Allow semicolon only for some specific URL in Spring Security 5, i.e. StrictHttpFirewall?
We are using the PrimeFaces media component and it generates the URL as /javax.faces.resource/dynamiccontent.properties;/ .pdf which contains a semicolon ( ; ).
Due to that, we are getting an exception, i.e. "The request was rejected because the URL contained a potentially malicious String."
In the Spring Security 5 update, StrictHttpFirewall is enabled by default. We can specify to allow semicolons by using setAllowSemicolon(true) in StrictHttpFirewall.
But this will be applicable for all URLs.
Is there any way through which we can configure it to allow semicolons only for a specific URL?
If you use XML configuration, declare your bean:
<bean id="customStrictHttpFirewall"
class="org.springframework.security.web.firewall.StrictHttpFirewall">
<property name="allowSemicolon" value="true"/>
</bean>
Then reference it in security.xml:
<http-firewall ref="customStrictHttpFirewall"/>
If you use annotations, you can search for answers, like this!
As the answer above indicated, I also added the following XML definition for a custom firewall that allows semicolons.
<bean id="myHttpFirewall" class="org.springframework.security.web.firewall.StrictHttpFirewall">
<property name="allowSemicolon" value="true"/>
</bean>
<security:http-firewall ref="myHttpFirewall"/>
However, by itself this had no effect. To use that firewall in my application I had to add it to my FilterChainProxy as follows:
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
<list>
<security:filter-chain pattern="/**" filters="...."/>
</list>
</constructor-arg>
<property name="firewall" ref="myHttpFirewall"/>
</bean>
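Added example (not from either answer and not part of Spring Security): both answers above allow semicolons for every URL, so this sketch shows one way to scope the relaxation to the path in the question by delegating between two StrictHttpFirewall instances. The class name, package and prefix constant are hypothetical, and it assumes the javax.servlet API used with Spring Security 5; it can be registered through the same http-firewall ref element shown above.

```java
package com.example.security; // hypothetical package

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/** Hypothetical delegating firewall: semicolons are tolerated under one prefix only. */
public class PathScopedHttpFirewall implements HttpFirewall {

    // Assumed prefix, taken from the URL quoted in the question.
    private static final String LENIENT_PREFIX =
            "/javax.faces.resource/dynamiccontent.properties";

    private final StrictHttpFirewall strict = new StrictHttpFirewall();
    private final StrictHttpFirewall lenient = new StrictHttpFirewall();

    public PathScopedHttpFirewall() {
        // Only the semicolon check is relaxed; every other default check stays on.
        lenient.setAllowSemicolon(true);
    }

    @Override
    public FirewalledRequest getFirewalledRequest(HttpServletRequest request)
            throws RequestRejectedException {
        return isLenientPath(request)
                ? lenient.getFirewalledRequest(request)
                : strict.getFirewalledRequest(request);
    }

    @Override
    public HttpServletResponse getFirewalledResponse(HttpServletResponse response) {
        return strict.getFirewalledResponse(response);
    }

    private boolean isLenientPath(HttpServletRequest request) {
        // Raw request URI: path parameters (";...") are still present here.
        String uri = request.getRequestURI();
        String prefix = request.getContextPath() + LENIENT_PREFIX;
        // Any ".." sends the request to the strict firewall, so a path
        // parameter cannot be combined with dot segments on the lenient path.
        return uri != null && uri.startsWith(prefix) && !uri.contains("..");
    }
}
```

Requests outside the prefix still get the default rejection, so the exception message quoted in the question remains the expected result for a semicolon anywhere else.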