堆栈内存溢出
  简体   繁体   English

在Spring Security 5中仅对某些特定的URL允许分号,即StrictHttpFirewall?

[英]Allow semicolon only for some specific url in Spring Security 5 i.e. StrictHttpFirewall?

 原文  2018-04-11 06:39:28       java/ spring/ spring-security

问题描述

We are using primefaces media component and it generates the url as /javax.faces.resource/dynamiccontent.properties;/ .pdf which contains semicolon( ; ). 我们正在使用primefaces媒体组件,它生成的URL为/javax.faces.resource/dynamiccontent.properties;/ .pdf ,其中包含分号( ; )。

Due to that, we are getting exception ie The request was rejected because the URL contained a potentially malicious String. 因此,我们正在获取异常,即请求被拒绝,因为URL包含潜在的恶意字符串。

In Spring Security 5 update by default StrictHttpFirewall is enabled. 在Spring Security 5中,默认情况下启用了StrictHttpFirewall更新。 We can specify to allow semicolon by using setAllowSemicolon(true) in StrictHttpFirewall. 我们可以通过使用StrictHttpFirewall中的setAllowSemicolon(true)来指定允许分号。

But this will be applicable for all URL. 但这将适用于所有URL。

Is there any way through which we can configure to allow semicolon only for specific URL? 有什么方法可以配置为仅允许特定URL使用分号?

2 个解决方案

解决方案1
 0  2018-08-09 01:19:26

If you use xml configuration, Declare your bean: 如果您使用xml配置,请声明您的bean: 

<bean id="customStrictHttpFirewall"
    class="org.springframework.security.web.firewall.StrictHttpFirewall">
    <property name="allowSemicolon" value="true"/>
</bean>

then in security.xml ref: 然后在security.xml中引用: 

<http-firewall ref="customStrictHttpFirewall"/>

if you use annotations, You can search for answers, like this! 如果您使用注释,则可以搜索答案, 就像这样!

解决方案2
 0  2019-06-05 05:35:35

As the answer above indicated I also added the following XML definition for a custom firewall that allows semi-colons. 如上面的答案所示,我还为允许分号的自定义防火墙添加了以下XML定义。 

<bean id="myHttpFirewall" class="org.springframework.security.web.firewall.StrictHttpFirewall">
    <property name="allowSemicolon" value="true"/>
</bean>

<security:http-firewall ref="myHttpFirewall"/>

However byt itself this had no affect. 但是拜特本身并没有影响。 To use that firewall in my application I had to add it to my FilterChainProxy as follows: 要在我的应用程序中使用该防火墙,我必须将其添加到我的FilterChainProxy中,如下所示: 

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <constructor-arg>
        <list>
            <security:filter-chain pattern="/**" filters="...."/>
        </list>
    </constructor-arg>
    <property name="firewall" ref="myHttpFirewall"/>
</bean>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 带有Spring Boot的Spring Security 4:静态资源(即CSS,JS,IMG)404问题 - Spring Security 4 with Spring Boot: static resource (i.e. css, js, img) 404 issue Spring Security 只允许访问具有特定用户名的用户 - Spring security allow access only users with specific username 使用 Spring Security 时,在 bean 中获取当前用户名(即 SecurityContext)信息的正确方法是什么? - When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean? 如何通过分页允许某些用户仅在 Spring Boot / Spring Security 的端点中访问他自己的数据? - How to allow some User only access his own data in endpoint in Spring Boot / Spring Security with pagination? Spring - 仅允许特定的域请求而无需配置 spring 安全性 - Spring - Allow only specific domain requests with out spring configuring spring security 如何禁用WebView加载favicon.ico(即特定URL)? - How to disable WebView load favicon.ico (i.e. specific URL)? 如何在 spring 引导之上编写框架(即在不实现某些接口的情况下编写 spring 引导应用程序) - How to write a framework on top of spring boot (i.e. write a spring boot application without implementing some interfaces) 仅在特定URL上调用自定义Spring Security过滤器 - Invoking a custom Spring Security filter only on specific URL url 到具有 spring 安全性的特定页面 - url to specific page with spring security Spring Data Mongo:如何仅保存日期,即不保存时间 - Spring Data Mongo: How to save only date i.e. not time
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM