Phu*_*ong 5 spring spring-security spring-data-jpa spring-boot
I created a controller for searching data. But when I search with the keyword '%', it returns an HTTP 400 error. This is the controller:

```java
// Search handler: the keyword is taken from the URL path, so a "%" has to be sent as "%25"
@RequestMapping(value = "/search/{txtKeyWord}")
public String pageVipStory(@PathVariable("txtKeyWord") String txtKeyWord, Model model) {
    logger.info("Keyword In URL: " + txtKeyWord);
    model.addAttribute("txtKeyWord", txtKeyWord);
    // Re-encoded copy of the keyword for building links in the view
    model.addAttribute("txtKeyWordEndCode", UriUtils.encode(txtKeyWord, "UTF-8"));
    getMenuAndInfo(model, "Search " + txtKeyWord);
    return "web/searchPage";
}
```
Via the link "http://localhost:8080/search/%25", the error message is:

```
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String "%25"
    at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:325) ~[spring-security-web-5.1.1.RELEASE.jar:5.1.1.RELEASE]
    at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:293) ~[spring-security-web-5.1.1.RELEASE.jar:5.1.1.RELEASE]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194) ~[spring-security-web-5.1.1.RELEASE.jar:5.1.1.RELEASE]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.1.1.RELEASE.jar:5.1.1.RELEASE]
    ... (remaining Spring Web filter, Tomcat 9.0.12 and thread-pool frames omitted)
```
Can anyone tell me where the error is, and how to overcome it? Thanks!

You can override the default Spring Security firewall with your own customized StrictHttpFirewall instance.
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Declared in a @Configuration class; Spring Security picks up the HttpFirewall bean automatically
@Bean
public HttpFirewall allowUrlEncodedPercentHttpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    // Removes "%25" (encoded) and "%" (decoded) from the firewall's URL blocklists
    firewall.setAllowUrlEncodedPercent(true);
    return firewall;
}
```

Note that this can lead to exploits involving double URL encoding that bypass security constraints.
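To see exactly what the setting changes, here is an added example (not code from the question or the answer) that feeds constructed requests straight into StrictHttpFirewall using spring-test's MockHttpServletRequest; it assumes spring-security-web 5.1.x and spring-test on the classpath, and the `inspect` helper and `PercentFirewallDemo` class are mine.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class PercentFirewallDemo {

    /**
     * Runs one request through the firewall exactly as FilterChainProxy would.
     * Returns null when the request is accepted, otherwise the rejection message.
     */
    static String inspect(StrictHttpFirewall firewall, String rawRequestUri, String decodedServletPath) {
        // Constructed request: a servlet container hands Spring Security the raw,
        // still-encoded request URI plus the container-decoded servlet path.
        MockHttpServletRequest request = new MockHttpServletRequest("GET", rawRequestUri);
        request.setServletPath(decodedServletPath);
        try {
            firewall.getFirewalledRequest(request);
            return null;
        } catch (RequestRejectedException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        StrictHttpFirewall defaults = new StrictHttpFirewall();
        StrictHttpFirewall relaxed = new StrictHttpFirewall();
        relaxed.setAllowUrlEncodedPercent(true);   // the setting from the answer

        // The request from the question: keyword "%" sent as "%25".
        // Default instance rejects it with the "potentially malicious String" message;
        // the relaxed instance returns null and the controller receives txtKeyWord = "%".
        System.out.println("default /search/%25 : " + inspect(defaults, "/search/%25", "/search/%"));
        System.out.println("relaxed /search/%25 : " + inspect(relaxed, "/search/%25", "/search/%"));

        // The caveat from the answer: a double-encoded percent ("%2525") also passes the
        // relaxed instance. The container decodes it once, to "%25"; anything downstream
        // that decodes a second time sees "%" and may then interpret bytes that the
        // firewall never inspected. That second decode is the gap the default closes.
        System.out.println("relaxed /search/%2525 : " + inspect(relaxed, "/search/%2525", "/search/%25"));
    }
}
```

Since StrictHttpFirewall 5.1 only inspects the path portion of the URL, an alternative that keeps the default firewall intact is to accept the keyword as a query parameter (for example `/search?q=%25` bound with `@RequestParam`) rather than as a path variable; that is my suggestion, not part of the original answer.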