SEC-1584: Addition of HttpFirewall strategy to FilterChainProxy to reject un-normalized requests and wrap the incoming request object before processing by the security filter chain to provide a more consistent representation of paths than is guaranteed by the servlet spec. The wrapper strips path parameters from pathInfo and servletPath to provide consistency of URL matching across servlet containers and protect against bypassing security constraints by the malicious addition of such parameters to the URL. The paths are canonicalized further by replacing of multiple sequences of "/" characters with a single "/".

This commit is contained in:
Luke Taylor
2010-10-03 01:04:26 +01:00
parent 695c8f4ad6
commit 7d97adc687
11 changed files with 583 additions and 52 deletions

View File

@@ -116,18 +116,18 @@ public class FilterChainProxyConfigTests {
}
private void checkPathAndFilterOrder(FilterChainProxy filterChainProxy) throws Exception {
List<Filter> filters = filterChainProxy.getFilters("/foo/blah");
List<Filter> filters = filterChainProxy.getFilters("/foo/blah;x=1");
assertEquals(1, filters.size());
assertTrue(filters.get(0) instanceof SecurityContextHolderAwareRequestFilter);
filters = filterChainProxy.getFilters("/some/other/path/blah");
filters = filterChainProxy.getFilters("/some;x=2,y=3/other/path;z=4/blah");
assertNotNull(filters);
assertEquals(3, filters.size());
assertTrue(filters.get(0) instanceof SecurityContextPersistenceFilter);
assertTrue(filters.get(1) instanceof SecurityContextHolderAwareRequestFilter);
assertTrue(filters.get(2) instanceof SecurityContextHolderAwareRequestFilter);
filters = filterChainProxy.getFilters("/do/not/filter");
filters = filterChainProxy.getFilters("/do/not/filter;x=7");
assertEquals(0, filters.size());
filters = filterChainProxy.getFilters("/another/nonspecificmatch");