StrictServerWebExchangeFirewall behavior in Spring-Security-Web 6.3.4 #16019

Closed
@kpolli

Description

Expected Behavior

StrictServerWebExchangeFirewall should be overridable so that allowEncodedSlashes can be set.

Current Behavior

allowEncodedSlashes in StrictServerWebExchangeFirewall can not be set.

Context

I recently updated Spring Security Web to 6.3.4 and immediately noticed requests were failing with "The request was rejected because the URL contained a potentially malicious String "%2F"".

This was previously working, so I dug into the code and noticed the error being thrown in this line. Then, looking up the call list, I see that the StrictServerWebExchangeFirewall object is created in the WebFilterChainProxy class, which means StrictServerWebExchangeFirewall is not a bean, so I cannot create a custom copy that allows me to set allowEncodedSlashes. The workaround which I'm currently trying to get to work is to create WebFilterChainProxy as a bean in the WebFluxSecurityConfiguration class.
I would have marked this a bug, but I can't tell if Spring Security wants to stop supporting encoded slashes, so I downgraded it to a feature enhancement.

Thank you.
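One way to wire the workaround the reporter describes (a WebFilterChainProxy bean carrying a customised firewall), as an added example that is neither the reporter's code nor Spring Security's own. It assumes StrictServerWebExchangeFirewall exposes a setter named setAllowUrlEncodedSlash, mirroring the servlet-side StrictHttpFirewall, and that the container permits overriding the springSecurityWebFilterChainFilter bean that WebFluxSecurityConfiguration declares.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterChainProxy;
import org.springframework.security.web.server.firewall.StrictServerWebExchangeFirewall;

@Configuration
public class EncodedSlashFirewallConfig {

    // Same bean name as WebFluxSecurityConfiguration uses, so this definition
    // takes the place of the framework's proxy (bean overriding must be enabled).
    @Bean("springSecurityWebFilterChainFilter")
    WebFilterChainProxy springSecurityWebFilterChainFilter(List<SecurityWebFilterChain> chains) {
        StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall();

        // Assumed setter name (by analogy with StrictHttpFirewall). Relaxing this
        // check lets "%2F" reach path matching, so every matcher in `chains` must
        // treat an encoded slash exactly as it treats a literal one, otherwise a
        // rule written for "/admin/users" can be bypassed by "/admin%2Fusers".
        firewall.setAllowUrlEncodedSlash(true);

        WebFilterChainProxy proxy = new WebFilterChainProxy(chains);
        proxy.setFirewall(firewall);
        return proxy;
    }
}
```

In a Spring Boot application, overriding a bean name that the framework already defines requires spring.main.allow-bean-definition-overriding=true; without it the context refuses to start rather than silently keeping the default firewall.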
