Description
Expected Behavior
StrictServerWebExchangeFirewall should be overridable so that allowEncodedSlashes can be set.
Current Behavior
allowEncodedSlashes in StrictServerWebExchangeFirewall cannot be set.
Context
I recently updated Spring Security Web to 6.3.4 and immediately noticed requests were failing with: The request was rejected because the URL contained a potentially malicious String \"%2F\"
This was previously working, so I dug into the code and noticed the error being thrown in this line. Then, looking up the call list, I see that the StrictServerWebExchangeFirewall object is created in the WebFilterChainProxy class, which means StrictServerWebExchangeFirewall is not a bean for which I can create a custom copy that allows me to set allowEncodedSlashes. The workaround, which I'm currently trying to get to work, is to create WebFilterChainProxy as a bean in the WebFluxSecurityConfiguration class.
I would have marked this as a bug, but I can't tell if Spring Security wants to stop supporting encoded slashes, so I downgraded it to a feature enhancement.
Thank you.