When adding a gateway like Zuul in front of a legacy application, you may encounter errors thrown by Spring Security such as:

org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
Check whether your Tomcat server appends the jsessionid to the URL after a ";" (URL-based session tracking). To disable it, add the following to web.xml:

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

or, in context.xml, set cookies="true" on the <Context> element.
Spring Boot gives you a fully functional HTTP firewall out of the box as soon as the security starter is on the classpath:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
HttpFirewall | Black List

We end with the URL black list, which rejects HTTP requests whose URL contains any of the following:
- a semicolon (";"). You can override this with setAllowSemicolon(boolean)
- a URL-encoded forward slash (%2f). You can override this with setAllowUrlEncodedSlash(boolean)
- a backslash ("\"). You can override this with setAllowBackSlash(boolean)
- a URL-encoded percent sign (%25). You can override this with setAllowUrlEncodedPercent(boolean)
- a URL-encoded period (%2e). You can override this with setAllowUrlEncodedPeriod(boolean)
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Exposed as a bean so Spring Security uses it instead of the default StrictHttpFirewall.
@Bean
public HttpFirewall firewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowSemicolon(true); // accept ";jsessionid=..." path parameters
    return firewall;
}
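To see the black list and the setAllowSemicolon override at work outside a running application, here is an added example that is not part of the original post: it feeds a constructed Tomcat-style ";jsessionid=..." URL to a StrictHttpFirewall with and without the override. The class name and the sample URLs are made up for the demo; it assumes spring-security-web and spring-test (for MockHttpServletRequest) are on the classpath.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Added demo (not from the original post): checks how StrictHttpFirewall treats
// a URL carrying a Tomcat session id as a ";jsessionid=..." path parameter.
public class FirewallSemicolonDemo {

    /** Returns true if the firewall accepts a GET for the given request URI. */
    static boolean accepts(HttpFirewall firewall, String requestUri) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        try {
            firewall.getFirewalledRequest(request);
            return true;
        } catch (RequestRejectedException e) {
            // This is the exception quoted at the top of the post.
            System.out.println("rejected " + requestUri + " -> " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample URLs: the first is the shape Tomcat produces when it
        // rewrites the session id into the path instead of using a cookie.
        String withJsessionid = "/legacy/index.jsp;jsessionid=0123456789ABCDEF";
        String plain = "/legacy/index.jsp";

        // Spring Security's default firewall: ";" is on the black list.
        HttpFirewall strict = new StrictHttpFirewall();
        System.out.println("default firewall, plain URL accepted: " + accepts(strict, plain));
        System.out.println("default firewall, jsessionid URL accepted: " + accepts(strict, withJsessionid));

        // The override from the post: semicolons are no longer rejected.
        StrictHttpFirewall relaxed = new StrictHttpFirewall();
        relaxed.setAllowSemicolon(true);
        System.out.println("relaxed firewall, jsessionid URL accepted: " + accepts(relaxed, withJsessionid));

        // Note: setAllowSemicolon(true) applies to every request, not only those
        // carrying a jsessionid, so any path-parameter trick is waved through to the
        // application. Switching Tomcat to cookie-only tracking (see the
        // <session-config> above) removes the need for the override entirely.
    }
}
```

Run it as a plain main class; the default firewall prints the RequestRejectedException message for the jsessionid URL, while the relaxed one lets it through. In practice, prefer fixing the session tracking mode on the Tomcat side over relaxing the firewall for the whole gateway.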