I'm running into the problem with Spring Security where I get the following error in my Spring Boot application:
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
A solution I found here is to define a customized StrictHttpFirewall bean as described here: StrictHttpFirewall in spring security 4.2 vs spring MVC @MatrixVariable.
However, I'm still getting the error even though I can see that the method defining the bean is being called. It's as if the bean is being instantiated but not used.
I have the bean defined in a configuration class implementing WebMvcConfigurer.
I'm using Spring Boot version 2.0.4. I've tried a few different versions of Spring Security, all with the same result.
What am I doing wrong? Thanks!
EDIT: Here's my (obfuscated) configuration class:
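import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@EnableScheduling
@Configuration
@EnableWebSecurity
@ComponentScan({"com.foo.proj1", "com.foo.proj2"})
public class ApplicationConfiguration implements WebMvcConfigurer {
    // Assumed SLF4J logger; its declaration is not shown in the original snippet.
    private static final Logger logger = LoggerFactory.getLogger(ApplicationConfiguration.class);
    // Other bean definitions and scheduled tasks

    @Bean
    public StrictHttpFirewall allowUrlEncodedSlashHttpFirewall() {
        logger.info("Setting HTTP firewall override.");
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        firewall.setAllowSemicolon(true);
        return firewall;
    }
}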
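One way to make sure the security filter chain uses the customized firewall is to pass it to the WebSecurity builder explicitly instead of relying on bean discovery. This is an added example, not code from the original post: the class name SecurityConfiguration is hypothetical, and it assumes a Spring Security 5.0.x release (as shipped with Spring Boot 2.0.4) where WebSecurityConfigurerAdapter is available.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Hypothetical class name; not part of the original post.
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Same two relaxed settings as in the question. Every other
    // StrictHttpFirewall check (encoded percent, backslash, encoded
    // period, ...) keeps its default and still rejects the request.
    @Bean
    public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        firewall.setAllowSemicolon(true);
        return firewall;
    }

    // Hand the firewall to the WebSecurity builder so that the
    // FilterChainProxy it creates is built with this instance.
    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
        web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
    }
}
```

With this class in place, the firewall bean method in ApplicationConfiguration is no longer needed and should be removed so that only one firewall bean exists.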