3

We are using primefaces media component and it generates the url as /javax.faces.resource/dynamiccontent.properties;/ .pdf which contains semicolon(;).

Due to that, we are getting exception i.e. The request was rejected because the URL contained a potentially malicious String.

In Spring Security 5 update by default StrictHttpFirewall is enabled. We can specify to allow semicolon by using setAllowSemicolon(true) in StrictHttpFirewall.

But this will be applicable for all URL.

Is there any way through which we can configure to allow semicolon only for specific URL?

prameela 0807
  • 61
  • 2
  • 5

2 Answers2

1

As the answer above indicated I also added the following XML definition for a custom firewall that allows semi-colons.

<bean id="myHttpFirewall" class="org.springframework.security.web.firewall.StrictHttpFirewall">
    <property name="allowSemicolon" value="true"/>
</bean>

<security:http-firewall ref="myHttpFirewall"/>

However byt itself this had no affect. To use that firewall in my application I had to add it to my FilterChainProxy as follows:

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <constructor-arg>
        <list>
            <security:filter-chain pattern="/**" filters="...."/>
        </list>
    </constructor-arg>
    <property name="firewall" ref="myHttpFirewall"/>
</bean>
runningboffin
  • 76
  • 3
0

If you use xml configuration, Declare your bean:

<bean id="customStrictHttpFirewall"
    class="org.springframework.security.web.firewall.StrictHttpFirewall">
    <property name="allowSemicolon" value="true"/>
</bean>

then in security.xml ref:

<http-firewall ref="customStrictHttpFirewall"/>

if you use annotations, You can search for answers, like this!

王治明
  • 1
  • 2