0

How should I carefully construct url addresses to bypass forensics in this spring project?

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.HttpFirewall;

@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    // Replaces Spring Security's default HttpFirewall with the project's own class
    @Bean
    public HttpFirewall httpFirewall() {
        return new CustomHttpFirewall();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // Every request whose path matches /admin/** must come from an authenticated user
        httpSecurity.authorizeRequests().antMatchers("/admin/**").authenticated();
    }
}

Above is the statement for authentication for this spring project.

And the project has the following statement in the firewall file.

import org.springframework.security.web.firewall.DefaultHttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class CustomHttpFirewall extends DefaultHttpFirewall {
    // Not an @Override: DefaultHttpFirewall declares no configure(...) method and
    // nothing in this class or its parent calls this one, so the bean returned by
    // httpFirewall() behaves exactly like a plain DefaultHttpFirewall.
    protected void configure(StrictHttpFirewall firewalledRequest) {
        firewalledRequest.setAllowUrlEncodedSlash(true);        // would permit %2F in the path
        firewalledRequest.setAllowUrlEncodedDoubleSlash(true);  // would permit // and %2F%2F
        firewalledRequest.setAllowUrlEncodedPeriod(true);       // would permit %2E
    }
}

This project doesn't use JWT to authenticate a user.

The version number of spring-security in this project is 5.6.3, while that of springframework is 2.7.0.

I've tried multiple ways of double-writing the slash and encoding the url multiple times, but all of them failed.

I wonder whether there is even a way to bypass this forensic statement.

Robert
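From a reviewer's side, the notable thing in the posted firewall class is that its `configure(StrictHttpFirewall)` method is never invoked, so the relaxations it appears to grant are not applied to the bean that Spring Security actually uses. The following is an added example, not code from the question or from Spring Security itself: it wires a `StrictHttpFirewall` with the default rejections left in place and adds a small regression check that the firewall in use rejects the three path forms the posted configuration tried to allow. It assumes Spring Security 5.6 and Spring Boot 2.7 (hence the `javax.servlet` package), `spring-test` on the classpath for `MockHttpServletRequest`, and the class name `FirewallHardeningExample` and helper `isRejected` are my own.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class FirewallHardeningExample {

    // Hardened replacement for the posted httpFirewall() bean. StrictHttpFirewall
    // already rejects encoded slashes, double slashes and encoded periods by
    // default; the setters are called explicitly only so the policy is visible
    // in the configuration rather than implied.
    @Bean
    public HttpFirewall httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowUrlEncodedSlash(false);
        firewall.setAllowUrlEncodedDoubleSlash(false);
        firewall.setAllowUrlEncodedPeriod(false);
        return firewall;
    }

    // Hypothetical helper: true if the firewall refuses the request, meaning the
    // path never reaches the /admin/** matcher in a non-normalised form.
    static boolean isRejected(HttpFirewall firewall, String requestUri) {
        // Constructed sample request; context path is "" and no body or headers
        HttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        try {
            firewall.getFirewalledRequest(request);
            return false;
        } catch (RequestRejectedException rejected) {
            return true;
        }
    }

    // Regression check to run against whichever HttpFirewall bean is in effect:
    // an ordinary path must pass, the three encoded forms must be rejected.
    public static void main(String[] args) {
        HttpFirewall firewall = new FirewallHardeningExample().httpFirewall();
        String[][] cases = {
            { "/admin/users",      "plain path, expected to pass" },
            { "/admin/%2Fusers",   "URL-encoded slash" },
            { "/admin//users",     "double slash" },
            { "/admin/%2E/users",  "URL-encoded period" },
        };
        for (String[] c : cases) {
            System.out.printf("%-22s %-30s rejected=%b%n", c[0], c[1], isRejected(firewall, c[0]));
        }
    }
}
```

The same `isRejected` check, pointed at the posted `CustomHttpFirewall` bean instead, is the quickest way to see whether a project's firewall configuration does what its source suggests; keeping it as a unit test catches a later change that silently loosens the policy.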

1 Answer

0

I think you should use requestMatchers instead, because isn't antMatchers deprecated in the newest Spring Security version?

  • Thanks, that's right. But this question is not about development but about security. I'm wondering if this outdated approach poses a tangible security risk. – coiloffaraday Aug 20 '23 at 02:23