
After upgrading Spring Security to version 4.2.4, we are getting the exception below for a URL that contains a semicolon, e.g.:

https://url/name=somevalue;value=somevalue

 org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"

        at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:140) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]

        at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:120) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]

        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:193) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]

        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]

        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]

        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]

        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]

So we configured a custom HttpFirewall implementation:

      import org.springframework.context.annotation.Bean;
      import org.springframework.security.web.firewall.HttpFirewall;
      import org.springframework.security.web.firewall.StrictHttpFirewall;

      // Keeps StrictHttpFirewall but permits ";" and "%2F" in the request path
      @Bean
      public HttpFirewall allowUrlEncodedSlashHttpFirewall()
      {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        firewall.setAllowSemicolon(true);
        return firewall;
      }

and 

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;

    // Field declared here so the fragment compiles; assumed to be injected with the bean above
    @Autowired
    private HttpFirewall httpFirewall;

    @Override
    public void configure(WebSecurity web) throws Exception
    {
      super.configure(web);
      web.httpFirewall(this.httpFirewall);
    }

After configuring this, we are facing the same issue.

Then I debugged the built-in class StrictHttpFirewall.getFirewalledRequest(HttpServletRequest request).

Sometimes we are getting a nested request like:

firewalledRequest[ firewalledRequest [ … (request).

I also checked the doFilter() method in FilterChainProxy.

It's not clearing the SecurityContextHolder, and so FilterChainProxy actually occurs twice in the chain.

Vanitha V
  • Please refer to this issue. A possible duplicate: https://stackoverflow.com/questions/48580584/stricthttpfirewall-in-spring-security-4-2-vs-spring-mvc-matrixvariable/48636757 – Gabriel Kohen Jun 25 '18 at 14:13
  • Possible duplicate of [StrictHttpFirewall in spring security 4.2 vs spring MVC @MatrixVariable](https://stackoverflow.com/questions/48580584/stricthttpfirewall-in-spring-security-4-2-vs-spring-mvc-matrixvariable) – dur Jul 30 '18 at 07:21
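Added example, not from the question or the linked duplicate: a stand-alone Java class that drives StrictHttpFirewall directly with spring-test's MockHttpServletRequest, so the effect of setAllowSemicolon(true) can be confirmed on its own, independently of how the bean is wired into FilterChainProxy. The class name, the constructed sample URIs and the requirement of spring-security-web 4.2.4 plus spring-test on the classpath are my assumptions.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/**
 * Exercises StrictHttpFirewall outside the servlet filter chain so the effect of
 * setAllowSemicolon(true) is visible in isolation from bean wiring.
 * Assumes spring-security-web 4.2.4 and spring-test on the classpath.
 */
public class SemicolonFirewallCheck {

    // Same settings as the allowUrlEncodedSlashHttpFirewall bean in the question.
    static HttpFirewall permissiveFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        firewall.setAllowSemicolon(true);
        return firewall;
    }

    // true if the firewall wraps the request, false if it throws RequestRejectedException.
    static boolean accepts(HttpFirewall firewall, String requestUri) {
        // Constructed sample request; only the request URI matters for the semicolon check.
        MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        try {
            firewall.getFirewalledRequest(request);
            return true;
        } catch (RequestRejectedException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        String matrixUri = "/name=somevalue;value=somevalue";           // path from the question
        String encodedSemicolonUri = "/name=somevalue%3Bvalue=somevalue"; // same path, URL-encoded

        HttpFirewall defaults = new StrictHttpFirewall();
        HttpFirewall custom = permissiveFirewall();

        // Default firewall: ";" and "%3B" in the URI are both on the blacklist.
        System.out.println("default, ';'    accepted=" + accepts(defaults, matrixUri));
        System.out.println("default, '%3B'  accepted=" + accepts(defaults, encodedSemicolonUri));

        // Custom firewall: setAllowSemicolon(true) removes ";", "%3b" and "%3B" from the blacklist.
        System.out.println("custom,  ';'    accepted=" + accepts(custom, matrixUri));
        System.out.println("custom,  '%3B'  accepted=" + accepts(custom, encodedSemicolonUri));

        // The other checks stay in force: a non-normalized path is still rejected by the custom firewall.
        System.out.println("custom,  '/../' accepted=" + accepts(custom, "/name/../admin"));
    }
}
```

If this class shows the custom firewall accepting the semicolon URI while the deployed application still throws RequestRejectedException, the FilterChainProxy in the stack trace is not holding that firewall instance. In 4.2.x, WebSecurity only calls filterChainProxy.setFirewall(...) when web.httpFirewall(...) was given a non-null value, so an uninjected (null) field silently leaves the default StrictHttpFirewall in place; putting a breakpoint on FilterChainProxy.setFirewall, or logging the firewall's identity in the bean method and again inside getFirewalledRequest, settles which instance is in use. The nested firewalledRequest[ firewalledRequest [ ... ] ] observation also matches FilterChainProxy.doFilter taking its "already applied" branch: when the FILTER_APPLIED request attribute is present it calls doFilterInternal again without clearing the SecurityContextHolder, which is what one sees when the springSecurityFilterChain filter is registered twice for the same request (for example once by auto-configuration and once by a manual FilterRegistrationBean); the second registration would also be the one that keeps a default firewall.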

0 Answers