Author |
Message |
21/08/2018 07:14:07
|
msailer
Power User
Joined: 22/06/2015 12:17:44
Messages: 112
Offline
|
Hi,
our application is based on Spring. With an update to the latest Spring version, the StrictHttpFirewall of Spring is complaining about some characters in an HttpServletRequest, e.g. the ";".
When we use the file upload button, after selecting an image and clicking OK, an HttpServletRequest with a RequestURL:
Code:
"/my_application/ccupload/UPLOAD_1534835327090_2_slice_0_of_2.ccupload;jsessionid=5DDCC9AE4D3077F70779E0E55BCF421B"
is received. That request contains a ";" when adding the jsessionid. Is that something which is required or can this be concatenated with a different character like "&" or so?
|
|
|
21/08/2018 07:28:46
|
CaptainCasa
Power User
Joined: 21/11/2007 12:23:06
Messages: 5526
Offline
|
Hi,
this is absolutely required if not running in COOKIE-mode. The ";jsessionid=" is the default way of writing session information into the URL. So I am a bit "confused" that Spring does not like it...
Regards, Björn
|
Björn Müller, CaptainCasa GmbH |
|
|
21/08/2018 07:34:44
|
msailer
Power User
Joined: 22/06/2015 12:17:44
Messages: 112
Offline
|
Ok I see. So I guess that topic is erased when we switch to yummy cookies right?
|
|
|
21/08/2018 07:47:38
|
CaptainCasa
Power User
Joined: 21/11/2007 12:23:06
Messages: 5526
Offline
|
...from my understanding: yes...! ;-) - Björn
|
Björn Müller, CaptainCasa GmbH |
|
|
21/08/2018 08:09:49
|
msailer
Power User
Joined: 22/06/2015 12:17:44
Messages: 112
Offline
|
Just saw that when we use the client side printing we get:
Code:
/my_app/ccbuffer/BUFFERED_1534838551886_1.ccbuffer/document.pdf;jsessionid=DD64DDA872BBAC89D97FDD9A00D2E378;filename=/document.pdf
Then this filename=/document.pdf would still be concatenated with ";" right?
|
|
|
21/08/2018 08:15:06
|
CaptainCasa
Power User
Joined: 21/11/2007 12:23:06
Messages: 5526
Offline
|
Hi,
you are right...! And this we also do following some convention... - But this is in our hands, so we could switch it off.
Regards, Björn
|
Björn Müller, CaptainCasa GmbH |
|
|
21/08/2018 08:21:48
|
msailer
Power User
Joined: 22/06/2015 12:17:44
Messages: 112
Offline
|
As a workaround we could also enable ";" but... You know. Not the preferred way.
I don't know why Spring suddenly dropped support of ";" (I'll find out) but if we could turn it off somehow it would be the best for us regarding security.
|
|
|
21/08/2018 12:54:11
|
rspiller
Power User
Joined: 20/04/2012 07:37:01
Messages: 59
Offline
|
Hello,
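we had the same problem with Spring Security enabled. And we actually took the "easy" way and allowed the semicolon in the URL.
Code:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Every request is matched to an empty filter chain, so no Spring Security filters run
        web.ignoring().anyRequest();
        // Replace the default firewall with the relaxed instance defined below
        web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
    }
    // Despite the method name, the only check relaxed here is the semicolon check
    @Bean
    public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true); // accept ";" (e.g. ";jsessionid=...") in request URLs
        return firewall;
    }
}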
|
|
|
21/08/2018 12:56:26
|
msailer
Power User
Joined: 22/06/2015 12:17:44
Messages: 112
Offline
|
Yes I currently did that too as a workaround but since our application requires higher security I'm afraid that this won't be the solution :/
|
|
|
|
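An added example (not code from the thread, Spring or CaptainCasa): a small Python audit that takes request URIs such as the two quoted in the thread and reports which ones trip StrictHttpFirewall's default semicolon check, and which would still trip it once session tracking moves to cookies. The function names and the third sample URI are constructed for illustration, and it assumes cookie mode removes only the `;jsessionid=` parameter.

```python
import re

# Tokens StrictHttpFirewall rejects by default (setAllowSemicolon(false))
FORBIDDEN_SEMICOLON = (";", "%3b", "%3B")
SESSION_PARAM = "jsessionid"  # name used for URL-rewritten session ids


def path_param_names(request_uri):
    """Names of all literal ';name[=value]' path parameters, query string excluded."""
    path = request_uri.split("?", 1)[0]
    return [m.group(1) for m in re.finditer(r";([^;=/]*)", path)]


def audit(request_uri):
    """Classify one request URI against the default semicolon check."""
    path = request_uri.split("?", 1)[0]  # the query string is not part of the checked path
    names = path_param_names(request_uri)
    # Assumption: cookie session tracking removes only the jsessionid parameter
    leftover = [n for n in names if n != SESSION_PARAM]
    encoded = re.search(r"%3[bB]", path) is not None
    return {
        "blocked_now": any(tok in path for tok in FORBIDDEN_SEMICOLON),
        "params": names,
        "blocked_with_cookies": bool(leftover) or encoded,
    }


SAMPLES = [
    # The two URLs quoted in the thread
    "/my_application/ccupload/UPLOAD_1534835327090_2_slice_0_of_2.ccupload"
    ";jsessionid=5DDCC9AE4D3077F70779E0E55BCF421B",
    "/my_app/ccbuffer/BUFFERED_1534838551886_1.ccbuffer/document.pdf"
    ";jsessionid=DD64DDA872BBAC89D97FDD9A00D2E378;filename=/document.pdf",
    # Constructed: the semicolon appears only in the query string
    "/my_app/page.jsp?a=1;b=2",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(audit(uri), uri.split(";")[0])
```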