 spring security 4.2.4 后,我发现 StrictHttpFirewall 现在是默认设置.不幸的是,它不能很好地与 spring MVC @MatrixVariable 一起使用,因为;"不再允许.如何解决这个问题?
Having upgraded to spring security 4.2.4 I discovered that StrictHttpFirewall is now the default.Unfortunately it doesn't play well with spring MVC @MatrixVariable since ";" are not allowed anymore.How to get around that?
示例:
@GetMapping(path = "/{param}")
public void example(@PathVariable String param,
@MatrixVariable Map<String, String> matrix) {
//...
}
可以这样调用:
mockMvc.perform(get("/someparam;key=value"))
矩阵映射将被填充.现在 spring security 阻止了它.
And the matrix map would be populated.Now spring security blocks it.
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:140)
我可以使用允许使用分号的自定义 HttpFirewall.有没有办法在不使用禁止字符的情况下使用@MatrixVariable?
I could use a custom HttpFirewall that would allow semicolons.Is there a way to use @MatrixVariable without using forbidden characters?
顺便说一句:javadoc 不正确 https://docs.spring.io/autorepo/docs/spring-security/4.2.x/apidocs/index.html?org/springframework/security/web/firewall/StrictHttpFirewall.html
BTW: the javadoc is incorrect https://docs.spring.io/autorepo/docs/spring-security/4.2.x/apidocs/index.html?org/springframework/security/web/firewall/StrictHttpFirewall.html
因为:
5.0.1
我猜它被反向移植了?
推荐答案
您可以使用您自定义的 StrictHttpFirewall 实例来稀释默认的 spring 安全防火墙(风险自担)
You can dilute the default spring security firewall using your custom defined instance of StrictHttpFirewall (at your own risk)
@Bean
public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
StrictHttpFirewall firewall = new StrictHttpFirewall();
firewall.setAllowUrlEncodedSlash(true);
firewall.setAllowSemicolon(true);
return firewall;
}
然后在WebSecurity中使用这个自定义防火墙bean(Spring boot不需要这个改动)
And then use this custom firewall bean in WebSecurity (Spring boot does not need this change)
@Override
public void configure(WebSecurity web) throws Exception {
super.configure(web);
// @formatter:off
web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
...
}
这将适用于 Spring Security 4.2.4+,但当然会带来一些风险!
That shall work with Spring Security 4.2.4+, but of-course that brings some risks!
这篇关于Spring Security 4.2 中的 StrictHttpFirewall 与 Spring MVC @MatrixVariable的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!