web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentia

原创 已于 2022-08-15 14:42:45 修改 · 4.8k 阅读 · 0 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#前端 #java #servlet

于 2019-12-18 20:17:47 首次发布
本文探讨了Spring Security中因URL包含潜在恶意字符串而引发的RequestRejectedException异常,并提供了解决方案,通过自定义过滤器跳过特定请求的检查。

spring security 自带url 校验失败 因为请求的url不合法,但是对接方又不能修改,只能平台适配

org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String "%2E"
    at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
    at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:193)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at 
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:100)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:65)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:336)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

解决方法

在对应请求在对过滤链进行放行处理

@Configuration
@EnableWebMvc
public  class WebConfig extends WebMvcConfigurerAdapter {


    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
//将所有/static/** 访问都映射到classpath:/static/ 目录下
        registry.addResourceHandler("/**").addResourceLocations("classpath:/static/");
        registry.addResourceHandler("/swagger-ui.html").addResourceLocations("classpath:/META-INF/resources/");
        registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");
        registry.addResourceHandler("/update/**").addResourceLocations("classpath:/update/");
    }


    @Override
    public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
        MappingJackson2HttpMessageConverter converter = new MappingJackson2HttpMessageConverter();

        ObjectMapper mapper = new ObjectMapper();
        mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        mapper.setDateFormat(new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSXXX"));
        converter.setObjectMapper(mapper);
        converters.add(converter);
    }


    @Bean
    public ViewResolver getViewResolver(){
        InternalResourceViewResolver resolver = new InternalResourceViewResolver();
        resolver.setPrefix("/static/");
        resolver.setSuffix(".html");
        return resolver;
    }

    @Bean
    public FilterRegistrationBean myUpdateFilterRegistration() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new MyUpdateFilter());
        registration.addUrlPatterns("/*");
        registration.addUrlPatterns();
        registration.setName("myUpdateFilter");
        registration.setOrder(-102);
        return registration;
    }


}

public class MyUpdateFilter implements Filter {

    private KikGaLogger log = LogUtil.get();

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;
        String servletPath = request.getServletPath();
        //update下载
        if (StringUtils.isNotBlank(servletPath) && servletPath.contains("/update/")) {
            log.info("MyUpdateFilter filter:" + servletPath);
            skipFilter(filterChain);
        }
        filterChain.doFilter(servletRequest, servletResponse);

    }

    @Override
    public void destroy() {

    }
    /**
     * 方法名称:skipFilter
     * 方法描述:跳过filter()
     * 返回值描述:
     */
    private void skipFilter(FilterChain chain) {
        try {
            Field field = chain.getClass().getDeclaredField("filters");
            field.setAccessible(true);
            List<ManagedFilter> filters = (List<ManagedFilter>) field.get(chain);
            int k = 0;
            Iterator<ManagedFilter> iterators = filters.iterator();
            while (iterators.hasNext()){
                ManagedFilter filter = iterators.next();
                if (filter==null) {
                    continue;
                }
                String name = filter.getFilterInfo().getName();
                //cas过滤
                if(name.contains("cas")||name.contains("Security")){
                    iterators.remove();
                }
            }
            //field.set("filters",filters);
            field.setAccessible(false);
        } catch (Exception e) {
            log.error("skipFilter error",e);
        }
    }

}

项目服务间访问提示The request was rejected because the URL contained a potentially malicious String “//“
喜羊羊love红太狼
01-23 1510
1.开发过程最好是按照规范开发,可以避免诸如此类低级问题。比如项目中前缀是那么controller统一这样的话拼接到一起就不会有双横线问题了2.当然如果允许路径中存在双横线则可以在security中添加配置@Bean//此处可添加别的规则,目前只设置 允许双 //
源码分析异常错误The request was rejected because the URL contained a potentially malicious String “//“
qq_35937303的博客
07-18 544
The request was rejected because the URL contained a potentially malicious String "//"错误分析
SpringBoot中SpringSecurity 报错:org.springframework.security.web.firewall.RequestRejectedException
一个简单的描述,我想你不会感兴趣的
08-04 4608
根据报错org.springframework.security.web.firewall.RequestRejectedException中的信息分析错误
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because
u013430054的博客
04-22 1万+
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String "%3B"org.springframework.security.web.firewall.Req...
报错: The request was rejected because the URL contained a potentially malicious String “//“
比个帽的博客
08-16 7499
Spring Security 框架中提供了一个 HttpFirewall,这是一个请求防火墙,它可以自动处理掉一些非法请求,请求地址格式中不能包含;等字符或编码,必须是标准化 URL。如果希望请求地址中可以出现 %,在SpringSecurity中进行如下配置。
SpringBoot整合升级Spring Security 报错 【The request was rejected because the URL was not normalized】
Lan_Xuan
06-10 1681
SpringBoot整合升级Spring Security 报错 【The request was rejected because the URL was not normalized】 前言 最近LZ给项目框架升级, 从Spring1.x升级到Spring2.x, 在这里就不多赘述两个版本之间的区别以及升级的原因。 关于升级过程中踩的坑,在其他博文中会做比较详细的记录,以便给读者参考,不要掉进...
MyCat bug记录:backend connect: java.lang.IllegalArgumentException: Invalid DataSource:0
weixin_44991304的博客
07-18 3792
今天在搭建mycat分片配置中遇到了 报了backend connect: java.lang.IllegalArgumentException: Invalid DataSource:0 在百度上查询了一番依旧没有找到解决的办法,一开始没有想到去查看日志文件,以为是配置文件配错了,一直检查修改,始终没有得到解决。后来去查看了一下mycat.log文件,不查不知道一查吓一跳有1000多条记录都是报这个错误的。 于是去百度上查找了一下 java.net.NoRouteToHostException: 没有
zabbix Get value from agent failed: cannot connect to [192.168.199.166]:10050]:[113]No route to host
夫君子之行,静以修身,俭以养德,非淡泊无以明志,非宁静无以致远.
05-05 3636
客户端配置zabbix-agent 后,网页端出现Get value from agent failed: cannot connect to [192.168.199.166]:10050]:[113]No route to host的错误,主机没法被监听 1、服务器端ping 客户端 ping 192.168.199.166 2、如果能ping通,则是因为防火墙的原因,需关闭防火墙 CentOS7 的防火墙配置跟以前版本有很大区别,CentOS7这个版本的防火墙默认使用的是firewall,与.
【SSM_bugs】The request was rejected because the URL contained a potentially malicious String “//“
m0_46308522的博客
06-06 424
The request was rejected because the URL contained a potentially malicious String "//"
The request was rejected because the URL contained a potentially malicious String “//“
愤怒的苹果ext的博客
02-07 4765
报错详情 org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String “//” at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictH
jar包启动报错:The request was rejected because the URL contained a potentially malicious String “%25“
IT小辉同学
08-16 2842
晚安,玛卡巴卡——
The request was rejected because the URL contained a potentially malicious String ";"报错解决,
热门推荐
zhuyongru的专栏
09-11 2万+
去掉 URL 中讨厌的 jsessionid 在Java开发的网站中,经常会出现在URL中包含有jsessionid,用来记录session。 这是因为如果浏览器不支持cookie,JSP容器通过在URL中包含jsessionid来达到session的效果。 第一次访问的时候服务器不知道客户端有没有禁用cookie,所以会在超链接上加上jsessionid,在session过期以前第二次访问的...
SpringSecurity:request was rejected because the URL contained a potentially malicious String “//“
Ricardo.M.Yu的博客
03-15 3461
spring security路径问题
The request was rejected because the URL contained a potentially malicious String “%2e“
脑神
01-11 5073
日志出现: [http-nio-80-exec-3] ERROR o.a.c.c.C.[.[localhost].[/].[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception org.springframework.security.web.firewall.RequestRejectedException: The request w
解决 The request was rejected because the URL contained a potentially malicious String “;“
jingchao1998的博客
06-04 1003
在 Spring Security 项目中,默认使用 StrictHttpFirewall 对象,该对象对一些疑似恶意攻击的请求也进行了拒绝处理。假如该对象对我们的项目来说过于严格,那我们可以通过配置的方式定制哪些请求需要被拒绝,当然相应的,我们的应用程序也更容易受到攻击。URL地址中携带 jsessionid 包含 “;
threw exception org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially
最新发布
03-11
<think>好的,我现在需要解决用户提到的Spring Security中的RequestRejectedException问题。用户提供的引用信息显示,这个错误通常是因为URL未规范化或被检测到潜在的安全风险。用户已经给出了一些解决方法,比如配置DefaultHttpFirewall,但可能还需要更详细的步骤或解释。 首先,我要确认这个异常的原因。根据引用[1]和[4],当URL未标准化或包含可疑字符时,Spring Security的严格防火墙会拦截请求。例如,双斜杠、路径遍历序列(如../)或特殊字符可能导致这个问题。 接下来,用户提到的解决方案是在启动类中配置DefaultHttpFirewall的Bean。引用[1]和[2]都提到了这一点,所以这应该是有效的。但需要详细说明如何正确配置,可能需要代码示例,并解释为什么这样做有效。 另外,引用[3]提到了SecurityContextHolderAwareRequestFilter,这可能在处理请求包装时相关,但用户的问题更直接与防火墙配置有关,所以可能不需要深入这部分,除非有其他问题。 用户可能需要了解其他可能的解决方案,比如放宽URL检查或自定义防火墙规则。例如,如果对接方无法修改URL,可能需要平台适配,如引用[4]所述。这时候可能需要自定义HttpFirewall来允许某些特定的非规范URL。 需要注意配置DefaultHttpFirewall可能带来的安全风险,比如允许不规范的URL可能增加攻击面。需要提醒用户权衡安全性和需求,并建议其他安全措施。 最后,生成相关问题时要围绕解决方案、替代方法、安全影响和异常的其他原因展开,以帮助用户全面了解问题。</think>### 解决Spring SecurityRequestRejectedException错误的方法 当Spring Security检测到URL不规范或包含潜在危险字符时,会抛出`org.springframework.security.web.firewall.RequestRejectedException`。以下是分步解决方案: --- #### 方法1:配置`DefaultHttpFirewall`放宽URL检查 1. **在Spring Boot启动类中定义Bean** 通过替换默认的`StrictHttpFirewall`为更宽松的`DefaultHttpFirewall`,允许部分非规范化URL: ```java @Bean public HttpFirewall defaultHttpFirewall() { return new DefaultHttpFirewall(); } ``` **原理**:`DefaultHttpFirewall`对URL的检查较宽松,可避免因双斜杠(`//`)、路径遍历(如`../`)或特殊字符触发的拦截[^1][^2]。 2. **确保Security配置引用该Bean** 在`SecurityConfig`类中,需显式配置`httpFirewall`: ```java @Autowired private HttpFirewall httpFirewall; @Override protected void configure(HttpSecurity http) throws Exception { http .requestMatcher(request -> httpFirewall.getFirewalledRequest((HttpServletRequest) request)) // 其他安全配置 } ``` --- #### 方法2:自定义`HttpFirewall`规则(精细控制) 若需保留安全检查但调整特定规则,可继承`StrictHttpFirewall`并重写方法: ```java @Bean public HttpFirewall customFirewall() { StrictHttpFirewall firewall = new StrictHttpFirewall(); firewall.setAllowUrlEncodedSlash(true); // 允许URL编码的斜杠(如%2F) firewall.setAllowUrlEncodedPercent(true); // 允许百分号 firewall.setAllowBackSlash(true); // 允许反斜杠 return firewall; } ``` **适用场景**:需兼容历史API或第三方系统非规范URL时[^4]。 --- #### 方法3:检查请求处理链的过滤器配置 若异常由过滤器链中的包装类引发(如`SecurityContextHolderAwareRequestFilter`),可尝试调整过滤器顺序或禁用非必要过滤器: ```java @Override protected void configure(HttpSecurity http) throws Exception { http .addFilterBefore(customRequestFilter(), SecurityContextHolderAwareRequestFilter.class) // 其他配置 } ``` --- #### 安全风险提示 放宽URL检查可能导致路径注入、目录遍历等漏洞。建议: - 仅在生产环境临时使用`DefaultHttpFirewall` - 配合输入验证和输出编码 - 监控日志中的异常请求模式[^4] ---
评论
成就一亿技术人!
拼手气红包6.0元
还能输入1000个字符
 
红包 添加红包
表情包 插入表情
表情包 代码片
 条评论被折叠 查看
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值