DefaultHttpFirewall

Class Overview

Default implementation which wraps requests in order to provide consistent values of the servletPath and pathInfo, which do not contain path parameters (as defined in RFC 2396). Different servlet containers interpret the servlet spec differently as to how path parameters are treated and it is possible they might be added in order to bypass particular security constraints. When using this implementation, they will be removed for all requests as the request passes through the security filter chain. Note that this means that any segments in the decoded path which contain a semi-colon, will have the part following the semi-colon removed for request matching. Your application should not contain any valid paths which contain semi-colons.

If any un-normalized paths are found (containing directory-traversal character sequences), the request will be rejected immediately. Most containers normalize the paths before performing the servlet-mapping, but again this is not guaranteed by the servlet spec.

Summary

[Expand] Inherited Methods
From class java.lang.Object Object clone() boolean equals(Object arg0) void finalize() final Class<?> getClass() int hashCode() final void notify() final void notifyAll() String toString() final void wait() final void wait(long arg0, int arg1) final void wait(long arg0)
From interface org.springframework.security.web.firewall.HttpFirewall abstract FirewalledRequest getFirewalledRequest(HttpServletRequest request) Provides the request object which will be passed through the filter chain. abstract HttpServletResponse getFirewalledResponse(HttpServletResponse response) Provides the response which will be passed through the filter chain.