1. 首頁
  2. 問答
  3. 春季安全DefaultHttpFirewall - 該requestURI不能包含編碼斜線

春季安全DefaultHttpFirewall - 該requestURI不能包含編碼斜線

2017-01-11 76 views
2

在彈簧引導啓用安全性的Web應用程序,我執行它包含編碼斜線GET請求時收到以下錯誤春季安全DefaultHttpFirewall - 該requestURI不能包含編碼斜線

http://172.16.62.11:8080/customers/emails/BceGjcCovvKn5VM5eEeoG%2FgIr9bh1FpiC0Ofl3umGqU%3D/foo

org.springframework.security.web.firewall.RequestRejectedException: The requestURI cannot contain encoded slash. Got /customers/emails/BceGjcCovvKn5VM5eEeoG%2FgIr9bh1FpiC0Ofl3umGqU%3D/foo 
     at org.springframework.security.web.firewall.DefaultHttpFirewall.getFirewalledRequest(DefaultHttpFirewall.java:56) 
     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:193) 
     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) 
     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) 
     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) 
     at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) 
     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) 
     at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:89) 
     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) 
     at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77) 
     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) 
     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) 
     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) 
     at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106) 
     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) 
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) 
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108) 
     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) 
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) 
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) 
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) 
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349) 
     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784) 
     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) 
     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802) 
     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410) 
     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) 
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) 
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) 
     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) 
     at java.lang.Thread.run(Thread.java:745)

設置System.setProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH", "true")沒有幫助。

來源

2017-01-11 arturo

回答

11

發現了問題 - 顯然在春季安全,編碼的斜槓的URL中使用的最新版本已被封鎖

https://github.com/spring-projects/spring-security/commit/666e356ebc479194ba51e43bb99fc42f849b6175

爲了克服這個問題,提供自己的HttpFirewall實施WebSecurity如下

@Bean 
public HttpFirewall allowUrlEncodedSlashHttpFirewall() { 
    DefaultHttpFirewall firewall = new DefaultHttpFirewall(); 
    firewall.setAllowUrlEncodedSlash(true); 
    return firewall; 
} 

@Override 
public void configure(WebSecurity web) throws Exception { 
    web.httpFirewall(allowUrlEncodedSlashHttpFirewall()); 
}

來源

2017-01-11 14:18:57 arturo

+0

非常有用!爲我使用1.5.10.RELEASE Spring Boot版本。 –

相關問題

 相關問題