StrictHttpFirewall in spring security 4.2 vs spring MVC @MatrixVariable

by

You can dilute the default spring security firewall using your custom defined instance of StrictHttpFirewall (at your own risk)

@Bean
public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowUrlEncodedSlash(true);
    firewall.setAllowSemicolon(true);
    return firewall;
}

And then use this custom firewall bean in WebSecurity (Spring boot does not need this change)

@Override
public void configure(WebSecurity web) throws Exception {
  super.configure(web);
  // @formatter:off
  web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
...
}

That shall work with Spring Security 4.2.4+, but of-course that brings some risks!

More Related Contents:

  1. Serving static web resources in Spring Boot & Spring Security application
  2. When to use Spring Security`s antMatcher()?
  3. CharacterEncodingFilter don’t work together with Spring Security 3.2.0
  4. Spring 5.0.3 RequestRejectedException: The request was rejected because the URL was not normalized
  5. How to handle static content in Spring MVC?
  6. Filter invoke twice when register as Spring bean
  7. When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
  8. Setting Precedence of Multiple @ControllerAdvice @ExceptionHandlers
  9. Spring MVC: How to return image in @ResponseBody?
  10. Spring MVC: Validation, Post-Redirect-Get, Partial Updates, Optimistic Concurrency, Field Security
  11. How to disable spring security for particular url
  12. Can Spring Security use @PreAuthorize on Spring controllers methods?
  13. Spring Boot CORS filter – CORS preflight channel did not succeed
  14. Spring mvc @PathVariable
  15. How to enable HTTP response caching in Spring Boot
  16. Dynamic Selection Of JsonView in Spring MVC Controller
  17. spring web, security + web.xml + mvc dispatcher + Bean is created twice
  18. How to configure Spring Security to allow Swagger URL to be accessed without authentication
  19. getting exception: No bean named ‘springSecurityFilterChain’ is defined
  20. How to apply Spring Security filter only on secured endpoints?
  21. Which is better, return “ModelAndView” or “String” on spring3 controller
  22. Spring Security 3.2 CSRF disable for specific URLs
  23. My Application Could not open ServletContext resource
  24. Web-application context/ root application context and transaction manager setup
  25. With Spring Security 3.2.0.RELEASE, how can I get the CSRF token in a page that is purely HTML with no tag libs
  26. Spring REST security – Secure different URLs differently
  27. What does do?
  28. Spring Boot exception: Could not open ServletContext resource [/WEB-INF/dispatcherServlet-servlet.xml]
  29. How to handle IO streams in Spring MVC
  30. Custom Authentication Manager with Spring Security and Java Configuration

Leave a Comment