Compare commits
17 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 3c2d810394 | |||
| c62168ca5b | |||
| d0b2b33dce | |||
| 0eaffb37e7 | |||
| e86d88d0cf | |||
| e48d6b039b | |||
| dd3c6892e9 | |||
| c552366a78 | |||
| 7215c72373 | |||
| 4ce7cde155 | |||
| c8342fcfae | |||
| 1b0c4d68da | |||
| b38b495630 | |||
| 5a7f12f1a9 | |||
| c614422f44 | |||
| 3656fa6e0c | |||
| 5b293d2116 |
@@ -1,23 +0,0 @@
|
||||
name: Clean build artifacts
|
||||
on:
|
||||
schedule:
|
||||
- cron: '0 10 * * *' # Once per day at 10am UTC
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
main:
|
||||
runs-on: ubuntu-latest
|
||||
if: ${{ github.repository == 'spring-projects/spring-security' }}
|
||||
permissions:
|
||||
contents: none
|
||||
steps:
|
||||
- name: Delete artifacts in cron job
|
||||
env:
|
||||
GH_ACTIONS_REPO_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
|
||||
run: |
|
||||
echo "Running clean build artifacts logic"
|
||||
output=$(curl -X GET -H "Authorization: token $GH_ACTIONS_REPO_TOKEN" https://api.github.com/repos/spring-projects/spring-security/actions/artifacts | grep '"id"' | cut -d : -f2 | sed 's/,*$//g')
|
||||
echo Output is $output
|
||||
for id in $output; do curl -X DELETE -H "Authorization: token $GH_ACTIONS_REPO_TOKEN" https://api.github.com/repos/spring-projects/spring-security/actions/artifacts/$id; done;
|
||||
@@ -1,314 +0,0 @@
|
||||
name: CI
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- '**'
|
||||
schedule:
|
||||
- cron: '0 10 * * *' # Once per day at 10am UTC
|
||||
workflow_dispatch: # Manual trigger
|
||||
|
||||
env:
|
||||
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
|
||||
GRADLE_ENTERPRISE_CACHE_USER: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USER }}
|
||||
GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
|
||||
GRADLE_ENTERPRISE_SECRET_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }}
|
||||
COMMIT_OWNER: ${{ github.event.pusher.name }}
|
||||
COMMIT_SHA: ${{ github.sha }}
|
||||
STRUCTURE101_LICENSEID: ${{ secrets.STRUCTURE101_LICENSEID }}
|
||||
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
|
||||
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
prerequisites:
|
||||
name: Pre-requisites for building
|
||||
runs-on: ubuntu-latest
|
||||
if: ${{ github.repository == 'spring-projects/spring-security' }}
|
||||
outputs:
|
||||
runjobs: ${{ steps.continue.outputs.runjobs }}
|
||||
project_version: ${{ steps.continue.outputs.project_version }}
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- id: continue
|
||||
name: Determine if should continue
|
||||
run: |
|
||||
# Run jobs if in upstream repository
|
||||
echo "runjobs=true" >>$GITHUB_OUTPUT
|
||||
# Extract version from gradle.properties
|
||||
version=$(cat gradle.properties | grep "version=" | awk -F'=' '{print $2}')
|
||||
echo "project_version=$version" >>$GITHUB_OUTPUT
|
||||
build_jdk_11:
|
||||
name: Build JDK 11
|
||||
needs: [prerequisites]
|
||||
strategy:
|
||||
matrix:
|
||||
os: [ubuntu-latest, windows-latest]
|
||||
runs-on: ${{ matrix.os }}
|
||||
if: needs.prerequisites.outputs.runjobs
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'adopt'
|
||||
cache: 'gradle'
|
||||
- name: Set up Gradle
|
||||
uses: gradle/gradle-build-action@v2
|
||||
- name: Set up gradle user name
|
||||
run: echo 'systemProp.user.name=spring-builds+github' >> gradle.properties
|
||||
- name: Build with Gradle
|
||||
env:
|
||||
GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USER }}
|
||||
GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
|
||||
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }}
|
||||
run: ./gradlew clean build --continue -PartifactoryUsername="$ARTIFACTORY_USERNAME" -PartifactoryPassword="$ARTIFACTORY_PASSWORD"
|
||||
snapshot_tests:
|
||||
name: Test against snapshots
|
||||
needs: [prerequisites]
|
||||
runs-on: ubuntu-latest
|
||||
if: needs.prerequisites.outputs.runjobs
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Set up gradle
|
||||
uses: spring-io/spring-gradle-build-action@v1
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'adopt'
|
||||
- name: Snapshot Tests
|
||||
run: |
|
||||
export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
|
||||
export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
|
||||
export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
|
||||
./gradlew test --refresh-dependencies -PartifactoryUsername="$ARTIFACTORY_USERNAME" -PartifactoryPassword="$ARTIFACTORY_PASSWORD" -PforceMavenRepositories=snapshot -PspringVersion='5.+' -PreactorVersion='20+' -PspringDataVersion='Neumann-BUILD-SNAPSHOT' -PrsocketVersion=1.1.0-SNAPSHOT -PspringBootVersion=2.4.0-SNAPSHOT -PlocksDisabled --stacktrace
|
||||
check_samples:
|
||||
name: Check Samples project
|
||||
needs: [prerequisites]
|
||||
runs-on: ubuntu-latest
|
||||
if: needs.prerequisites.outputs.runjobs
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Set up gradle
|
||||
uses: spring-io/spring-gradle-build-action@v1
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'adopt'
|
||||
- name: Check samples project
|
||||
env:
|
||||
LOCAL_REPOSITORY_PATH: ${{ github.workspace }}/build/publications/repos
|
||||
SAMPLES_DIR: ../spring-security-samples
|
||||
VERSION: ${{ needs.prerequisites.outputs.project_version }}
|
||||
run: |
|
||||
export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
|
||||
export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
|
||||
export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
|
||||
./gradlew publishMavenJavaPublicationToLocalRepository
|
||||
./gradlew cloneSamples -PcloneOutputDirectory="$SAMPLES_DIR"
|
||||
./gradlew --project-dir "$SAMPLES_DIR" --init-script spring-security-ci.gradle -PlocalRepositoryPath="$LOCAL_REPOSITORY_PATH" -PspringSecurityVersion="$VERSION" :runAllTests
|
||||
check_tangles:
|
||||
name: Check for Package Tangles
|
||||
needs: [ prerequisites ]
|
||||
runs-on: ubuntu-latest
|
||||
if: needs.prerequisites.outputs.runjobs
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Set up gradle
|
||||
uses: spring-io/spring-gradle-build-action@v1
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'adopt'
|
||||
- name: Check for package tangles
|
||||
run: |
|
||||
export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
|
||||
export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
|
||||
export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
|
||||
./gradlew check s101 -Ps101.licenseId="$STRUCTURE101_LICENSEID" --stacktrace
|
||||
deploy_artifacts:
|
||||
name: Deploy Artifacts
|
||||
needs: [build_jdk_11, snapshot_tests, check_samples, check_tangles]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Set up gradle
|
||||
uses: spring-io/spring-gradle-build-action@v1
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'adopt'
|
||||
- name: Deploy artifacts
|
||||
run: |
|
||||
export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
|
||||
export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
|
||||
export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
|
||||
./gradlew publishArtifacts finalizeDeployArtifacts -PossrhUsername="$OSSRH_TOKEN_USERNAME" -PossrhPassword="$OSSRH_TOKEN_PASSWORD" -PartifactoryUsername="$ARTIFACTORY_USERNAME" -PartifactoryPassword="$ARTIFACTORY_PASSWORD" --stacktrace
|
||||
env:
|
||||
ORG_GRADLE_PROJECT_signingKey: ${{ secrets.GPG_PRIVATE_KEY }}
|
||||
ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.GPG_PASSPHRASE }}
|
||||
OSSRH_TOKEN_USERNAME: ${{ secrets.OSSRH_S01_TOKEN_USERNAME }}
|
||||
OSSRH_TOKEN_PASSWORD: ${{ secrets.OSSRH_S01_TOKEN_PASSWORD }}
|
||||
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
|
||||
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
|
||||
deploy_docs:
|
||||
name: Deploy Docs
|
||||
needs: [build_jdk_11, snapshot_tests, check_samples, check_tangles]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Set up gradle
|
||||
uses: spring-io/spring-gradle-build-action@v1
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'adopt'
|
||||
- name: Deploy Docs
|
||||
run: |
|
||||
export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
|
||||
export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
|
||||
export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
|
||||
./gradlew deployDocs -PdeployDocsSshKey="$DOCS_SSH_KEY" -PdeployDocsSshUsername="$DOCS_USERNAME" -PdeployDocsHost="$DOCS_HOST" --stacktrace
|
||||
env:
|
||||
DOCS_USERNAME: ${{ secrets.DOCS_USERNAME }}
|
||||
DOCS_SSH_KEY: ${{ secrets.DOCS_SSH_KEY }}
|
||||
DOCS_HOST: ${{ secrets.DOCS_HOST }}
|
||||
deploy_schema:
|
||||
name: Deploy Schema
|
||||
needs: [build_jdk_11, snapshot_tests, check_samples, check_tangles]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Set up gradle
|
||||
uses: spring-io/spring-gradle-build-action@v1
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'adopt'
|
||||
- name: Deploy Schema
|
||||
run: |
|
||||
export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
|
||||
export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
|
||||
export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
|
||||
./gradlew deploySchema -PdeployDocsSshKey="$DOCS_SSH_KEY" -PdeployDocsSshUsername="$DOCS_USERNAME" -PdeployDocsHost="$DOCS_HOST" --stacktrace --info
|
||||
env:
|
||||
DOCS_USERNAME: ${{ secrets.DOCS_USERNAME }}
|
||||
DOCS_SSH_KEY: ${{ secrets.DOCS_SSH_KEY }}
|
||||
DOCS_HOST: ${{ secrets.DOCS_HOST }}
|
||||
perform_release:
|
||||
name: Perform release
|
||||
needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema]
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
timeout-minutes: 90
|
||||
if: ${{ !endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }}
|
||||
env:
|
||||
REPO: ${{ github.repository }}
|
||||
BRANCH: ${{ github.ref_name }}
|
||||
TOKEN: ${{ github.token }}
|
||||
VERSION: ${{ needs.prerequisites.outputs.project_version }}
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
|
||||
- name: Set up gradle
|
||||
uses: spring-io/spring-gradle-build-action@v1
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'adopt'
|
||||
- name: Wait for Artifactory Artifacts
|
||||
if: ${{ contains(needs.prerequisites.outputs.project_version, '-RC') || contains(needs.prerequisites.outputs.project_version, '-M') }}
|
||||
run: |
|
||||
echo "Wait for artifacts of $REPO@$VERSION to appear on Artifactory."
|
||||
until curl -f -s https://repo.spring.io/artifactory/milestone/org/springframework/security/spring-security-core/$VERSION/ > /dev/null
|
||||
do
|
||||
sleep 30
|
||||
echo "."
|
||||
done
|
||||
echo "Artifacts for $REPO@$VERSION have been released to Artifactory."
|
||||
- name: Wait for Maven Central Artifacts
|
||||
if: ${{ !contains(needs.prerequisites.outputs.project_version, '-RC') && !contains(needs.prerequisites.outputs.project_version, '-M') }}
|
||||
run: |
|
||||
echo "Wait for artifacts of $REPO@$VERSION to appear on Maven Central."
|
||||
until curl -f -s https://repo1.maven.org/maven2/org/springframework/security/spring-security-core/$VERSION/ > /dev/null
|
||||
do
|
||||
sleep 30
|
||||
echo "."
|
||||
done
|
||||
echo "Artifacts for $REPO@$VERSION have been released to Maven Central."
|
||||
- name: Create GitHub Release
|
||||
run: |
|
||||
export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
|
||||
export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
|
||||
export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
|
||||
echo "Tagging and publishing $REPO@$VERSION release on GitHub."
|
||||
./gradlew createGitHubRelease -PnextVersion=$VERSION -Pbranch=$BRANCH -PcreateRelease=true -PgitHubAccessToken=$TOKEN
|
||||
- name: Announce Release on Slack
|
||||
id: spring-security-announcing
|
||||
uses: slackapi/slack-github-action@v1.19.0
|
||||
with:
|
||||
payload: |
|
||||
{
|
||||
"text": "spring-security-announcing `${{ env.VERSION }}` is available now",
|
||||
"blocks": [
|
||||
{
|
||||
"type": "section",
|
||||
"text": {
|
||||
"type": "mrkdwn",
|
||||
"text": "spring-security-announcing `${{ env.VERSION }}` is available now"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
env:
|
||||
SLACK_WEBHOOK_URL: ${{ secrets.SPRING_RELEASE_SLACK_WEBHOOK_URL }}
|
||||
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
|
||||
- name: Setup git config
|
||||
run: |
|
||||
git config user.name 'github-actions[bot]'
|
||||
git config user.email 'github-actions[bot]@users.noreply.github.com'
|
||||
- name: Update to next Snapshot Version
|
||||
run: |
|
||||
export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
|
||||
export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
|
||||
export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
|
||||
echo "Updating $REPO@$VERSION to next snapshot version."
|
||||
./gradlew :updateToSnapshotVersion
|
||||
git commit -am "Next development version"
|
||||
git push
|
||||
perform_post_release:
|
||||
name: Perform post-release
|
||||
needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema]
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
issues: write
|
||||
timeout-minutes: 90
|
||||
if: ${{ endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }}
|
||||
env:
|
||||
TOKEN: ${{ github.token }}
|
||||
VERSION: ${{ needs.prerequisites.outputs.project_version }}
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Set up gradle
|
||||
uses: spring-io/spring-gradle-build-action@v1
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'adopt'
|
||||
- name: Schedule next release (if not already scheduled)
|
||||
run: ./gradlew scheduleNextRelease -PnextVersion=$VERSION -PgitHubAccessToken=$TOKEN
|
||||
notify_result:
|
||||
name: Check for failures
|
||||
needs: [perform_release, perform_post_release]
|
||||
if: failure()
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
steps:
|
||||
- name: Send Slack message
|
||||
# Workaround while waiting for Gamesight/slack-workflow-status#38 to be fixed
|
||||
# See https://github.com/Gamesight/slack-workflow-status/issues/38
|
||||
uses: sjohnr/slack-workflow-status@v1-beta
|
||||
with:
|
||||
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
|
||||
channel: '#spring-security-ci'
|
||||
name: 'CI Notifier'
|
||||
@@ -1,31 +0,0 @@
|
||||
name: Deploy Docs
|
||||
on:
|
||||
push:
|
||||
branches-ignore: [ gh-pages ]
|
||||
tags: '**'
|
||||
repository_dispatch:
|
||||
types: request-build-reference # legacy
|
||||
schedule:
|
||||
- cron: '0 10 * * *' # Once per day at 10am UTC
|
||||
workflow_dispatch:
|
||||
permissions: read-all
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
if: github.repository_owner == 'spring-projects'
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
with:
|
||||
ref: docs-build
|
||||
fetch-depth: 1
|
||||
- name: Dispatch (partial build)
|
||||
if: github.ref_type == 'branch'
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
|
||||
run: gh workflow run deploy-docs.yml -r $(git rev-parse --abbrev-ref HEAD) -f build-refname=${{ github.ref_name }}
|
||||
- name: Dispatch (full build)
|
||||
if: github.ref_type == 'tag'
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
|
||||
run: gh workflow run deploy-docs.yml -r $(git rev-parse --abbrev-ref HEAD)
|
||||
@@ -1,40 +0,0 @@
|
||||
name: Check Milestone
|
||||
on:
|
||||
milestone:
|
||||
types: [created, opened, edited]
|
||||
env:
|
||||
DUE_ON: ${{ github.event.milestone.due_on }}
|
||||
TITLE: ${{ github.event.milestone.title }}
|
||||
permissions:
|
||||
contents: read
|
||||
jobs:
|
||||
spring-releasetrain-checks:
|
||||
name: Check DueOn is on a Release Date
|
||||
runs-on: ubuntu-latest
|
||||
if: ${{ github.repository == 'spring-projects/spring-security' }}
|
||||
permissions:
|
||||
contents: none
|
||||
steps:
|
||||
- name: Print Milestone Being Checked
|
||||
run: echo "Validating DueOn '$DUE_ON' for milestone '$TITLE'"
|
||||
- name: Validate DueOn
|
||||
if: env.DUE_ON != ''
|
||||
run: |
|
||||
export TOOL_VERSION=0.1.1
|
||||
wget "https://repo.maven.apache.org/maven2/io/spring/releasetrain/spring-release-train-tools/$TOOL_VERSION/spring-release-train-tools-$TOOL_VERSION.jar"
|
||||
java -cp "spring-release-train-tools-$TOOL_VERSION.jar" io.spring.releasetrain.CheckMilestoneDueOnMain --dueOn "$DUE_ON" --expectedDayOfWeek MONDAY --expectedMondayCount 3
|
||||
notify_result:
|
||||
name: Check for failures
|
||||
needs: [spring-releasetrain-checks]
|
||||
if: failure()
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
steps:
|
||||
- name: Send Slack message
|
||||
uses: Gamesight/slack-workflow-status@v1.0.1
|
||||
with:
|
||||
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
|
||||
channel: '#spring-security-ci'
|
||||
name: 'CI Notifier'
|
||||
@@ -1,21 +0,0 @@
|
||||
name: PR Build
|
||||
|
||||
on: pull_request
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-latest
|
||||
if: ${{ github.repository == 'spring-projects/spring-security' }}
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Set up gradle
|
||||
uses: spring-io/spring-gradle-build-action@v1
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'adopt'
|
||||
- name: Build with Gradle
|
||||
run: ./gradlew clean build --continue --scan
|
||||
@@ -1,80 +0,0 @@
|
||||
name: Update Scheduled Release Version
|
||||
|
||||
on:
|
||||
workflow_dispatch: # Manual trigger only. Triggered by release-scheduler.yml on main.
|
||||
|
||||
env:
|
||||
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
|
||||
GRADLE_ENTERPRISE_CACHE_USER: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USER }}
|
||||
GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
|
||||
GRADLE_ENTERPRISE_SECRET_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
update_scheduled_release_version:
|
||||
name: Initiate Release If Scheduled
|
||||
if: ${{ github.repository == 'spring-projects/spring-security' }}
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
actions: read
|
||||
steps:
|
||||
- id: checkout-source
|
||||
name: Checkout Source Code
|
||||
uses: actions/checkout@v3
|
||||
with:
|
||||
token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
|
||||
- name: Set up gradle
|
||||
uses: spring-io/spring-gradle-build-action@v1
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'adopt'
|
||||
- id: check-release-due
|
||||
name: Check Release Due
|
||||
run: |
|
||||
export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
|
||||
export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
|
||||
export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
|
||||
./gradlew gitHubCheckNextVersionDueToday
|
||||
echo "is_due_today=$(cat build/github/milestones/is-due-today)" >>$GITHUB_OUTPUT
|
||||
- id: check-open-issues
|
||||
name: Check for open issues
|
||||
if: steps.check-release-due.outputs.is_due_today == 'true'
|
||||
run: |
|
||||
export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
|
||||
export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
|
||||
export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
|
||||
./gradlew gitHubCheckMilestoneHasNoOpenIssues
|
||||
echo "is_open_issues=$(cat build/github/milestones/is-open-issues)" >>$GITHUB_OUTPUT
|
||||
- id: validate-release-state
|
||||
name: Validate State of Release
|
||||
if: steps.check-release-due.outputs.is_due_today == 'true' && steps.check-open-issues.outputs.is_open_issues == 'true'
|
||||
run: |
|
||||
echo "The release is due today but there are open issues"
|
||||
exit 1
|
||||
- id: update-version-and-push
|
||||
name: Update version and push
|
||||
if: steps.check-release-due.outputs.is_due_today == 'true' && steps.check-open-issues.outputs.is_open_issues == 'false'
|
||||
run: |
|
||||
export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
|
||||
export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
|
||||
export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
|
||||
git config user.name 'github-actions[bot]'
|
||||
git config user.email 'github-actions[bot]@users.noreply.github.com'
|
||||
./gradlew :updateProjectVersion
|
||||
updatedVersion=$(cat gradle.properties | grep "version=" | awk -F'=' '{print $2}')
|
||||
git commit -am "Release $updatedVersion"
|
||||
git tag $updatedVersion
|
||||
git push
|
||||
git push origin $updatedVersion
|
||||
- id: send-slack-notification
|
||||
name: Send Slack message
|
||||
if: failure()
|
||||
uses: Gamesight/slack-workflow-status@v1.0.1
|
||||
with:
|
||||
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
|
||||
channel: '#spring-security-ci'
|
||||
name: 'CI Notifier'
|
||||
@@ -28,3 +28,5 @@ s101plugin.state
|
||||
|
||||
!.idea/checkstyle-idea.xml
|
||||
!.idea/externalDependencies.xml
|
||||
|
||||
node_modules
|
||||
|
||||
@@ -4,6 +4,7 @@ import org.gradle.api.Plugin
|
||||
import org.gradle.api.Project
|
||||
import org.gradle.api.plugins.JavaPlugin
|
||||
import org.gradle.api.tasks.bundling.Zip
|
||||
import org.springframework.gradle.xsd.CreateVersionlessXsdTask
|
||||
|
||||
public class SchemaZipPlugin implements Plugin<Project> {
|
||||
|
||||
@@ -15,7 +16,10 @@ public class SchemaZipPlugin implements Plugin<Project> {
|
||||
schemaZip.archiveClassifier = 'schema'
|
||||
schemaZip.description = "Builds -${schemaZip.archiveClassifier} archive containing all " +
|
||||
"XSDs for deployment at static.springframework.org/schema."
|
||||
|
||||
def versionlessXsd = project.tasks.create("versionlessXsd", CreateVersionlessXsdTask) {
|
||||
description = "Generates spring-security.xsd"
|
||||
versionlessXsdFile = project.layout.buildDirectory.file("versionlessXsd/spring-security.xsd")
|
||||
}
|
||||
project.rootProject.subprojects.each { module ->
|
||||
|
||||
module.getPlugins().withType(JavaPlugin.class).all {
|
||||
@@ -36,17 +40,14 @@ public class SchemaZipPlugin implements Plugin<Project> {
|
||||
duplicatesStrategy 'exclude'
|
||||
from xsdFile.path
|
||||
}
|
||||
}
|
||||
File symlink = module.sourceSets.main.resources.find {
|
||||
it.path.endsWith('org/springframework/security/config/spring-security.xsd')
|
||||
}
|
||||
if (symlink != null) {
|
||||
schemaZip.into('security') {
|
||||
duplicatesStrategy 'exclude'
|
||||
from symlink.path
|
||||
}
|
||||
versionlessXsd.getInputFiles().from(xsdFile.path)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
schemaZip.into("security") {
|
||||
from(versionlessXsd.getOutputs())
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,147 @@
|
||||
/*
|
||||
* Copyright 2019-2023 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.gradle.xsd;
|
||||
|
||||
import org.gradle.api.DefaultTask;
|
||||
import org.gradle.api.file.ConfigurableFileCollection;
|
||||
import org.gradle.api.file.RegularFileProperty;
|
||||
import org.gradle.api.tasks.*;
|
||||
import org.gradle.work.DisableCachingByDefault;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.StandardCopyOption;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
/**
|
||||
* Creates the spring-security.xsd automatically
|
||||
*
|
||||
* @author Rob Winch
|
||||
*/
|
||||
@DisableCachingByDefault(because = "not worth it")
|
||||
public abstract class CreateVersionlessXsdTask extends DefaultTask {
|
||||
|
||||
@InputFiles
|
||||
public abstract ConfigurableFileCollection getInputFiles();
|
||||
|
||||
@OutputFile
|
||||
abstract RegularFileProperty getVersionlessXsdFile();
|
||||
|
||||
@TaskAction
|
||||
void createVersionlessXsd() throws IOException {
|
||||
XsdFileMajorMinorVersion largest = null;
|
||||
ConfigurableFileCollection inputFiles = getInputFiles();
|
||||
if (inputFiles.isEmpty()) {
|
||||
throw new IllegalStateException("No Inputs configured");
|
||||
}
|
||||
for (File file : inputFiles) {
|
||||
XsdFileMajorMinorVersion current = XsdFileMajorMinorVersion.create(file);
|
||||
if (current == null) {
|
||||
continue;
|
||||
}
|
||||
if (largest == null) {
|
||||
largest = current;
|
||||
}
|
||||
else if (current.getVersion().isGreaterThan(largest.getVersion())) {
|
||||
largest = current;
|
||||
}
|
||||
}
|
||||
if (largest == null) {
|
||||
throw new IllegalStateException("Could not create versionless xsd file because no files matching spring-security-<digit>.xsd were found in " + inputFiles.getFiles());
|
||||
}
|
||||
Path to = getVersionlessXsdFile().getAsFile().get().toPath();
|
||||
Path from = largest.getFile().toPath();
|
||||
Files.copy(from, to, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.COPY_ATTRIBUTES);
|
||||
}
|
||||
|
||||
static class XsdFileMajorMinorVersion {
|
||||
private final File file;
|
||||
|
||||
private final MajorMinorVersion version;
|
||||
|
||||
private XsdFileMajorMinorVersion(File file, MajorMinorVersion version) {
|
||||
this.file = file;
|
||||
this.version = version;
|
||||
}
|
||||
|
||||
private static final Pattern FILE_MAJOR_MINOR_VERSION_PATTERN = Pattern.compile("^spring-security-(\\d+)\\.(\\d+)\\.xsd$");
|
||||
|
||||
/**
|
||||
* If matches xsd with major minor version (e.g. spring-security-5.1.xsd returns it, otherwise null
|
||||
* @param file
|
||||
* @return
|
||||
*/
|
||||
static XsdFileMajorMinorVersion create(File file) {
|
||||
String fileName = file.getName();
|
||||
Matcher matcher = FILE_MAJOR_MINOR_VERSION_PATTERN.matcher(fileName);
|
||||
if (!matcher.find()) {
|
||||
return null;
|
||||
}
|
||||
int major = Integer.parseInt(matcher.group(1));
|
||||
int minor = Integer.parseInt(matcher.group(2));
|
||||
MajorMinorVersion version = new MajorMinorVersion(major, minor);
|
||||
return new XsdFileMajorMinorVersion(file, version);
|
||||
}
|
||||
|
||||
public File getFile() {
|
||||
return file;
|
||||
}
|
||||
|
||||
public MajorMinorVersion getVersion() {
|
||||
return version;
|
||||
}
|
||||
}
|
||||
|
||||
static class MajorMinorVersion {
|
||||
private final int major;
|
||||
|
||||
private final int minor;
|
||||
|
||||
MajorMinorVersion(int major, int minor) {
|
||||
this.major = major;
|
||||
this.minor = minor;
|
||||
}
|
||||
|
||||
public int getMajor() {
|
||||
return major;
|
||||
}
|
||||
|
||||
public int getMinor() {
|
||||
return minor;
|
||||
}
|
||||
|
||||
public boolean isGreaterThan(MajorMinorVersion version) {
|
||||
if (getMajor() > version.getMajor()) {
|
||||
return true;
|
||||
}
|
||||
if (getMajor() < version.getMajor()) {
|
||||
return false;
|
||||
}
|
||||
if (getMinor() > version.getMinor()) {
|
||||
return true;
|
||||
}
|
||||
if (getMinor() < version.getMinor()) {
|
||||
return false;
|
||||
}
|
||||
// they are equal
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
+94
@@ -0,0 +1,94 @@
|
||||
/*
|
||||
* Copyright 2019-2023 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.gradle.xsd;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.springframework.gradle.xsd.CreateVersionlessXsdTask.MajorMinorVersion;
|
||||
import org.springframework.gradle.xsd.CreateVersionlessXsdTask.XsdFileMajorMinorVersion;
|
||||
|
||||
import java.io.File;
|
||||
|
||||
import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*/
|
||||
class CreateVersionlessXsdTaskTests {
|
||||
|
||||
@Test
|
||||
void xsdCreateWhenValid() {
|
||||
File file = new File("spring-security-2.0.xsd");
|
||||
XsdFileMajorMinorVersion xsdFile = XsdFileMajorMinorVersion.create(file);
|
||||
assertThat(xsdFile).isNotNull();
|
||||
assertThat(xsdFile.getFile()).isEqualTo(file);
|
||||
assertThat(xsdFile.getVersion().getMajor()).isEqualTo(2);
|
||||
assertThat(xsdFile.getVersion().getMinor()).isEqualTo(0);
|
||||
}
|
||||
|
||||
@Test
|
||||
void xsdCreateWhenPatchReleaseThenNull() {
|
||||
File file = new File("spring-security-2.0.1.xsd");
|
||||
XsdFileMajorMinorVersion xsdFile = XsdFileMajorMinorVersion.create(file);
|
||||
assertThat(xsdFile).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
void xsdCreateWhenNotXsdFileThenNull() {
|
||||
File file = new File("spring-security-2.0.txt");
|
||||
XsdFileMajorMinorVersion xsdFile = XsdFileMajorMinorVersion.create(file);
|
||||
assertThat(xsdFile).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
void xsdCreateWhenNotStartWithSpringSecurityThenNull() {
|
||||
File file = new File("spring-securityNO-2.0.xsd");
|
||||
XsdFileMajorMinorVersion xsdFile = XsdFileMajorMinorVersion.create(file);
|
||||
assertThat(xsdFile).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
void isGreaterWhenMajorLarger() {
|
||||
MajorMinorVersion larger = new MajorMinorVersion(2,0);
|
||||
MajorMinorVersion smaller = new MajorMinorVersion(1,0);
|
||||
assertThat(larger.isGreaterThan(smaller)).isTrue();
|
||||
assertThat(smaller.isGreaterThan(larger)).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
void isGreaterWhenMinorLarger() {
|
||||
MajorMinorVersion larger = new MajorMinorVersion(1,1);
|
||||
MajorMinorVersion smaller = new MajorMinorVersion(1,0);
|
||||
assertThat(larger.isGreaterThan(smaller)).isTrue();
|
||||
assertThat(smaller.isGreaterThan(larger)).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
void isGreaterWhenMajorAndMinorLarger() {
|
||||
MajorMinorVersion larger = new MajorMinorVersion(2,1);
|
||||
MajorMinorVersion smaller = new MajorMinorVersion(1,0);
|
||||
assertThat(larger.isGreaterThan(smaller)).isTrue();
|
||||
assertThat(smaller.isGreaterThan(larger)).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
void isGreaterWhenSame() {
|
||||
MajorMinorVersion first = new MajorMinorVersion(1,0);
|
||||
MajorMinorVersion second = new MajorMinorVersion(1,0);
|
||||
assertThat(first.isGreaterThan(second)).isFalse();
|
||||
assertThat(second.isGreaterThan(first)).isFalse();
|
||||
}
|
||||
}
|
||||
+3
-1
@@ -18,6 +18,7 @@ package org.springframework.security.cas.userdetails;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
|
||||
import org.jasig.cas.client.validation.Assertion;
|
||||
|
||||
@@ -73,7 +74,8 @@ public final class GrantedAuthorityFromAssertionAttributesUserDetailsService
|
||||
}
|
||||
|
||||
private SimpleGrantedAuthority createSimpleGrantedAuthority(Object o) {
|
||||
return new SimpleGrantedAuthority(this.convertToUpperCase ? o.toString().toUpperCase() : o.toString());
|
||||
return new SimpleGrantedAuthority(
|
||||
this.convertToUpperCase ? o.toString().toUpperCase(Locale.ROOT) : o.toString());
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
|
||||
import org.springframework.gradle.xsd.CreateVersionlessXsdTask
|
||||
|
||||
apply plugin: 'io.spring.convention.spring-module'
|
||||
apply plugin: 'trang'
|
||||
@@ -113,6 +114,16 @@ dependencies {
|
||||
testRuntimeOnly 'org.hsqldb:hsqldb'
|
||||
}
|
||||
|
||||
def versionlessXsd = project.tasks.create("versionlessXsd", CreateVersionlessXsdTask) {
|
||||
inputFiles.from(project.sourceSets.main.resources)
|
||||
versionlessXsdFile = project.layout.buildDirectory.file("versionlessXsd/spring-security.xsd")
|
||||
}
|
||||
|
||||
processResources {
|
||||
from(versionlessXsd) {
|
||||
into 'org/springframework/security/config/'
|
||||
}
|
||||
}
|
||||
|
||||
rncToXsd {
|
||||
rncDir = file('src/main/resources/org/springframework/security/config/')
|
||||
|
||||
+9
-2
@@ -19,6 +19,7 @@ package org.springframework.security.config.annotation.web.reactive;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
import org.springframework.beans.factory.ObjectProvider;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
|
||||
import org.springframework.context.ApplicationContext;
|
||||
@@ -30,6 +31,8 @@ import org.springframework.security.config.web.server.ServerHttpSecurity;
|
||||
import org.springframework.security.web.reactive.result.view.CsrfRequestDataValueProcessor;
|
||||
import org.springframework.security.web.server.SecurityWebFilterChain;
|
||||
import org.springframework.security.web.server.WebFilterChainProxy;
|
||||
import org.springframework.security.web.server.firewall.ServerExchangeRejectedHandler;
|
||||
import org.springframework.security.web.server.firewall.ServerWebExchangeFirewall;
|
||||
import org.springframework.util.ClassUtils;
|
||||
import org.springframework.util.ObjectUtils;
|
||||
import org.springframework.web.reactive.result.view.AbstractView;
|
||||
@@ -65,8 +68,12 @@ class WebFluxSecurityConfiguration {
|
||||
|
||||
@Bean(SPRING_SECURITY_WEBFILTERCHAINFILTER_BEAN_NAME)
|
||||
@Order(WEB_FILTER_CHAIN_FILTER_ORDER)
|
||||
WebFilterChainProxy springSecurityWebFilterChainFilter() {
|
||||
return new WebFilterChainProxy(getSecurityWebFilterChains());
|
||||
WebFilterChainProxy springSecurityWebFilterChainFilter(ObjectProvider<ServerWebExchangeFirewall> firewall,
|
||||
ObjectProvider<ServerExchangeRejectedHandler> rejectedHandler) {
|
||||
WebFilterChainProxy webFilterChainProxy = new WebFilterChainProxy(getSecurityWebFilterChains());
|
||||
firewall.ifUnique(webFilterChainProxy::setFirewall);
|
||||
rejectedHandler.ifUnique(webFilterChainProxy::setExchangeRejectedHandler);
|
||||
return webFilterChainProxy;
|
||||
}
|
||||
|
||||
@Bean(name = AbstractView.REQUEST_DATA_VALUE_PROCESSOR_BEAN_NAME)
|
||||
|
||||
+3
-2
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -18,6 +18,7 @@ package org.springframework.security.config.http;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
|
||||
import javax.servlet.ServletRequest;
|
||||
|
||||
@@ -286,7 +287,7 @@ class HttpConfigurationBuilder {
|
||||
|
||||
// Needed to account for placeholders
|
||||
static String createPath(String path, boolean lowerCase) {
|
||||
return lowerCase ? path.toLowerCase() : path;
|
||||
return lowerCase ? path.toLowerCase(Locale.ENGLISH) : path;
|
||||
}
|
||||
|
||||
BeanReference getSecurityContextRepositoryForAuthenticationFilters() {
|
||||
|
||||
@@ -1 +0,0 @@
|
||||
spring-security-5.7.xsd
|
||||
+72
@@ -16,14 +16,26 @@
|
||||
|
||||
package org.springframework.security.config.annotation.web.reactive;
|
||||
|
||||
import java.util.Collections;
|
||||
|
||||
import org.jetbrains.annotations.NotNull;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
|
||||
import org.springframework.mock.web.server.MockServerWebExchange;
|
||||
import org.springframework.security.config.test.SpringTestContext;
|
||||
import org.springframework.security.config.test.SpringTestContextExtension;
|
||||
import org.springframework.security.config.users.ReactiveAuthenticationTestConfiguration;
|
||||
import org.springframework.security.web.server.WebFilterChainProxy;
|
||||
import org.springframework.security.web.server.firewall.HttpStatusExchangeRejectedHandler;
|
||||
import org.springframework.security.web.server.firewall.ServerExchangeRejectedHandler;
|
||||
import org.springframework.security.web.server.firewall.ServerWebExchangeFirewall;
|
||||
import org.springframework.web.server.handler.DefaultWebFilterChain;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
@@ -45,6 +57,40 @@ public class WebFluxSecurityConfigurationTests {
|
||||
assertThat(webFilterChainProxy).isNotNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
void loadConfigWhenDefaultThenFirewalled() throws Exception {
|
||||
this.spring.register(ServerHttpSecurityConfiguration.class, ReactiveAuthenticationTestConfiguration.class,
|
||||
WebFluxSecurityConfiguration.class).autowire();
|
||||
WebFilterChainProxy webFilterChainProxy = this.spring.getContext().getBean(WebFilterChainProxy.class);
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/;/").build());
|
||||
DefaultWebFilterChain chain = emptyChain();
|
||||
webFilterChainProxy.filter(exchange, chain).block();
|
||||
assertThat(exchange.getResponse().getStatusCode()).isEqualTo(HttpStatus.BAD_REQUEST);
|
||||
}
|
||||
|
||||
@Test
|
||||
void loadConfigWhenCustomRejectedHandler() throws Exception {
|
||||
this.spring.register(ServerHttpSecurityConfiguration.class, ReactiveAuthenticationTestConfiguration.class,
|
||||
WebFluxSecurityConfiguration.class, CustomServerExchangeRejectedHandlerConfig.class).autowire();
|
||||
WebFilterChainProxy webFilterChainProxy = this.spring.getContext().getBean(WebFilterChainProxy.class);
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/;/").build());
|
||||
DefaultWebFilterChain chain = emptyChain();
|
||||
webFilterChainProxy.filter(exchange, chain).block();
|
||||
assertThat(exchange.getResponse().getStatusCode())
|
||||
.isEqualTo(CustomServerExchangeRejectedHandlerConfig.EXPECTED_STATUS);
|
||||
}
|
||||
|
||||
@Test
|
||||
void loadConfigWhenFirewallBeanThenCustomized() throws Exception {
|
||||
this.spring.register(ServerHttpSecurityConfiguration.class, ReactiveAuthenticationTestConfiguration.class,
|
||||
WebFluxSecurityConfiguration.class, NoOpFirewallConfig.class).autowire();
|
||||
WebFilterChainProxy webFilterChainProxy = this.spring.getContext().getBean(WebFilterChainProxy.class);
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/;/").build());
|
||||
DefaultWebFilterChain chain = emptyChain();
|
||||
webFilterChainProxy.filter(exchange, chain).block();
|
||||
assertThat(exchange.getResponse().getStatusCode()).isNotEqualTo(HttpStatus.BAD_REQUEST);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loadConfigWhenBeanProxyingEnabledAndSubclassThenWebFilterChainProxyExists() {
|
||||
this.spring.register(ServerHttpSecurityConfiguration.class, ReactiveAuthenticationTestConfiguration.class,
|
||||
@@ -53,6 +99,32 @@ public class WebFluxSecurityConfigurationTests {
|
||||
assertThat(webFilterChainProxy).isNotNull();
|
||||
}
|
||||
|
||||
private static @NotNull DefaultWebFilterChain emptyChain() {
|
||||
return new DefaultWebFilterChain((webExchange) -> Mono.empty(), Collections.emptyList());
|
||||
}
|
||||
|
||||
@Configuration
|
||||
static class NoOpFirewallConfig {
|
||||
|
||||
@Bean
|
||||
ServerWebExchangeFirewall noOpFirewall() {
|
||||
return ServerWebExchangeFirewall.INSECURE_NOOP;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
static class CustomServerExchangeRejectedHandlerConfig {
|
||||
|
||||
static HttpStatus EXPECTED_STATUS = HttpStatus.I_AM_A_TEAPOT;
|
||||
|
||||
@Bean
|
||||
ServerExchangeRejectedHandler rejectedHandler() {
|
||||
return new HttpStatusExchangeRejectedHandler(EXPECTED_STATUS);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
static class SubclassConfig extends WebFluxSecurityConfiguration {
|
||||
|
||||
|
||||
@@ -57,7 +57,7 @@ public class AuthenticatedVoter implements AccessDecisionVoter<Object> {
|
||||
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
|
||||
|
||||
private boolean isFullyAuthenticated(Authentication authentication) {
|
||||
return (!this.authenticationTrustResolver.isAnonymous(authentication)
|
||||
return authentication != null && (!this.authenticationTrustResolver.isAnonymous(authentication)
|
||||
&& !this.authenticationTrustResolver.isRememberMe(authentication));
|
||||
}
|
||||
|
||||
|
||||
+3
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -79,10 +79,10 @@ public class SimpleAttributes2GrantedAuthoritiesMapper
|
||||
*/
|
||||
private GrantedAuthority getGrantedAuthority(String attribute) {
|
||||
if (isConvertAttributeToLowerCase()) {
|
||||
attribute = attribute.toLowerCase(Locale.getDefault());
|
||||
attribute = attribute.toLowerCase(Locale.ROOT);
|
||||
}
|
||||
else if (isConvertAttributeToUpperCase()) {
|
||||
attribute = attribute.toUpperCase(Locale.getDefault());
|
||||
attribute = attribute.toUpperCase(Locale.ROOT);
|
||||
}
|
||||
if (isAddPrefixIfAlreadyExisting() || !attribute.startsWith(getAttributePrefix())) {
|
||||
return new SimpleGrantedAuthority(getAttributePrefix() + attribute);
|
||||
|
||||
+4
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -18,6 +18,7 @@ package org.springframework.security.core.authority.mapping;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.HashSet;
|
||||
import java.util.Locale;
|
||||
import java.util.Set;
|
||||
|
||||
import org.springframework.beans.factory.InitializingBean;
|
||||
@@ -71,10 +72,10 @@ public final class SimpleAuthorityMapper implements GrantedAuthoritiesMapper, In
|
||||
|
||||
private GrantedAuthority mapAuthority(String name) {
|
||||
if (this.convertToUpperCase) {
|
||||
name = name.toUpperCase();
|
||||
name = name.toUpperCase(Locale.ROOT);
|
||||
}
|
||||
else if (this.convertToLowerCase) {
|
||||
name = name.toLowerCase();
|
||||
name = name.toLowerCase(Locale.ROOT);
|
||||
}
|
||||
if (this.prefix.length() > 0 && !name.startsWith(this.prefix)) {
|
||||
name = this.prefix + name;
|
||||
|
||||
+3
-2
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -18,6 +18,7 @@ package org.springframework.security.core.userdetails;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.ConcurrentHashMap;
|
||||
|
||||
@@ -91,7 +92,7 @@ public class MapReactiveUserDetailsService implements ReactiveUserDetailsService
|
||||
}
|
||||
|
||||
private String getKey(String username) {
|
||||
return username.toLowerCase();
|
||||
return username.toLowerCase(Locale.ROOT);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
+3
-2
@@ -19,6 +19,7 @@ package org.springframework.security.core.userdetails.memory;
|
||||
import java.beans.PropertyEditorSupport;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
|
||||
import org.springframework.util.StringUtils;
|
||||
|
||||
@@ -45,10 +46,10 @@ public class UserAttributeEditor extends PropertyEditorSupport {
|
||||
userAttrib.setPassword(currentToken);
|
||||
}
|
||||
else {
|
||||
if (currentToken.toLowerCase().equals("enabled")) {
|
||||
if (currentToken.toLowerCase(Locale.ENGLISH).equals("enabled")) {
|
||||
userAttrib.setEnabled(true);
|
||||
}
|
||||
else if (currentToken.toLowerCase().equals("disabled")) {
|
||||
else if (currentToken.toLowerCase(Locale.ENGLISH).equals("disabled")) {
|
||||
userAttrib.setEnabled(false);
|
||||
}
|
||||
else {
|
||||
|
||||
+8
-7
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -19,6 +19,7 @@ package org.springframework.security.provisioning;
|
||||
import java.util.Collection;
|
||||
import java.util.Enumeration;
|
||||
import java.util.HashMap;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
import java.util.Properties;
|
||||
|
||||
@@ -92,23 +93,23 @@ public class InMemoryUserDetailsManager implements UserDetailsManager, UserDetai
|
||||
@Override
|
||||
public void createUser(UserDetails user) {
|
||||
Assert.isTrue(!userExists(user.getUsername()), "user should not exist");
|
||||
this.users.put(user.getUsername().toLowerCase(), new MutableUser(user));
|
||||
this.users.put(user.getUsername().toLowerCase(Locale.ROOT), new MutableUser(user));
|
||||
}
|
||||
|
||||
@Override
|
||||
public void deleteUser(String username) {
|
||||
this.users.remove(username.toLowerCase());
|
||||
this.users.remove(username.toLowerCase(Locale.ROOT));
|
||||
}
|
||||
|
||||
@Override
|
||||
public void updateUser(UserDetails user) {
|
||||
Assert.isTrue(userExists(user.getUsername()), "user should exist");
|
||||
this.users.put(user.getUsername().toLowerCase(), new MutableUser(user));
|
||||
this.users.put(user.getUsername().toLowerCase(Locale.ROOT), new MutableUser(user));
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean userExists(String username) {
|
||||
return this.users.containsKey(username.toLowerCase());
|
||||
return this.users.containsKey(username.toLowerCase(Locale.ROOT));
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -139,14 +140,14 @@ public class InMemoryUserDetailsManager implements UserDetailsManager, UserDetai
|
||||
@Override
|
||||
public UserDetails updatePassword(UserDetails user, String newPassword) {
|
||||
String username = user.getUsername();
|
||||
MutableUserDetails mutableUser = this.users.get(username.toLowerCase());
|
||||
MutableUserDetails mutableUser = this.users.get(username.toLowerCase(Locale.ROOT));
|
||||
mutableUser.setPassword(newPassword);
|
||||
return mutableUser;
|
||||
}
|
||||
|
||||
@Override
|
||||
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
|
||||
UserDetails user = this.users.get(username.toLowerCase());
|
||||
UserDetails user = this.users.get(username.toLowerCase(Locale.ROOT));
|
||||
if (user == null) {
|
||||
throw new UsernameNotFoundException(username);
|
||||
}
|
||||
|
||||
+3
@@ -59,6 +59,7 @@ public class AuthenticatedVoterTests {
|
||||
assertThat(AccessDecisionVoter.ACCESS_GRANTED).isEqualTo(voter.vote(createAnonymous(), null, def));
|
||||
assertThat(AccessDecisionVoter.ACCESS_GRANTED).isEqualTo(voter.vote(createRememberMe(), null, def));
|
||||
assertThat(AccessDecisionVoter.ACCESS_GRANTED).isEqualTo(voter.vote(createFullyAuthenticated(), null, def));
|
||||
assertThat(AccessDecisionVoter.ACCESS_DENIED).isEqualTo(voter.vote(null, null, def));
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -68,6 +69,7 @@ public class AuthenticatedVoterTests {
|
||||
assertThat(AccessDecisionVoter.ACCESS_DENIED).isEqualTo(voter.vote(createAnonymous(), null, def));
|
||||
assertThat(AccessDecisionVoter.ACCESS_DENIED).isEqualTo(voter.vote(createRememberMe(), null, def));
|
||||
assertThat(AccessDecisionVoter.ACCESS_GRANTED).isEqualTo(voter.vote(createFullyAuthenticated(), null, def));
|
||||
assertThat(AccessDecisionVoter.ACCESS_DENIED).isEqualTo(voter.vote(null, null, def));
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -77,6 +79,7 @@ public class AuthenticatedVoterTests {
|
||||
assertThat(AccessDecisionVoter.ACCESS_DENIED).isEqualTo(voter.vote(createAnonymous(), null, def));
|
||||
assertThat(AccessDecisionVoter.ACCESS_GRANTED).isEqualTo(voter.vote(createRememberMe(), null, def));
|
||||
assertThat(AccessDecisionVoter.ACCESS_GRANTED).isEqualTo(voter.vote(createFullyAuthenticated(), null, def));
|
||||
assertThat(AccessDecisionVoter.ACCESS_DENIED).isEqualTo(voter.vote(null, null, def));
|
||||
}
|
||||
|
||||
@Test
|
||||
|
||||
+4
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -18,6 +18,7 @@ package org.springframework.security.crypto.password;
|
||||
|
||||
import java.security.MessageDigest;
|
||||
import java.util.Base64;
|
||||
import java.util.Locale;
|
||||
|
||||
import org.springframework.security.crypto.codec.Utf8;
|
||||
import org.springframework.security.crypto.keygen.BytesKeyGenerator;
|
||||
@@ -50,11 +51,11 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
|
||||
|
||||
private static final String SSHA_PREFIX = "{SSHA}";
|
||||
|
||||
private static final String SSHA_PREFIX_LC = SSHA_PREFIX.toLowerCase();
|
||||
private static final String SSHA_PREFIX_LC = SSHA_PREFIX.toLowerCase(Locale.ENGLISH);
|
||||
|
||||
private static final String SHA_PREFIX = "{SHA}";
|
||||
|
||||
private static final String SHA_PREFIX_LC = SHA_PREFIX.toLowerCase();
|
||||
private static final String SHA_PREFIX_LC = SHA_PREFIX.toLowerCase(Locale.ENGLISH);
|
||||
|
||||
private BytesKeyGenerator saltGenerator;
|
||||
|
||||
|
||||
@@ -0,0 +1,37 @@
|
||||
antora:
|
||||
extensions:
|
||||
- require: '@springio/antora-extensions'
|
||||
root_component_name: 'security'
|
||||
site:
|
||||
title: Spring Security
|
||||
url: https://docs.spring.io/spring-security/reference
|
||||
robots: allow
|
||||
git:
|
||||
ensure_git_suffix: false
|
||||
content:
|
||||
sources:
|
||||
- url: https://github.com/spring-projects/spring-security
|
||||
branches: [main, '5.{{6..9},{1..9}+({0..9})}.x', '6.+({0..9}).x']
|
||||
tags: ['5.{{6..9},{1..9}+({0..9})}.{0..99}?(-RC+({0..9}))', '6.+({0..9}).+({0..9})?(-{RC,M}*)','!(5.6.{0..10}*)', '!(5.7.{0..8}*)', '!(5.8.{0..3}?({-RC,-M}+({0..9})))','!(6.0.{0..3}*)','!(6.1.0*)']
|
||||
start_path: docs
|
||||
asciidoc:
|
||||
attributes:
|
||||
page-stackoverflow-url: https://stackoverflow.com/tags/spring-security
|
||||
page-related-doc-categories: security
|
||||
page-related-doc-projects: framework,graphql
|
||||
hide-uri-scheme: '@'
|
||||
tabs-sync-option: '@'
|
||||
extensions:
|
||||
- '@asciidoctor/tabs'
|
||||
- '@springio/asciidoctor-extensions'
|
||||
urls:
|
||||
latest_version_segment_strategy: redirect:to
|
||||
latest_version_segment: ''
|
||||
redirect_facility: httpd
|
||||
ui:
|
||||
bundle:
|
||||
url: https://github.com/spring-io/antora-ui-spring/releases/download/v0.4.11/ui-bundle.zip
|
||||
snapshot: true
|
||||
runtime:
|
||||
log:
|
||||
failure_level: warn
|
||||
@@ -147,6 +147,7 @@
|
||||
*** xref:reactive/exploits/csrf.adoc[CSRF]
|
||||
*** xref:reactive/exploits/headers.adoc[Headers]
|
||||
*** xref:reactive/exploits/http.adoc[HTTP Requests]
|
||||
*** xref:reactive/exploits/firewall.adoc[]
|
||||
** Integrations
|
||||
*** xref:reactive/integrations/cors.adoc[CORS]
|
||||
*** xref:reactive/integrations/rsocket.adoc[RSocket]
|
||||
|
||||
@@ -0,0 +1,234 @@
|
||||
[[webflux-serverwebexchangefirewall]]
|
||||
= ServerWebExchangeFirewall
|
||||
|
||||
There are various ways a request can be created by malicious users that can exploit applications.
|
||||
Spring Security provides the `ServerWebExchangeFirewall` to allow rejecting requests that look malicious.
|
||||
The default implementation is `StrictServerWebExchangeFirewall` which rejects malicious requests.
|
||||
|
||||
For example a request could contain path-traversal sequences (such as `/../`) or multiple forward slashes (`//`) that could also cause pattern-matches to fail.
|
||||
Some containers normalize these out before performing the servlet mapping, but others do not.
|
||||
To protect against issues like these, `WebFilterChainProxy` uses a `ServerWebExchangeFirewall` strategy to check and wrap the request.
|
||||
By default, un-normalized requests are automatically rejected, and path parameters are removed for matching purposes.
|
||||
(So, for example, an original request path of `/secure;hack=1/somefile.html;hack=2` is returned as `/secure/somefile.html`.)
|
||||
It is, therefore, essential that a `WebFilterChainProxy` is used.
|
||||
|
||||
In practice, we recommend that you use method security at your service layer, to control access to your application, rather than rely entirely on the use of security constraints defined at the web-application level.
|
||||
URLs change, and it is difficult to take into account all the possible URLs that an application might support and how requests might be manipulated.
|
||||
You should restrict yourself to using a few simple patterns that are simple to understand.
|
||||
Always try to use a "`deny-by-default`" approach, where you have a catch-all wildcard (`/**` or `**`) defined last to deny access.
|
||||
|
||||
Security defined at the service layer is much more robust and harder to bypass, so you should always take advantage of Spring Security's method security options.
|
||||
|
||||
You can customize the `ServerWebExchangeFirewall` by exposing it as a Bean.
|
||||
|
||||
.Allow Matrix Variables
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public StrictServerWebExchangeFirewall httpFirewall() {
|
||||
StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall();
|
||||
firewall.setAllowSemicolon(true);
|
||||
return firewall;
|
||||
}
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun httpFirewall(): StrictServerWebExchangeFirewall {
|
||||
val firewall = StrictServerWebExchangeFirewall()
|
||||
firewall.setAllowSemicolon(true)
|
||||
return firewall
|
||||
}
|
||||
----
|
||||
======
|
||||
|
||||
To protect against https://www.owasp.org/index.php/Cross_Site_Tracing[Cross Site Tracing (XST)] and https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)[HTTP Verb Tampering], the `StrictServerWebExchangeFirewall` provides an allowed list of valid HTTP methods that are allowed.
|
||||
The default valid methods are `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, and `PUT`.
|
||||
If your application needs to modify the valid methods, you can configure a custom `StrictServerWebExchangeFirewall` bean.
|
||||
The following example allows only HTTP `GET` and `POST` methods:
|
||||
|
||||
|
||||
.Allow Only GET & POST
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public StrictServerWebExchangeFirewall httpFirewall() {
|
||||
StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall();
|
||||
firewall.setAllowedHttpMethods(Arrays.asList("GET", "POST"));
|
||||
return firewall;
|
||||
}
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun httpFirewall(): StrictServerWebExchangeFirewall {
|
||||
val firewall = StrictServerWebExchangeFirewall()
|
||||
firewall.setAllowedHttpMethods(listOf("GET", "POST"))
|
||||
return firewall
|
||||
}
|
||||
----
|
||||
======
|
||||
|
||||
If you must allow any HTTP method (not recommended), you can use `StrictServerWebExchangeFirewall.setUnsafeAllowAnyHttpMethod(true)`.
|
||||
Doing so entirely disables validation of the HTTP method.
|
||||
|
||||
|
||||
[[webflux-serverwebexchangefirewall-headers-parameters]]
|
||||
`StrictServerWebExchangeFirewall` also checks header names and values and parameter names.
|
||||
It requires that each character have a defined code point and not be a control character.
|
||||
|
||||
This requirement can be relaxed or adjusted as necessary by using the following methods:
|
||||
|
||||
* `StrictServerWebExchangeFirewall#setAllowedHeaderNames(Predicate)`
|
||||
* `StrictServerWebExchangeFirewall#setAllowedHeaderValues(Predicate)`
|
||||
* `StrictServerWebExchangeFirewall#setAllowedParameterNames(Predicate)`
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
Parameter values can be also controlled with `setAllowedParameterValues(Predicate)`.
|
||||
====
|
||||
|
||||
For example, to switch off this check, you can wire your `StrictServerWebExchangeFirewall` with `Predicate` instances that always return `true`:
|
||||
|
||||
.Allow Any Header Name, Header Value, and Parameter Name
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public StrictServerWebExchangeFirewall httpFirewall() {
|
||||
StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall();
|
||||
firewall.setAllowedHeaderNames((header) -> true);
|
||||
firewall.setAllowedHeaderValues((header) -> true);
|
||||
firewall.setAllowedParameterNames((parameter) -> true);
|
||||
return firewall;
|
||||
}
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun httpFirewall(): StrictServerWebExchangeFirewall {
|
||||
val firewall = StrictServerWebExchangeFirewall()
|
||||
firewall.setAllowedHeaderNames { true }
|
||||
firewall.setAllowedHeaderValues { true }
|
||||
firewall.setAllowedParameterNames { true }
|
||||
return firewall
|
||||
}
|
||||
----
|
||||
======
|
||||
|
||||
Alternatively, there might be a specific value that you need to allow.
|
||||
|
||||
For example, iPhone Xʀ uses a `User-Agent` that includes a character that is not in the ISO-8859-1 charset.
|
||||
Due to this fact, some application servers parse this value into two separate characters, the latter being an undefined character.
|
||||
|
||||
You can address this with the `setAllowedHeaderValues` method:
|
||||
|
||||
.Allow Certain User Agents
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public StrictServerWebExchangeFirewall httpFirewall() {
|
||||
StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall();
|
||||
Pattern allowed = Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*");
|
||||
Pattern userAgent = ...;
|
||||
firewall.setAllowedHeaderValues((header) -> allowed.matcher(header).matches() || userAgent.matcher(header).matches());
|
||||
return firewall;
|
||||
}
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun httpFirewall(): StrictServerWebExchangeFirewall {
|
||||
val firewall = StrictServerWebExchangeFirewall()
|
||||
val allowed = Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*")
|
||||
val userAgent = Pattern.compile(...)
|
||||
firewall.setAllowedHeaderValues { allowed.matcher(it).matches() || userAgent.matcher(it).matches() }
|
||||
return firewall
|
||||
}
|
||||
----
|
||||
======
|
||||
|
||||
In the case of header values, you may instead consider parsing them as UTF-8 at verification time:
|
||||
|
||||
.Parse Headers As UTF-8
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
firewall.setAllowedHeaderValues((header) -> {
|
||||
String parsed = new String(header.getBytes(ISO_8859_1), UTF_8);
|
||||
return allowed.matcher(parsed).matches();
|
||||
});
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
firewall.setAllowedHeaderValues {
|
||||
val parsed = String(header.getBytes(ISO_8859_1), UTF_8)
|
||||
return allowed.matcher(parsed).matches()
|
||||
}
|
||||
----
|
||||
======
|
||||
|
||||
The `ServerExchangeRejectedHandler` interface is used to handle `ServerExchangeRejectedException` throw by Spring Security's `ServerWebExchangeFirewall`.
|
||||
By default `HttpStatusExchangeRejectedHandler` is used to send an HTTP 400 response to clients when a request is rejected.
|
||||
To customize the behavior, users can expose a `ServerExchangeRejectedHandler` Bean.
|
||||
For example, the following will send an HTTP 404 when the request is rejected:
|
||||
|
||||
|
||||
.Send 404 on Request Rejected
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
ServerExchangeRejectedHandler rejectedHandler() {
|
||||
return new HttpStatusExchangeRejectedHandler(HttpStatus.NOT_FOUND);
|
||||
}
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun rejectedHandler(): ServerExchangeRejectedHandler {
|
||||
return HttpStatusExchangeRejectedHandler(HttpStatus.NOT_FOUND)
|
||||
}
|
||||
----
|
||||
======
|
||||
|
||||
Handling can be completely customized by creating a custom `ServerExchangeRejectedHandler` implementation.
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"dependencies": {
|
||||
"antora": "3.2.0-alpha.4",
|
||||
"@antora/atlas-extension": "1.0.0-alpha.2",
|
||||
"@antora/collector-extension": "1.0.0-alpha.3",
|
||||
"@asciidoctor/tabs": "1.0.0-beta.6",
|
||||
"@springio/antora-extensions": "1.10.0",
|
||||
"@springio/asciidoctor-extensions": "1.0.0-alpha.10"
|
||||
}
|
||||
}
|
||||
@@ -7,14 +7,11 @@ apply plugin: 'io.spring.convention.docs'
|
||||
apply plugin: 'java'
|
||||
|
||||
antora {
|
||||
playbook = 'cached-antora-playbook.yml'
|
||||
playbookProvider {
|
||||
repository = 'spring-projects/spring-security'
|
||||
branch = 'docs-build'
|
||||
path = 'lib/antora/templates/per-branch-antora-playbook.yml'
|
||||
checkLocalBranch = true
|
||||
}
|
||||
options = [clean: true, fetch: !project.gradle.startParameter.offline, stacktrace: true]
|
||||
environment = [
|
||||
'BUILD_REFNAME': 'HEAD',
|
||||
'BUILD_VERSION': project.version,
|
||||
]
|
||||
}
|
||||
|
||||
tasks.named("generateAntoraYml") {
|
||||
|
||||
@@ -53,4 +53,11 @@
|
||||
<suppress files="WithSecurityContextTestExecutionListenerTests\.java" checks="SpringMethodVisibility"/>
|
||||
<suppress files="AbstractOAuth2AuthorizationGrantRequestEntityConverter\.java" checks="SpringMethodVisibility"/>
|
||||
<suppress files="JoseHeader\.java" checks="SpringMethodVisibility"/>
|
||||
|
||||
<!-- Lambdas that we can't replace with a method reference because a closure is required -->
|
||||
<suppress files="BearerTokenAuthenticationFilter\.java" checks="SpringLambda"/>
|
||||
|
||||
<!-- Ignore String.toUpperCase() and String.toLowerCase() checks in tests -->
|
||||
<suppress files="[\\/]src[\\/]test[\\/]" checks="RegexpSinglelineJava" id="toLowerCaseWithoutLocale"/>
|
||||
<suppress files="[\\/]src[\\/]test[\\/]" checks="RegexpSinglelineJava" id="toUpperCaseWithoutLocale"/>
|
||||
</suppressions>
|
||||
|
||||
@@ -23,5 +23,21 @@
|
||||
<property name="message" value="Please use assertThatExceptionOfType." />
|
||||
<property name="ignoreComments" value="true" />
|
||||
</module>
|
||||
<module name="com.puppycrawl.tools.checkstyle.checks.regexp.RegexpSinglelineJavaCheck">
|
||||
<property name="id" value="toLowerCaseWithoutLocale"/>
|
||||
<property name="format" value="\.toLowerCase\(\)"/>
|
||||
<property name="maximum" value="0"/>
|
||||
<property name="message"
|
||||
value="String.toLowerCase() should be String.toLowerCase(Locale.ROOT) or String.toLowerCase(Locale.ENGLISH)"/>
|
||||
<property name="ignoreComments" value="true"/>
|
||||
</module>
|
||||
<module name="com.puppycrawl.tools.checkstyle.checks.regexp.RegexpSinglelineJavaCheck">
|
||||
<property name="id" value="toUpperCaseWithoutLocale"/>
|
||||
<property name="format" value="\.toUpperCase\(\)"/>
|
||||
<property name="maximum" value="0"/>
|
||||
<property name="message"
|
||||
value="String.toUpperCase() should be String.toUpperCase(Locale.ROOT) or String.toUpperCase(Locale.ENGLISH)"/>
|
||||
<property name="ignoreComments" value="true"/>
|
||||
</module>
|
||||
</module>
|
||||
</module>
|
||||
|
||||
+1
-1
@@ -3,7 +3,7 @@ springJavaformatVersion=0.0.31
|
||||
springBootVersion=2.4.2
|
||||
springFrameworkVersion=5.3.29
|
||||
openSamlVersion=3.4.6
|
||||
version=5.7.11-SNAPSHOT
|
||||
version=5.7.15-SNAPSHOT
|
||||
kotlinVersion=1.6.21
|
||||
samplesBranch=5.7.x
|
||||
org.gradle.jvmargs=-Xmx3g -XX:MaxPermSize=2048m -XX:+HeapDumpOnOutOfMemoryError
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2005-2010 the original author or authors.
|
||||
* Copyright 2005-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -16,6 +16,8 @@
|
||||
|
||||
package org.springframework.security.ldap;
|
||||
|
||||
import java.util.Locale;
|
||||
|
||||
import org.springframework.ldap.BadLdapGrammarException;
|
||||
|
||||
/**
|
||||
@@ -72,7 +74,7 @@ final class LdapEncoder {
|
||||
}
|
||||
|
||||
protected static String toTwoCharHex(char c) {
|
||||
String raw = Integer.toHexString(c).toUpperCase();
|
||||
String raw = Integer.toHexString(c).toUpperCase(Locale.ENGLISH);
|
||||
return (raw.length() > 1) ? raw : "0" + raw;
|
||||
}
|
||||
|
||||
|
||||
+4
-2
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2005-2010 the original author or authors.
|
||||
* Copyright 2005-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -16,6 +16,8 @@
|
||||
|
||||
package org.springframework.security.ldap.authentication;
|
||||
|
||||
import java.util.Locale;
|
||||
|
||||
import org.springframework.ldap.BadLdapGrammarException;
|
||||
|
||||
/**
|
||||
@@ -72,7 +74,7 @@ final class LdapEncoder {
|
||||
}
|
||||
|
||||
protected static String toTwoCharHex(char c) {
|
||||
String raw = Integer.toHexString(c).toUpperCase();
|
||||
String raw = Integer.toHexString(c).toUpperCase(Locale.ENGLISH);
|
||||
return (raw.length() > 1) ? raw : "0" + raw;
|
||||
}
|
||||
|
||||
|
||||
+6
-5
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -23,6 +23,7 @@ import java.util.Collection;
|
||||
import java.util.HashMap;
|
||||
import java.util.Hashtable;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
@@ -142,9 +143,9 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
|
||||
*/
|
||||
public ActiveDirectoryLdapAuthenticationProvider(String domain, String url, String rootDn) {
|
||||
Assert.isTrue(StringUtils.hasText(url), "Url cannot be empty");
|
||||
this.domain = StringUtils.hasText(domain) ? domain.toLowerCase() : null;
|
||||
this.domain = StringUtils.hasText(domain) ? domain.toLowerCase(Locale.ROOT) : null;
|
||||
this.url = url;
|
||||
this.rootDn = StringUtils.hasText(rootDn) ? rootDn.toLowerCase() : null;
|
||||
this.rootDn = StringUtils.hasText(rootDn) ? rootDn.toLowerCase(Locale.ROOT) : null;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -153,7 +154,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
|
||||
*/
|
||||
public ActiveDirectoryLdapAuthenticationProvider(String domain, String url) {
|
||||
Assert.isTrue(StringUtils.hasText(url), "Url cannot be empty");
|
||||
this.domain = StringUtils.hasText(domain) ? domain.toLowerCase() : null;
|
||||
this.domain = StringUtils.hasText(domain) ? domain.toLowerCase(Locale.ROOT) : null;
|
||||
this.url = url;
|
||||
this.rootDn = (this.domain != null) ? rootDnFromDomain(this.domain) : null;
|
||||
}
|
||||
@@ -361,7 +362,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
|
||||
}
|
||||
|
||||
String createBindPrincipal(String username) {
|
||||
if (this.domain == null || username.toLowerCase().endsWith(this.domain)) {
|
||||
if (this.domain == null || username.toLowerCase(Locale.ROOT).endsWith(this.domain)) {
|
||||
return username;
|
||||
}
|
||||
return username + "@" + this.domain;
|
||||
|
||||
+2
-1
@@ -20,6 +20,7 @@ import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.function.Function;
|
||||
@@ -179,7 +180,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
|
||||
return null;
|
||||
}
|
||||
if (this.convertToUpperCase) {
|
||||
role = role.toUpperCase();
|
||||
role = role.toUpperCase(Locale.ROOT);
|
||||
}
|
||||
return new SimpleGrantedAuthority(this.rolePrefix + role);
|
||||
};
|
||||
|
||||
+4
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -23,6 +23,7 @@ import java.util.Collection;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.ListIterator;
|
||||
import java.util.Locale;
|
||||
|
||||
import javax.naming.Context;
|
||||
import javax.naming.NameNotFoundException;
|
||||
@@ -120,7 +121,7 @@ public class LdapUserDetailsManager implements UserDetailsManager {
|
||||
NamingEnumeration<?> ne = roleAttr.getAll();
|
||||
Object group = ne.next();
|
||||
String role = group.toString();
|
||||
return new SimpleGrantedAuthority(this.rolePrefix + role.toUpperCase());
|
||||
return new SimpleGrantedAuthority(this.rolePrefix + role.toUpperCase(Locale.ROOT));
|
||||
};
|
||||
|
||||
private String[] attributesToRetrieve;
|
||||
@@ -283,7 +284,7 @@ public class LdapUserDetailsManager implements UserDetailsManager {
|
||||
*/
|
||||
protected DistinguishedName buildGroupDn(String group) {
|
||||
DistinguishedName dn = new DistinguishedName(this.groupSearchBase);
|
||||
dn.add(this.groupRoleAttributeName, group.toLowerCase());
|
||||
dn.add(this.groupRoleAttributeName, group.toLowerCase(Locale.ROOT));
|
||||
return dn;
|
||||
}
|
||||
|
||||
|
||||
+2
-1
@@ -17,6 +17,7 @@
|
||||
package org.springframework.security.ldap.userdetails;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.Locale;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
@@ -127,7 +128,7 @@ public class LdapUserDetailsMapper implements UserDetailsContextMapper {
|
||||
protected GrantedAuthority createAuthority(Object role) {
|
||||
if (role instanceof String) {
|
||||
if (this.convertToUpperCase) {
|
||||
role = ((String) role).toUpperCase();
|
||||
role = ((String) role).toUpperCase(Locale.ROOT);
|
||||
}
|
||||
return new SimpleGrantedAuthority(this.rolePrefix + role);
|
||||
}
|
||||
|
||||
+3
-2
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2014 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -18,6 +18,7 @@ package org.springframework.security.ldap.userdetails;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
@@ -193,7 +194,7 @@ public class NestedLdapAuthoritiesPopulator extends DefaultLdapAuthoritiesPopula
|
||||
}
|
||||
for (String role : roles) {
|
||||
if (isConvertToUpperCase()) {
|
||||
role = role.toUpperCase();
|
||||
role = role.toUpperCase(Locale.ROOT);
|
||||
}
|
||||
role = getRolePrefix() + role;
|
||||
// if the group already exist, we will not search for it's parents again.
|
||||
|
||||
+3
-2
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -19,6 +19,7 @@ package org.springframework.security.oauth2.client.web.reactive.function.client;
|
||||
import java.time.Duration;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
import java.util.Optional;
|
||||
import java.util.function.Consumer;
|
||||
@@ -749,7 +750,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
|
||||
// @formatter:off
|
||||
return Stream.of(wwwAuthenticateHeader)
|
||||
.filter((header) -> !StringUtils.isEmpty(header))
|
||||
.filter((header) -> header.toLowerCase().startsWith("bearer"))
|
||||
.filter((header) -> header.toLowerCase(Locale.ENGLISH).startsWith("bearer"))
|
||||
.map((header) -> header.substring("bearer".length()))
|
||||
.map((header) -> header.split(","))
|
||||
.flatMap(Stream::of)
|
||||
|
||||
+3
-2
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -19,6 +19,7 @@ package org.springframework.security.oauth2.client.web.reactive.function.client;
|
||||
import java.time.Duration;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
import java.util.function.Consumer;
|
||||
import java.util.stream.Collectors;
|
||||
@@ -720,7 +721,7 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement
|
||||
private Map<String, String> parseAuthParameters(String wwwAuthenticateHeader) {
|
||||
// @formatter:off
|
||||
return Stream.of(wwwAuthenticateHeader).filter((header) -> !StringUtils.isEmpty(header))
|
||||
.filter((header) -> header.toLowerCase().startsWith("bearer"))
|
||||
.filter((header) -> header.toLowerCase(Locale.ENGLISH).startsWith("bearer"))
|
||||
.map((header) -> header.substring("bearer".length()))
|
||||
.map((header) -> header.split(","))
|
||||
.flatMap(Stream::of)
|
||||
|
||||
+3
-2
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2004-2010 the original author or authors.
|
||||
* Copyright 2004-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -17,6 +17,7 @@
|
||||
package org.springframework.security.taglibs.authz;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
@@ -167,7 +168,7 @@ public abstract class AbstractAuthorizeTag {
|
||||
}
|
||||
|
||||
public void setMethod(String method) {
|
||||
this.method = (method != null) ? method.toUpperCase() : null;
|
||||
this.method = (method != null) ? method.toUpperCase(Locale.ENGLISH) : null;
|
||||
}
|
||||
|
||||
@SuppressWarnings({ "unchecked", "rawtypes" })
|
||||
|
||||
@@ -16,6 +16,8 @@
|
||||
|
||||
package org.springframework.security.web;
|
||||
|
||||
import java.util.Locale;
|
||||
|
||||
import javax.servlet.ServletRequest;
|
||||
|
||||
import org.springframework.util.Assert;
|
||||
@@ -45,7 +47,7 @@ public class PortResolverImpl implements PortResolver {
|
||||
@Override
|
||||
public int getServerPort(ServletRequest request) {
|
||||
int serverPort = request.getServerPort();
|
||||
String scheme = request.getScheme().toLowerCase();
|
||||
String scheme = request.getScheme().toLowerCase(Locale.ENGLISH);
|
||||
Integer mappedPort = getMappedPort(serverPort, scheme);
|
||||
return (mappedPort != null) ? mappedPort : serverPort;
|
||||
}
|
||||
|
||||
@@ -22,6 +22,12 @@ import java.util.List;
|
||||
import reactor.core.publisher.Flux;
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.security.web.server.firewall.HttpStatusExchangeRejectedHandler;
|
||||
import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
|
||||
import org.springframework.security.web.server.firewall.ServerExchangeRejectedHandler;
|
||||
import org.springframework.security.web.server.firewall.ServerWebExchangeFirewall;
|
||||
import org.springframework.security.web.server.firewall.StrictServerWebExchangeFirewall;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
import org.springframework.web.server.WebFilter;
|
||||
import org.springframework.web.server.WebFilterChain;
|
||||
@@ -38,6 +44,10 @@ public class WebFilterChainProxy implements WebFilter {
|
||||
|
||||
private final List<SecurityWebFilterChain> filters;
|
||||
|
||||
private ServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall();
|
||||
|
||||
private ServerExchangeRejectedHandler exchangeRejectedHandler = new HttpStatusExchangeRejectedHandler();
|
||||
|
||||
public WebFilterChainProxy(List<SecurityWebFilterChain> filters) {
|
||||
this.filters = filters;
|
||||
}
|
||||
@@ -48,12 +58,41 @@ public class WebFilterChainProxy implements WebFilter {
|
||||
|
||||
@Override
|
||||
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
|
||||
return this.firewall.getFirewalledExchange(exchange)
|
||||
.flatMap((firewalledExchange) -> filterFirewalledExchange(firewalledExchange, chain))
|
||||
.onErrorResume(ServerExchangeRejectedException.class,
|
||||
(rejected) -> this.exchangeRejectedHandler.handle(exchange, rejected).then(Mono.empty()));
|
||||
}
|
||||
|
||||
private Mono<Void> filterFirewalledExchange(ServerWebExchange firewalledExchange, WebFilterChain chain) {
|
||||
return Flux.fromIterable(this.filters)
|
||||
.filterWhen((securityWebFilterChain) -> securityWebFilterChain.matches(exchange)).next()
|
||||
.switchIfEmpty(chain.filter(exchange).then(Mono.empty()))
|
||||
.filterWhen((securityWebFilterChain) -> securityWebFilterChain.matches(firewalledExchange)).next()
|
||||
.switchIfEmpty(chain.filter(firewalledExchange).then(Mono.empty()))
|
||||
.flatMap((securityWebFilterChain) -> securityWebFilterChain.getWebFilters().collectList())
|
||||
.map((filters) -> new FilteringWebHandler(chain::filter, filters)).map(DefaultWebFilterChain::new)
|
||||
.flatMap((securedChain) -> securedChain.filter(exchange));
|
||||
.flatMap((securedChain) -> securedChain.filter(firewalledExchange));
|
||||
}
|
||||
|
||||
/**
|
||||
* Protects the application using the provided
|
||||
* {@link StrictServerWebExchangeFirewall}.
|
||||
* @param firewall the {@link StrictServerWebExchangeFirewall} to use. Cannot be null.
|
||||
* @since 5.7.13
|
||||
*/
|
||||
public void setFirewall(ServerWebExchangeFirewall firewall) {
|
||||
Assert.notNull(firewall, "firewall cannot be null");
|
||||
this.firewall = firewall;
|
||||
}
|
||||
|
||||
/**
|
||||
* Handles {@link ServerExchangeRejectedException} when the
|
||||
* {@link ServerWebExchangeFirewall} rejects the provided {@link ServerWebExchange}.
|
||||
* @param exchangeRejectedHandler the {@link ServerExchangeRejectedHandler} to use.
|
||||
* @since 5.7.13
|
||||
*/
|
||||
public void setExchangeRejectedHandler(ServerExchangeRejectedHandler exchangeRejectedHandler) {
|
||||
Assert.notNull(exchangeRejectedHandler, "exchangeRejectedHandler cannot be null");
|
||||
this.exchangeRejectedHandler = exchangeRejectedHandler;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
+66
@@ -0,0 +1,66 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.firewall;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.core.log.LogMessage;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
|
||||
/**
|
||||
* A simple implementation of {@link ServerExchangeRejectedHandler} that sends an error
|
||||
* with configurable status code.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 5.7.13
|
||||
*/
|
||||
public class HttpStatusExchangeRejectedHandler implements ServerExchangeRejectedHandler {
|
||||
|
||||
private static final Log logger = LogFactory.getLog(HttpStatusExchangeRejectedHandler.class);
|
||||
|
||||
private final HttpStatus status;
|
||||
|
||||
/**
|
||||
* Constructs an instance which uses {@code 400} as response code.
|
||||
*/
|
||||
public HttpStatusExchangeRejectedHandler() {
|
||||
this(HttpStatus.BAD_REQUEST);
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructs an instance which uses a configurable http code as response.
|
||||
* @param status http status code to use
|
||||
*/
|
||||
public HttpStatusExchangeRejectedHandler(HttpStatus status) {
|
||||
this.status = status;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Mono<Void> handle(ServerWebExchange exchange,
|
||||
ServerExchangeRejectedException serverExchangeRejectedException) {
|
||||
return Mono.fromRunnable(() -> {
|
||||
logger.debug(
|
||||
LogMessage.format("Rejecting request due to: %s", serverExchangeRejectedException.getMessage()),
|
||||
serverExchangeRejectedException);
|
||||
exchange.getResponse().setStatusCode(this.status);
|
||||
});
|
||||
}
|
||||
|
||||
}
|
||||
+31
@@ -0,0 +1,31 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.firewall;
|
||||
|
||||
/**
|
||||
* Thrown when a {@link org.springframework.web.server.ServerWebExchange} is rejected.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 5.7.13
|
||||
*/
|
||||
public class ServerExchangeRejectedException extends RuntimeException {
|
||||
|
||||
public ServerExchangeRejectedException(String message) {
|
||||
super(message);
|
||||
}
|
||||
|
||||
}
|
||||
+39
@@ -0,0 +1,39 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.firewall;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
|
||||
/**
|
||||
* Handles {@link ServerExchangeRejectedException} thrown by
|
||||
* {@link ServerWebExchangeFirewall}.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 5.7.13
|
||||
*/
|
||||
public interface ServerExchangeRejectedHandler {
|
||||
|
||||
/**
|
||||
* Handles an request rejected failure.
|
||||
* @param exchange the {@link ServerWebExchange} that was rejected
|
||||
* @param serverExchangeRejectedException that caused the invocation
|
||||
*/
|
||||
Mono<Void> handle(ServerWebExchange exchange, ServerExchangeRejectedException serverExchangeRejectedException);
|
||||
|
||||
}
|
||||
+46
@@ -0,0 +1,46 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.firewall;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
|
||||
/**
|
||||
* Interface which can be used to reject potentially dangerous requests and/or wrap them
|
||||
* to control their behaviour.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 5.7.13
|
||||
*/
|
||||
public interface ServerWebExchangeFirewall {
|
||||
|
||||
/**
|
||||
* An implementation of {@link StrictServerWebExchangeFirewall} that does nothing.
|
||||
* This is considered insecure and not recommended.
|
||||
*/
|
||||
ServerWebExchangeFirewall INSECURE_NOOP = (exchange) -> Mono.just(exchange);
|
||||
|
||||
/**
|
||||
* Get a {@link ServerWebExchange} that has firewall rules applied to it.
|
||||
* @param exchange the {@link ServerWebExchange} to apply firewall rules to.
|
||||
* @return the {@link ServerWebExchange} that has firewall rules applied to it.
|
||||
* @throws ServerExchangeRejectedException when a rule is broken.
|
||||
*/
|
||||
Mono<ServerWebExchange> getFirewalledExchange(ServerWebExchange exchange);
|
||||
|
||||
}
|
||||
+791
@@ -0,0 +1,791 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.firewall;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.function.Predicate;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.http.server.reactive.ServerHttpRequest;
|
||||
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
|
||||
import org.springframework.http.server.reactive.ServerHttpResponse;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.MultiValueMap;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
import org.springframework.web.server.ServerWebExchangeDecorator;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* A strict implementation of {@link ServerWebExchangeFirewall} that rejects any
|
||||
* suspicious requests with a {@link ServerExchangeRejectedException}.
|
||||
* </p>
|
||||
* <p>
|
||||
* The following rules are applied to the firewall:
|
||||
* </p>
|
||||
* <ul>
|
||||
* <li>Rejects HTTP methods that are not allowed. This specified to block
|
||||
* <a href="https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)">HTTP Verb
|
||||
* tampering and XST attacks</a>. See {@link #setAllowedHttpMethods(Collection)}</li>
|
||||
* <li>Rejects URLs that are not normalized to avoid bypassing security constraints. There
|
||||
* is no way to disable this as it is considered extremely risky to disable this
|
||||
* constraint. A few options to allow this behavior is to normalize the request prior to
|
||||
* the firewall or using
|
||||
* {@link org.springframework.security.web.firewall.DefaultHttpFirewall} instead. Please
|
||||
* keep in mind that normalizing the request is fragile and why requests are rejected
|
||||
* rather than normalized.</li>
|
||||
* <li>Rejects URLs that contain characters that are not printable ASCII characters. There
|
||||
* is no way to disable this as it is considered extremely risky to disable this
|
||||
* constraint.</li>
|
||||
* <li>Rejects URLs that contain semicolons. See {@link #setAllowSemicolon(boolean)}</li>
|
||||
* <li>Rejects URLs that contain a URL encoded slash. See
|
||||
* {@link #setAllowUrlEncodedSlash(boolean)}</li>
|
||||
* <li>Rejects URLs that contain a backslash. See {@link #setAllowBackSlash(boolean)}</li>
|
||||
* <li>Rejects URLs that contain a null character. See {@link #setAllowNull(boolean)}</li>
|
||||
* <li>Rejects URLs that contain a URL encoded percent. See
|
||||
* {@link #setAllowUrlEncodedPercent(boolean)}</li>
|
||||
* <li>Rejects hosts that are not allowed. See {@link #setAllowedHostnames(Predicate)}
|
||||
* </li>
|
||||
* <li>Reject headers names that are not allowed. See
|
||||
* {@link #setAllowedHeaderNames(Predicate)}</li>
|
||||
* <li>Reject headers values that are not allowed. See
|
||||
* {@link #setAllowedHeaderValues(Predicate)}</li>
|
||||
* <li>Reject parameter names that are not allowed. See
|
||||
* {@link #setAllowedParameterNames(Predicate)}</li>
|
||||
* <li>Reject parameter values that are not allowed. See
|
||||
* {@link #setAllowedParameterValues(Predicate)}</li>
|
||||
* </ul>
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 5.7.13
|
||||
*/
|
||||
public class StrictServerWebExchangeFirewall implements ServerWebExchangeFirewall {
|
||||
|
||||
/**
|
||||
* Used to specify to {@link #setAllowedHttpMethods(Collection)} that any HTTP method
|
||||
* should be allowed.
|
||||
*/
|
||||
private static final Set<HttpMethod> ALLOW_ANY_HTTP_METHOD = Collections.emptySet();
|
||||
|
||||
private static final String ENCODED_PERCENT = "%25";
|
||||
|
||||
private static final String PERCENT = "%";
|
||||
|
||||
private static final List<String> FORBIDDEN_ENCODED_PERIOD = Collections
|
||||
.unmodifiableList(Arrays.asList("%2e", "%2E"));
|
||||
|
||||
private static final List<String> FORBIDDEN_SEMICOLON = Collections
|
||||
.unmodifiableList(Arrays.asList(";", "%3b", "%3B"));
|
||||
|
||||
private static final List<String> FORBIDDEN_FORWARDSLASH = Collections
|
||||
.unmodifiableList(Arrays.asList("%2f", "%2F"));
|
||||
|
||||
private static final List<String> FORBIDDEN_DOUBLE_FORWARDSLASH = Collections
|
||||
.unmodifiableList(Arrays.asList("//", "%2f%2f", "%2f%2F", "%2F%2f", "%2F%2F"));
|
||||
|
||||
private static final List<String> FORBIDDEN_BACKSLASH = Collections
|
||||
.unmodifiableList(Arrays.asList("\\", "%5c", "%5C"));
|
||||
|
||||
private static final List<String> FORBIDDEN_NULL = Collections.unmodifiableList(Arrays.asList("\0", "%00"));
|
||||
|
||||
private static final List<String> FORBIDDEN_LF = Collections.unmodifiableList(Arrays.asList("\n", "%0a", "%0A"));
|
||||
|
||||
private static final List<String> FORBIDDEN_CR = Collections.unmodifiableList(Arrays.asList("\r", "%0d", "%0D"));
|
||||
|
||||
private static final List<String> FORBIDDEN_LINE_SEPARATOR = Collections.unmodifiableList(Arrays.asList("\u2028"));
|
||||
|
||||
private static final List<String> FORBIDDEN_PARAGRAPH_SEPARATOR = Collections
|
||||
.unmodifiableList(Arrays.asList("\u2029"));
|
||||
|
||||
private Set<String> encodedUrlBlocklist = new HashSet<>();
|
||||
|
||||
private Set<String> decodedUrlBlocklist = new HashSet<>();
|
||||
|
||||
private Set<HttpMethod> allowedHttpMethods = createDefaultAllowedHttpMethods();
|
||||
|
||||
private Predicate<String> allowedHostnames = (hostname) -> true;
|
||||
|
||||
private static final Pattern ASSIGNED_AND_NOT_ISO_CONTROL_PATTERN = Pattern
|
||||
.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*");
|
||||
|
||||
private static final Predicate<String> ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE = (
|
||||
s) -> ASSIGNED_AND_NOT_ISO_CONTROL_PATTERN.matcher(s).matches();
|
||||
|
||||
private static final Pattern HEADER_VALUE_PATTERN = Pattern.compile("[\\p{IsAssigned}&&[[^\\p{IsControl}]||\\t]]*");
|
||||
|
||||
private static final Predicate<String> HEADER_VALUE_PREDICATE = (s) -> s == null
|
||||
|| HEADER_VALUE_PATTERN.matcher(s).matches();
|
||||
|
||||
private Predicate<String> allowedHeaderNames = ALLOWED_HEADER_NAMES;
|
||||
|
||||
public static final Predicate<String> ALLOWED_HEADER_NAMES = ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE;
|
||||
|
||||
private Predicate<String> allowedHeaderValues = ALLOWED_HEADER_VALUES;
|
||||
|
||||
public static final Predicate<String> ALLOWED_HEADER_VALUES = HEADER_VALUE_PREDICATE;
|
||||
|
||||
private Predicate<String> allowedParameterNames = ALLOWED_PARAMETER_NAMES;
|
||||
|
||||
public static final Predicate<String> ALLOWED_PARAMETER_NAMES = ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE;
|
||||
|
||||
private Predicate<String> allowedParameterValues = ALLOWED_PARAMETER_VALUES;
|
||||
|
||||
public static final Predicate<String> ALLOWED_PARAMETER_VALUES = (value) -> true;
|
||||
|
||||
public StrictServerWebExchangeFirewall() {
|
||||
urlBlocklistsAddAll(FORBIDDEN_SEMICOLON);
|
||||
urlBlocklistsAddAll(FORBIDDEN_FORWARDSLASH);
|
||||
urlBlocklistsAddAll(FORBIDDEN_DOUBLE_FORWARDSLASH);
|
||||
urlBlocklistsAddAll(FORBIDDEN_BACKSLASH);
|
||||
urlBlocklistsAddAll(FORBIDDEN_NULL);
|
||||
urlBlocklistsAddAll(FORBIDDEN_LF);
|
||||
urlBlocklistsAddAll(FORBIDDEN_CR);
|
||||
|
||||
this.encodedUrlBlocklist.add(ENCODED_PERCENT);
|
||||
this.encodedUrlBlocklist.addAll(FORBIDDEN_ENCODED_PERIOD);
|
||||
this.decodedUrlBlocklist.add(PERCENT);
|
||||
this.decodedUrlBlocklist.addAll(FORBIDDEN_LINE_SEPARATOR);
|
||||
this.decodedUrlBlocklist.addAll(FORBIDDEN_PARAGRAPH_SEPARATOR);
|
||||
}
|
||||
|
||||
public Set<String> getEncodedUrlBlocklist() {
|
||||
return this.encodedUrlBlocklist;
|
||||
}
|
||||
|
||||
public Set<String> getDecodedUrlBlocklist() {
|
||||
return this.decodedUrlBlocklist;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Mono<ServerWebExchange> getFirewalledExchange(ServerWebExchange exchange) {
|
||||
return Mono.fromCallable(() -> {
|
||||
ServerHttpRequest request = exchange.getRequest();
|
||||
rejectForbiddenHttpMethod(request);
|
||||
rejectedBlocklistedUrls(request);
|
||||
rejectedUntrustedHosts(request);
|
||||
if (!isNormalized(request)) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the URL was not normalized");
|
||||
}
|
||||
|
||||
exchange.getResponse().beforeCommit(() -> Mono.fromRunnable(() -> {
|
||||
ServerHttpResponse response = exchange.getResponse();
|
||||
HttpHeaders headers = response.getHeaders();
|
||||
for (Map.Entry<String, List<String>> header : headers.entrySet()) {
|
||||
String headerName = header.getKey();
|
||||
List<String> headerValues = header.getValue();
|
||||
for (String headerValue : headerValues) {
|
||||
validateCrlf(headerName, headerValue);
|
||||
}
|
||||
}
|
||||
}));
|
||||
return new StrictFirewallServerWebExchange(exchange);
|
||||
});
|
||||
}
|
||||
|
||||
private static void validateCrlf(String name, String value) {
|
||||
Assert.isTrue(!hasCrlf(name) && !hasCrlf(value), () -> "Invalid characters (CR/LF) in header " + name);
|
||||
}
|
||||
|
||||
private static boolean hasCrlf(String value) {
|
||||
return value != null && (value.indexOf('\n') != -1 || value.indexOf('\r') != -1);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets if any HTTP method is allowed. If this set to true, then no validation on the
|
||||
* HTTP method will be performed. This can open the application up to
|
||||
* <a href="https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)"> HTTP
|
||||
* Verb tampering and XST attacks</a>
|
||||
* @param unsafeAllowAnyHttpMethod if true, disables HTTP method validation, else
|
||||
* resets back to the defaults. Default is false.
|
||||
* @since 5.1
|
||||
* @see #setAllowedHttpMethods(Collection)
|
||||
*/
|
||||
public void setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod) {
|
||||
this.allowedHttpMethods = unsafeAllowAnyHttpMethod ? ALLOW_ANY_HTTP_METHOD : createDefaultAllowedHttpMethods();
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines which HTTP methods should be allowed. The default is to allow "DELETE",
|
||||
* "GET", "HEAD", "OPTIONS", "PATCH", "POST", and "PUT".
|
||||
* </p>
|
||||
* @param allowedHttpMethods the case-sensitive collection of HTTP methods that are
|
||||
* allowed.
|
||||
* @since 5.1
|
||||
* @see #setUnsafeAllowAnyHttpMethod(boolean)
|
||||
*/
|
||||
public void setAllowedHttpMethods(Collection<HttpMethod> allowedHttpMethods) {
|
||||
Assert.notNull(allowedHttpMethods, "allowedHttpMethods cannot be null");
|
||||
this.allowedHttpMethods = (allowedHttpMethods != ALLOW_ANY_HTTP_METHOD) ? new HashSet<>(allowedHttpMethods)
|
||||
: ALLOW_ANY_HTTP_METHOD;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if semicolon is allowed in the URL (i.e. matrix variables). The default
|
||||
* is to disable this behavior because it is a common way of attempting to perform
|
||||
* <a href="https://www.owasp.org/index.php/Reflected_File_Download">Reflected File
|
||||
* Download Attacks</a>. It is also the source of many exploits which bypass URL based
|
||||
* security.
|
||||
* </p>
|
||||
* <p>
|
||||
* For example, the following CVEs are a subset of the issues related to ambiguities
|
||||
* in the Servlet Specification on how to treat semicolons that led to CVEs:
|
||||
* </p>
|
||||
* <ul>
|
||||
* <li><a href="https://pivotal.io/security/cve-2016-5007">cve-2016-5007</a></li>
|
||||
* <li><a href="https://pivotal.io/security/cve-2016-9879">cve-2016-9879</a></li>
|
||||
* <li><a href="https://pivotal.io/security/cve-2018-1199">cve-2018-1199</a></li>
|
||||
* </ul>
|
||||
*
|
||||
* <p>
|
||||
* If you are wanting to allow semicolons, please reconsider as it is a very common
|
||||
* source of security bypasses. A few common reasons users want semicolons and
|
||||
* alternatives are listed below:
|
||||
* </p>
|
||||
* <ul>
|
||||
* <li>Including the JSESSIONID in the path - You should not include session id (or
|
||||
* any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
|
||||
* </li>
|
||||
* <li>Matrix Variables - Users wanting to leverage Matrix Variables should consider
|
||||
* using HTTP parameters instead.</li>
|
||||
* </ul>
|
||||
* @param allowSemicolon should semicolons be allowed in the URL. Default is false
|
||||
*/
|
||||
public void setAllowSemicolon(boolean allowSemicolon) {
|
||||
if (allowSemicolon) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_SEMICOLON);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_SEMICOLON);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path
|
||||
* or not. The default is to not allow this behavior because it is a common way to
|
||||
* bypass URL based security.
|
||||
* </p>
|
||||
* <p>
|
||||
* For example, due to ambiguities in the servlet specification, the value is not
|
||||
* parsed consistently which results in different values in {@code HttpServletRequest}
|
||||
* path related values which allow bypassing certain security constraints.
|
||||
* </p>
|
||||
* @param allowUrlEncodedSlash should a slash "/" that is URL encoded "%2F" be allowed
|
||||
* in the path or not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash) {
|
||||
if (allowUrlEncodedSlash) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_FORWARDSLASH);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_FORWARDSLASH);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in
|
||||
* the path or not. The default is to not allow.
|
||||
* </p>
|
||||
* @param allowUrlEncodedDoubleSlash should a slash "//" that is URL encoded "%2F%2F"
|
||||
* be allowed in the path or not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedDoubleSlash(boolean allowUrlEncodedDoubleSlash) {
|
||||
if (allowUrlEncodedDoubleSlash) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_DOUBLE_FORWARDSLASH);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_DOUBLE_FORWARDSLASH);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if a period "." that is URL encoded "%2E" should be allowed in the path
|
||||
* or not. The default is to not allow this behavior because it is a frequent source
|
||||
* of security exploits.
|
||||
* </p>
|
||||
* <p>
|
||||
* For example, due to ambiguities in the servlet specification a URL encoded period
|
||||
* might lead to bypassing security constraints through a directory traversal attack.
|
||||
* This is because the path is not parsed consistently which results in different
|
||||
* values in {@code HttpServletRequest} path related values which allow bypassing
|
||||
* certain security constraints.
|
||||
* </p>
|
||||
* @param allowUrlEncodedPeriod should a period "." that is URL encoded "%2E" be
|
||||
* allowed in the path or not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod) {
|
||||
if (allowUrlEncodedPeriod) {
|
||||
this.encodedUrlBlocklist.removeAll(FORBIDDEN_ENCODED_PERIOD);
|
||||
}
|
||||
else {
|
||||
this.encodedUrlBlocklist.addAll(FORBIDDEN_ENCODED_PERIOD);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in
|
||||
* the path or not. The default is not to allow this behavior because it is a frequent
|
||||
* source of security exploits.
|
||||
* </p>
|
||||
* <p>
|
||||
* For example, due to ambiguities in the servlet specification a URL encoded period
|
||||
* might lead to bypassing security constraints through a directory traversal attack.
|
||||
* This is because the path is not parsed consistently which results in different
|
||||
* values in {@code HttpServletRequest} path related values which allow bypassing
|
||||
* certain security constraints.
|
||||
* </p>
|
||||
* @param allowBackSlash a backslash "\" or a URL encoded backslash "%5C" be allowed
|
||||
* in the path or not. Default is false
|
||||
*/
|
||||
public void setAllowBackSlash(boolean allowBackSlash) {
|
||||
if (allowBackSlash) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_BACKSLASH);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_BACKSLASH);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if a null "\0" or a URL encoded nul "%00" should be allowed in the path
|
||||
* or not. The default is not to allow this behavior because it is a frequent source
|
||||
* of security exploits.
|
||||
* </p>
|
||||
* @param allowNull a null "\0" or a URL encoded null "%00" be allowed in the path or
|
||||
* not. Default is false
|
||||
* @since 5.4
|
||||
*/
|
||||
public void setAllowNull(boolean allowNull) {
|
||||
if (allowNull) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_NULL);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_NULL);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if a percent "%" that is URL encoded "%25" should be allowed in the path
|
||||
* or not. The default is not to allow this behavior because it is a frequent source
|
||||
* of security exploits.
|
||||
* </p>
|
||||
* <p>
|
||||
* For example, this can lead to exploits that involve double URL encoding that lead
|
||||
* to bypassing security constraints.
|
||||
* </p>
|
||||
* @param allowUrlEncodedPercent if a percent "%" that is URL encoded "%25" should be
|
||||
* allowed in the path or not. Default is false
|
||||
*/
|
||||
public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent) {
|
||||
if (allowUrlEncodedPercent) {
|
||||
this.encodedUrlBlocklist.remove(ENCODED_PERCENT);
|
||||
this.decodedUrlBlocklist.remove(PERCENT);
|
||||
}
|
||||
else {
|
||||
this.encodedUrlBlocklist.add(ENCODED_PERCENT);
|
||||
this.decodedUrlBlocklist.add(PERCENT);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if a URL encoded Carriage Return is allowed in the path or not. The
|
||||
* default is not to allow this behavior because it is a frequent source of security
|
||||
* exploits.
|
||||
* @param allowUrlEncodedCarriageReturn if URL encoded Carriage Return is allowed in
|
||||
* the URL or not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedCarriageReturn(boolean allowUrlEncodedCarriageReturn) {
|
||||
if (allowUrlEncodedCarriageReturn) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_CR);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_CR);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if a URL encoded Line Feed is allowed in the path or not. The default is
|
||||
* not to allow this behavior because it is a frequent source of security exploits.
|
||||
* @param allowUrlEncodedLineFeed if URL encoded Line Feed is allowed in the URL or
|
||||
* not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedLineFeed(boolean allowUrlEncodedLineFeed) {
|
||||
if (allowUrlEncodedLineFeed) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_LF);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_LF);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if a URL encoded paragraph separator is allowed in the path or not. The
|
||||
* default is not to allow this behavior because it is a frequent source of security
|
||||
* exploits.
|
||||
* @param allowUrlEncodedParagraphSeparator if URL encoded paragraph separator is
|
||||
* allowed in the URL or not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedParagraphSeparator(boolean allowUrlEncodedParagraphSeparator) {
|
||||
if (allowUrlEncodedParagraphSeparator) {
|
||||
this.decodedUrlBlocklist.removeAll(FORBIDDEN_PARAGRAPH_SEPARATOR);
|
||||
}
|
||||
else {
|
||||
this.decodedUrlBlocklist.addAll(FORBIDDEN_PARAGRAPH_SEPARATOR);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if a URL encoded line separator is allowed in the path or not. The
|
||||
* default is not to allow this behavior because it is a frequent source of security
|
||||
* exploits.
|
||||
* @param allowUrlEncodedLineSeparator if URL encoded line separator is allowed in the
|
||||
* URL or not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedLineSeparator(boolean allowUrlEncodedLineSeparator) {
|
||||
if (allowUrlEncodedLineSeparator) {
|
||||
this.decodedUrlBlocklist.removeAll(FORBIDDEN_LINE_SEPARATOR);
|
||||
}
|
||||
else {
|
||||
this.decodedUrlBlocklist.addAll(FORBIDDEN_LINE_SEPARATOR);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines which header names should be allowed. The default is to reject header
|
||||
* names that contain ISO control characters and characters that are not defined.
|
||||
* </p>
|
||||
* @param allowedHeaderNames the predicate for testing header names
|
||||
* @since 5.4
|
||||
* @see Character#isISOControl(int)
|
||||
* @see Character#isDefined(int)
|
||||
*/
|
||||
public void setAllowedHeaderNames(Predicate<String> allowedHeaderNames) {
|
||||
Assert.notNull(allowedHeaderNames, "allowedHeaderNames cannot be null");
|
||||
this.allowedHeaderNames = allowedHeaderNames;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines which header values should be allowed. The default is to reject header
|
||||
* values that contain ISO control characters and characters that are not defined.
|
||||
* </p>
|
||||
* @param allowedHeaderValues the predicate for testing hostnames
|
||||
* @since 5.4
|
||||
* @see Character#isISOControl(int)
|
||||
* @see Character#isDefined(int)
|
||||
*/
|
||||
public void setAllowedHeaderValues(Predicate<String> allowedHeaderValues) {
|
||||
Assert.notNull(allowedHeaderValues, "allowedHeaderValues cannot be null");
|
||||
this.allowedHeaderValues = allowedHeaderValues;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines which parameter names should be allowed. The default is to reject header
|
||||
* names that contain ISO control characters and characters that are not defined.
|
||||
* @param allowedParameterNames the predicate for testing parameter names
|
||||
* @since 5.4
|
||||
* @see Character#isISOControl(int)
|
||||
* @see Character#isDefined(int)
|
||||
*/
|
||||
public void setAllowedParameterNames(Predicate<String> allowedParameterNames) {
|
||||
Assert.notNull(allowedParameterNames, "allowedParameterNames cannot be null");
|
||||
this.allowedParameterNames = allowedParameterNames;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines which parameter values should be allowed. The default is to allow any
|
||||
* parameter value.
|
||||
* </p>
|
||||
* @param allowedParameterValues the predicate for testing parameter values
|
||||
* @since 5.4
|
||||
*/
|
||||
public void setAllowedParameterValues(Predicate<String> allowedParameterValues) {
|
||||
Assert.notNull(allowedParameterValues, "allowedParameterValues cannot be null");
|
||||
this.allowedParameterValues = allowedParameterValues;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines which hostnames should be allowed. The default is to allow any hostname.
|
||||
* </p>
|
||||
* @param allowedHostnames the predicate for testing hostnames
|
||||
* @since 5.2
|
||||
*/
|
||||
public void setAllowedHostnames(Predicate<String> allowedHostnames) {
|
||||
Assert.notNull(allowedHostnames, "allowedHostnames cannot be null");
|
||||
this.allowedHostnames = allowedHostnames;
|
||||
}
|
||||
|
||||
private void urlBlocklistsAddAll(Collection<String> values) {
|
||||
this.encodedUrlBlocklist.addAll(values);
|
||||
this.decodedUrlBlocklist.addAll(values);
|
||||
}
|
||||
|
||||
private void urlBlocklistsRemoveAll(Collection<String> values) {
|
||||
this.encodedUrlBlocklist.removeAll(values);
|
||||
this.decodedUrlBlocklist.removeAll(values);
|
||||
}
|
||||
|
||||
private void rejectNonPrintableAsciiCharactersInFieldName(String toCheck, String propertyName) {
|
||||
if (!containsOnlyPrintableAsciiCharacters(toCheck)) {
|
||||
throw new ServerExchangeRejectedException(String.format(
|
||||
"The %s was rejected because it can only contain printable ASCII characters.", propertyName));
|
||||
}
|
||||
}
|
||||
|
||||
private void rejectForbiddenHttpMethod(ServerHttpRequest request) {
|
||||
if (this.allowedHttpMethods == ALLOW_ANY_HTTP_METHOD) {
|
||||
return;
|
||||
}
|
||||
if (!this.allowedHttpMethods.contains(request.getMethod())) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the HTTP method \"" + request.getMethod()
|
||||
+ "\" was not included within the list of allowed HTTP methods " + this.allowedHttpMethods);
|
||||
}
|
||||
}
|
||||
|
||||
private void rejectedBlocklistedUrls(ServerHttpRequest request) {
|
||||
for (String forbidden : this.encodedUrlBlocklist) {
|
||||
if (encodedUrlContains(request, forbidden)) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the URL contained a potentially malicious String \""
|
||||
+ forbidden + "\"");
|
||||
}
|
||||
}
|
||||
for (String forbidden : this.decodedUrlBlocklist) {
|
||||
if (decodedUrlContains(request, forbidden)) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the URL contained a potentially malicious String \""
|
||||
+ forbidden + "\"");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private void rejectedUntrustedHosts(ServerHttpRequest request) {
|
||||
String hostName = request.getURI().getHost();
|
||||
if (hostName != null && !this.allowedHostnames.test(hostName)) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the domain " + hostName + " is untrusted.");
|
||||
}
|
||||
}
|
||||
|
||||
private static Set<HttpMethod> createDefaultAllowedHttpMethods() {
|
||||
Set<HttpMethod> result = new HashSet<>();
|
||||
result.add(HttpMethod.DELETE);
|
||||
result.add(HttpMethod.GET);
|
||||
result.add(HttpMethod.HEAD);
|
||||
result.add(HttpMethod.OPTIONS);
|
||||
result.add(HttpMethod.PATCH);
|
||||
result.add(HttpMethod.POST);
|
||||
result.add(HttpMethod.PUT);
|
||||
return result;
|
||||
}
|
||||
|
||||
private boolean isNormalized(ServerHttpRequest request) {
|
||||
if (!isNormalized(request.getPath().value())) {
|
||||
return false;
|
||||
}
|
||||
if (!isNormalized(request.getURI().getRawPath())) {
|
||||
return false;
|
||||
}
|
||||
if (!isNormalized(request.getURI().getPath())) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private void validateAllowedHeaderName(String headerNames) {
|
||||
if (!StrictServerWebExchangeFirewall.this.allowedHeaderNames.test(headerNames)) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the header name \"" + headerNames + "\" is not allowed.");
|
||||
}
|
||||
}
|
||||
|
||||
private void validateAllowedHeaderValue(Object key, String value) {
|
||||
if (!StrictServerWebExchangeFirewall.this.allowedHeaderValues.test(value)) {
|
||||
throw new ServerExchangeRejectedException("The request was rejected because the header: \"" + key
|
||||
+ " \" has a value \"" + value + "\" that is not allowed.");
|
||||
}
|
||||
}
|
||||
|
||||
private void validateAllowedParameterName(String name) {
|
||||
if (!StrictServerWebExchangeFirewall.this.allowedParameterNames.test(name)) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the parameter name \"" + name + "\" is not allowed.");
|
||||
}
|
||||
}
|
||||
|
||||
private void validateAllowedParameterValue(String name, String value) {
|
||||
if (!StrictServerWebExchangeFirewall.this.allowedParameterValues.test(value)) {
|
||||
throw new ServerExchangeRejectedException("The request was rejected because the parameter: \"" + name
|
||||
+ " \" has a value \"" + value + "\" that is not allowed.");
|
||||
}
|
||||
}
|
||||
|
||||
private static boolean encodedUrlContains(ServerHttpRequest request, String value) {
|
||||
if (valueContains(request.getPath().value(), value)) {
|
||||
return true;
|
||||
}
|
||||
return valueContains(request.getURI().getRawPath(), value);
|
||||
}
|
||||
|
||||
private static boolean decodedUrlContains(ServerHttpRequest request, String value) {
|
||||
return valueContains(request.getURI().getPath(), value);
|
||||
}
|
||||
|
||||
private static boolean containsOnlyPrintableAsciiCharacters(String uri) {
|
||||
if (uri == null) {
|
||||
return true;
|
||||
}
|
||||
int length = uri.length();
|
||||
for (int i = 0; i < length; i++) {
|
||||
char ch = uri.charAt(i);
|
||||
if (ch < '\u0020' || ch > '\u007e') {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private static boolean valueContains(String value, String contains) {
|
||||
return value != null && value.contains(contains);
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks whether a path is normalized (doesn't contain path traversal sequences like
|
||||
* "./", "/../" or "/.")
|
||||
* @param path the path to test
|
||||
* @return true if the path doesn't contain any path-traversal character sequences.
|
||||
*/
|
||||
private static boolean isNormalized(String path) {
|
||||
if (path == null) {
|
||||
return true;
|
||||
}
|
||||
for (int i = path.length(); i > 0;) {
|
||||
int slashIndex = path.lastIndexOf('/', i - 1);
|
||||
int gap = i - slashIndex;
|
||||
if (gap == 2 && path.charAt(slashIndex + 1) == '.') {
|
||||
return false; // ".", "/./" or "/."
|
||||
}
|
||||
if (gap == 3 && path.charAt(slashIndex + 1) == '.' && path.charAt(slashIndex + 2) == '.') {
|
||||
return false;
|
||||
}
|
||||
i = slashIndex;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private final class StrictFirewallServerWebExchange extends ServerWebExchangeDecorator {
|
||||
|
||||
private StrictFirewallServerWebExchange(ServerWebExchange delegate) {
|
||||
super(delegate);
|
||||
}
|
||||
|
||||
@Override
|
||||
public ServerHttpRequest getRequest() {
|
||||
return new StrictFirewallHttpRequest(super.getRequest());
|
||||
}
|
||||
|
||||
private final class StrictFirewallHttpRequest extends ServerHttpRequestDecorator {
|
||||
|
||||
private StrictFirewallHttpRequest(ServerHttpRequest delegate) {
|
||||
super(delegate);
|
||||
}
|
||||
|
||||
@Override
|
||||
public HttpHeaders getHeaders() {
|
||||
return new StrictFirewallHttpHeaders(super.getHeaders());
|
||||
}
|
||||
|
||||
@Override
|
||||
public MultiValueMap<String, String> getQueryParams() {
|
||||
MultiValueMap<String, String> queryParams = super.getQueryParams();
|
||||
for (Map.Entry<String, List<String>> paramEntry : queryParams.entrySet()) {
|
||||
String paramName = paramEntry.getKey();
|
||||
validateAllowedParameterName(paramName);
|
||||
for (String paramValue : paramEntry.getValue()) {
|
||||
validateAllowedParameterValue(paramName, paramValue);
|
||||
}
|
||||
}
|
||||
return queryParams;
|
||||
}
|
||||
|
||||
private final class StrictFirewallHttpHeaders extends HttpHeaders {
|
||||
|
||||
private StrictFirewallHttpHeaders(HttpHeaders delegate) {
|
||||
super(delegate);
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getFirst(String headerName) {
|
||||
validateAllowedHeaderName(headerName);
|
||||
String headerValue = super.getFirst(headerName);
|
||||
validateAllowedHeaderValue(headerName, headerValue);
|
||||
return headerValue;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<String> get(Object key) {
|
||||
if (key instanceof String) {
|
||||
String headerName = (String) key;
|
||||
validateAllowedHeaderName(headerName);
|
||||
}
|
||||
List<String> headerValues = super.get(key);
|
||||
if (headerValues == null) {
|
||||
return headerValues;
|
||||
}
|
||||
for (String headerValue : headerValues) {
|
||||
validateAllowedHeaderValue(key, headerValue);
|
||||
}
|
||||
return headerValues;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Set<String> keySet() {
|
||||
Set<String> headerNames = super.keySet();
|
||||
for (String headerName : headerNames) {
|
||||
validateAllowedHeaderName(headerName);
|
||||
}
|
||||
return headerNames;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
@@ -16,6 +16,7 @@
|
||||
|
||||
package org.springframework.security.web.util;
|
||||
|
||||
import java.util.Locale;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
@@ -49,7 +50,7 @@ public final class UrlUtils {
|
||||
*/
|
||||
public static String buildFullRequestUrl(String scheme, String serverName, int serverPort, String requestURI,
|
||||
String queryString) {
|
||||
scheme = scheme.toLowerCase();
|
||||
scheme = scheme.toLowerCase(Locale.ENGLISH);
|
||||
StringBuilder url = new StringBuilder();
|
||||
url.append(scheme).append("://").append(serverName);
|
||||
// Only add port if not default
|
||||
|
||||
+4
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -17,6 +17,7 @@
|
||||
package org.springframework.security.web.util.matcher;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
@@ -267,7 +268,7 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
|
||||
|
||||
private SubpathMatcher(String subpath, boolean caseSensitive) {
|
||||
Assert.isTrue(!subpath.contains("*"), "subpath cannot contain \"*\"");
|
||||
this.subpath = caseSensitive ? subpath : subpath.toLowerCase();
|
||||
this.subpath = caseSensitive ? subpath : subpath.toLowerCase(Locale.ROOT);
|
||||
this.length = subpath.length();
|
||||
this.caseSensitive = caseSensitive;
|
||||
}
|
||||
@@ -275,7 +276,7 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
|
||||
@Override
|
||||
public boolean matches(String path) {
|
||||
if (!this.caseSensitive) {
|
||||
path = path.toLowerCase();
|
||||
path = path.toLowerCase(Locale.ROOT);
|
||||
}
|
||||
return path.startsWith(this.subpath) && (path.length() == this.length || path.charAt(this.length) == '/');
|
||||
}
|
||||
|
||||
+75
@@ -23,6 +23,9 @@ import org.junit.jupiter.api.Test;
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
|
||||
import org.springframework.security.web.server.firewall.ServerExchangeRejectedHandler;
|
||||
import org.springframework.security.web.server.firewall.ServerWebExchangeFirewall;
|
||||
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
|
||||
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
|
||||
import org.springframework.test.web.reactive.server.WebTestClient;
|
||||
@@ -30,6 +33,12 @@ import org.springframework.web.server.ServerWebExchange;
|
||||
import org.springframework.web.server.WebFilter;
|
||||
import org.springframework.web.server.WebFilterChain;
|
||||
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoInteractions;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
* @since 5.0
|
||||
@@ -47,6 +56,72 @@ public class WebFilterChainProxyTests {
|
||||
.isNotFound();
|
||||
}
|
||||
|
||||
@Test
|
||||
void doFilterWhenFirewallThenBadRequest() {
|
||||
List<WebFilter> filters = Arrays.asList(new Http200WebFilter());
|
||||
ServerWebExchangeMatcher notMatch = (exchange) -> MatchResult.notMatch();
|
||||
MatcherSecurityWebFilterChain chain = new MatcherSecurityWebFilterChain(notMatch, filters);
|
||||
WebFilterChainProxy filter = new WebFilterChainProxy(chain);
|
||||
WebTestClient.bindToController(new Object()).webFilter(filter).build().get().uri("/invalid;/").exchange()
|
||||
.expectStatus().isBadRequest();
|
||||
}
|
||||
|
||||
@Test
|
||||
void doFilterWhenCustomFirewallThenInvoked() {
|
||||
List<WebFilter> filters = Arrays.asList(new Http200WebFilter());
|
||||
ServerWebExchangeMatcher notMatch = (exchange) -> MatchResult.notMatch();
|
||||
MatcherSecurityWebFilterChain chain = new MatcherSecurityWebFilterChain(notMatch, filters);
|
||||
WebFilterChainProxy filter = new WebFilterChainProxy(chain);
|
||||
ServerExchangeRejectedHandler handler = mock(ServerExchangeRejectedHandler.class);
|
||||
ServerWebExchangeFirewall firewall = mock(ServerWebExchangeFirewall.class);
|
||||
filter.setFirewall(firewall);
|
||||
filter.setExchangeRejectedHandler(handler);
|
||||
WebTestClient.bindToController(new Object()).webFilter(filter).build().get().exchange();
|
||||
verify(firewall).getFirewalledExchange(any());
|
||||
verifyNoInteractions(handler);
|
||||
}
|
||||
|
||||
@Test
|
||||
void doFilterWhenCustomExchangeRejectedHandlerThenInvoked() {
|
||||
List<WebFilter> filters = Arrays.asList(new Http200WebFilter());
|
||||
ServerWebExchangeMatcher notMatch = (exchange) -> MatchResult.notMatch();
|
||||
MatcherSecurityWebFilterChain chain = new MatcherSecurityWebFilterChain(notMatch, filters);
|
||||
WebFilterChainProxy filter = new WebFilterChainProxy(chain);
|
||||
ServerExchangeRejectedHandler handler = mock(ServerExchangeRejectedHandler.class);
|
||||
ServerWebExchangeFirewall firewall = mock(ServerWebExchangeFirewall.class);
|
||||
given(firewall.getFirewalledExchange(any()))
|
||||
.willReturn(Mono.error(new ServerExchangeRejectedException("Oops")));
|
||||
filter.setFirewall(firewall);
|
||||
filter.setExchangeRejectedHandler(handler);
|
||||
WebTestClient.bindToController(new Object()).webFilter(filter).build().get().exchange();
|
||||
verify(firewall).getFirewalledExchange(any());
|
||||
verify(handler).handle(any(), any());
|
||||
}
|
||||
|
||||
@Test
|
||||
void doFilterWhenDelayedServerExchangeRejectedException() {
|
||||
List<WebFilter> filters = Arrays.asList(new WebFilter() {
|
||||
@Override
|
||||
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
|
||||
// simulate a delayed error (e.g. reading parameters)
|
||||
return Mono.error(new ServerExchangeRejectedException("Ooops"));
|
||||
}
|
||||
});
|
||||
ServerWebExchangeMatcher match = (exchange) -> MatchResult.match();
|
||||
MatcherSecurityWebFilterChain chain = new MatcherSecurityWebFilterChain(match, filters);
|
||||
WebFilterChainProxy filter = new WebFilterChainProxy(chain);
|
||||
ServerExchangeRejectedHandler handler = mock(ServerExchangeRejectedHandler.class);
|
||||
filter.setExchangeRejectedHandler(handler);
|
||||
// @formatter:off
|
||||
WebTestClient.bindToController(new Object())
|
||||
.webFilter(filter)
|
||||
.build()
|
||||
.get()
|
||||
.exchange();
|
||||
// @formatter:on
|
||||
verify(handler).handle(any(), any());
|
||||
}
|
||||
|
||||
static class Http200WebFilter implements WebFilter {
|
||||
|
||||
@Override
|
||||
|
||||
+512
@@ -0,0 +1,512 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.firewall;
|
||||
|
||||
import java.net.URI;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.http.ResponseCookie;
|
||||
import org.springframework.http.server.reactive.ServerHttpRequest;
|
||||
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
|
||||
import org.springframework.mock.web.server.MockServerWebExchange;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
|
||||
/**
|
||||
* Tests for {@link StrictServerWebExchangeFirewall}.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 5.7.13
|
||||
*/
|
||||
class StrictServerWebExchangeFirewallTests {
|
||||
|
||||
public String[] unnormalizedPaths = { "http://exploit.example/..", "http://exploit.example/./path/",
|
||||
"http://exploit.example/path/path/.", "http://exploit.example/path/path//.",
|
||||
"http://exploit.example/./path/../path//.", "http://exploit.example/./path",
|
||||
"http://exploit.example/.//path", "http://exploit.example/.", "http://exploit.example//path",
|
||||
"http://exploit.example//path/path", "http://exploit.example//path//path",
|
||||
"http://exploit.example/path//path" };
|
||||
|
||||
private StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall();
|
||||
|
||||
private MockServerHttpRequest.BaseBuilder<?> request = get("/");
|
||||
|
||||
@Test
|
||||
void cookieWhenHasNewLineThenThrowsException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> ResponseCookie.from("test", "Something\nhere").build());
|
||||
}
|
||||
|
||||
@Test
|
||||
void cookieWhenHasLineFeedThenThrowsException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> ResponseCookie.from("test", "Something\rhere").build());
|
||||
}
|
||||
|
||||
@Test
|
||||
void responseHeadersWhenValueHasNewLineThenThrowsException() {
|
||||
this.request = MockServerHttpRequest.get("/");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
exchange.getResponse().getHeaders().set("FOO", "new\nline");
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> exchange.getResponse().setComplete().block());
|
||||
}
|
||||
|
||||
@Test
|
||||
void responseHeadersWhenValueHasLineFeedThenThrowsException() {
|
||||
this.request = MockServerHttpRequest.get("/");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
exchange.getResponse().getHeaders().set("FOO", "line\rfeed");
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> exchange.getResponse().setComplete().block());
|
||||
}
|
||||
|
||||
@Test
|
||||
void responseHeadersWhenNameHasNewLineThenThrowsException() {
|
||||
this.request = MockServerHttpRequest.get("/");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
exchange.getResponse().getHeaders().set("new\nline", "FOO");
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> exchange.getResponse().setComplete().block());
|
||||
}
|
||||
|
||||
@Test
|
||||
void responseHeadersWhenNameHasLineFeedThenThrowsException() {
|
||||
this.request = MockServerHttpRequest.get("/");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
exchange.getResponse().getHeaders().set("line\rfeed", "FOO");
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> exchange.getResponse().setComplete().block());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenInvalidMethodThenThrowsServerExchangeRejectedException() {
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> MockServerHttpRequest.method(HttpMethod.valueOf("INVALID"), "/"));
|
||||
}
|
||||
|
||||
private ServerWebExchange getFirewalledExchange() {
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request.build());
|
||||
return this.firewall.getFirewalledExchange(exchange).block();
|
||||
}
|
||||
|
||||
private MockServerHttpRequest.BodyBuilder get(String uri) {
|
||||
URI url = URI.create(uri);
|
||||
return MockServerHttpRequest.method(HttpMethod.GET, url);
|
||||
}
|
||||
|
||||
// blocks XST attacks
|
||||
@Test
|
||||
void getFirewalledExchangeWhenTraceMethodThenThrowsServerExchangeRejectedException() {
|
||||
this.request = MockServerHttpRequest.method(HttpMethod.TRACE, "/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
// blocks XST attack if request is forwarded to a Microsoft IIS web server
|
||||
void getFirewalledExchangeWhenTrackMethodThenThrowsServerExchangeRejectedException() {
|
||||
this.request = MockServerHttpRequest.method(HttpMethod.TRACE, "/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
// HTTP methods are case sensitive
|
||||
void getFirewalledExchangeWhenLowercaseGetThenThrowsServerExchangeRejectedException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> HttpMethod.valueOf("get"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowedThenNoException() {
|
||||
List<String> allowedMethods = Arrays.asList("DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT");
|
||||
for (String allowedMethod : allowedMethods) {
|
||||
this.request = MockServerHttpRequest.method(HttpMethod.valueOf(allowedMethod), "/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenInvalidMethodAndAnyMethodThenNoException() {
|
||||
this.firewall.setUnsafeAllowAnyHttpMethod(true);
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> MockServerHttpRequest.method(HttpMethod.valueOf("INVALID"), "/"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenURINotNormalizedThenThrowsServerExchangeRejectedException() {
|
||||
for (String path : this.unnormalizedPaths) {
|
||||
this.request = get(path);
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class)
|
||||
.describedAs("The path '" + path + "' is not normalized").isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenSemicolonInRequestUriThenThrowsServerExchangeRejectedException() {
|
||||
this.request = get("/path;/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenEncodedSemicolonInRequestUriThenThrowsServerExchangeRejectedException() {
|
||||
this.request = get("/path%3B/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenLowercaseEncodedSemicolonInRequestUriThenThrowsServerExchangeRejectedException() {
|
||||
this.request = MockServerHttpRequest.method(HttpMethod.GET, URI.create("/path%3b/"));
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenSemicolonInRequestUriAndAllowSemicolonThenNoException() {
|
||||
this.firewall.setAllowSemicolon(true);
|
||||
this.request = get("/path;/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenEncodedSemicolonInRequestUriAndAllowSemicolonThenNoException() {
|
||||
this.firewall.setAllowSemicolon(true);
|
||||
this.request = get("/path%3B/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenLowercaseEncodedSemicolonInRequestUriAndAllowSemicolonThenNoException() {
|
||||
this.firewall.setAllowSemicolon(true);
|
||||
this.request = get("/path%3b/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenLowercaseEncodedPeriodInThenThrowsServerExchangeRejectedException() {
|
||||
this.request = get("/%2e/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsLowerboundAsciiThenNoException() {
|
||||
this.request = get("/%20");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsUpperboundAsciiThenNoException() {
|
||||
this.request = get("/~");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenJapaneseCharacterThenNoException() {
|
||||
// FIXME: .method(HttpMethod.GET to .get and similar methods
|
||||
this.request = get("/\u3042");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsEncodedNullThenException() {
|
||||
this.request = get("/something%00/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsLowercaseEncodedLineFeedThenException() {
|
||||
this.request = get("/something%0a/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsUppercaseEncodedLineFeedThenException() {
|
||||
this.request = get("/something%0A/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsLowercaseEncodedCarriageReturnThenException() {
|
||||
this.request = get("/something%0d/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsUppercaseEncodedCarriageReturnThenException() {
|
||||
this.request = get("/something%0D/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsLowercaseEncodedLineFeedAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedLineFeed(true);
|
||||
this.request = get("/something%0a/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsUppercaseEncodedLineFeedAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedLineFeed(true);
|
||||
this.request = get("/something%0A/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsLowercaseEncodedCarriageReturnAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedCarriageReturn(true);
|
||||
this.request = get("/something%0d/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsUppercaseEncodedCarriageReturnAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedCarriageReturn(true);
|
||||
this.request = get("/something%0D/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
/**
|
||||
* On WebSphere 8.5 a URL like /context-root/a/b;%2f1/c can bypass a rule on /a/b/c
|
||||
* because the pathInfo is /a/b;/1/c which ends up being /a/b/1/c while Spring MVC
|
||||
* will strip the ; content from requestURI before the path is URL decoded.
|
||||
*/
|
||||
@Test
|
||||
void getFirewalledExchangeWhenLowercaseEncodedPathThenException() {
|
||||
this.request = get("/context-root/a/b;%2f1/c");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenUppercaseEncodedPathThenException() {
|
||||
this.request = get("/context-root/a/b;%2F1/c");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowUrlEncodedSlashAndLowercaseEncodedPathThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.firewall.setAllowSemicolon(true);
|
||||
this.request = get("/context-root/a/b;%2f1/c");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowUrlEncodedSlashAndUppercaseEncodedPathThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.firewall.setAllowSemicolon(true);
|
||||
this.request = get("/context-root/a/b;%2F1/c");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowUrlLowerCaseEncodedDoubleSlashThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.firewall.setAllowUrlEncodedDoubleSlash(true);
|
||||
this.request = get("/context-root/a/b%2f%2fc");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowUrlUpperCaseEncodedDoubleSlashThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.firewall.setAllowUrlEncodedDoubleSlash(true);
|
||||
this.request = get("/context-root/a/b%2F%2Fc");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowUrlLowerCaseAndUpperCaseEncodedDoubleSlashThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.firewall.setAllowUrlEncodedDoubleSlash(true);
|
||||
this.request = get("/context-root/a/b%2f%2Fc");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowUrlUpperCaseAndLowerCaseEncodedDoubleSlashThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.firewall.setAllowUrlEncodedDoubleSlash(true);
|
||||
this.request = get("/context-root/a/b%2F%2fc");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenRemoveFromUpperCaseEncodedUrlBlocklistThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.request = get("/context-root/a/b%2Fc");
|
||||
this.firewall.getEncodedUrlBlocklist().removeAll(Arrays.asList("%2F%2F"));
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenRemoveFromDecodedUrlBlocklistThenNoException() {
|
||||
this.request = get("/a/b%2F%2Fc");
|
||||
this.firewall.getDecodedUrlBlocklist().removeAll(Arrays.asList("//"));
|
||||
this.firewall.getEncodedUrlBlocklist().removeAll(Arrays.asList("%2F%2F"));
|
||||
this.firewall.getEncodedUrlBlocklist().removeAll(Arrays.asList("%2F"));
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenTrustedDomainThenNoException() {
|
||||
this.request.header("Host", "example.org");
|
||||
this.firewall.setAllowedHostnames((hostname) -> hostname.equals("example.org"));
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenUntrustedDomainThenException() {
|
||||
this.request = get("https://example.org");
|
||||
this.firewall.setAllowedHostnames((hostname) -> hostname.equals("myexample.org"));
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenNotAllowedHeaderNameThenException() {
|
||||
this.firewall.setAllowedHeaderNames((name) -> !name.equals("bad name"));
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("bad name"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenHeaderNameNotAllowedWithAugmentedHeaderNamesThenException() {
|
||||
this.firewall.setAllowedHeaderNames(
|
||||
StrictServerWebExchangeFirewall.ALLOWED_HEADER_NAMES.and((name) -> !name.equals("bad name")));
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.getFirst("bad name"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenNotAllowedHeaderValueThenException() {
|
||||
this.request.header("good name", "bad value");
|
||||
this.firewall.setAllowedHeaderValues((value) -> !value.equals("bad value"));
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("good name"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenHeaderValueNotAllowedWithAugmentedHeaderValuesThenException() {
|
||||
this.request.header("good name", "bad value");
|
||||
this.firewall.setAllowedHeaderValues(
|
||||
StrictServerWebExchangeFirewall.ALLOWED_HEADER_VALUES.and((value) -> !value.equals("bad value")));
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("good name"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetDateHeaderWhenControlCharacterInHeaderNameThenException() {
|
||||
this.request.header("Bad\0Name", "some value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("Bad\0Name"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenUndefinedCharacterInHeaderNameThenException() {
|
||||
this.request.header("Bad\uFFFEName", "some value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("Bad\uFFFEName"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeadersWhenControlCharacterInHeaderNameThenException() {
|
||||
this.request.header("Bad\0Name", "some value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("Bad\0Name"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderNamesWhenControlCharacterInHeaderNameThenException() {
|
||||
this.request.header("Bad\0Name", "some value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class)
|
||||
.isThrownBy(() -> headers.keySet().iterator().next());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenControlCharacterInHeaderValueThenException() {
|
||||
this.request.header("Something", "bad\0value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("Something"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenHorizontalTabInHeaderValueThenNoException() {
|
||||
this.request.header("Something", "tab\tvalue");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThat(headers.getFirst("Something")).isEqualTo("tab\tvalue");
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenUndefinedCharacterInHeaderValueThenException() {
|
||||
this.request.header("Something", "bad\uFFFEvalue");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class)
|
||||
.isThrownBy(() -> headers.getFirst("Something"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeadersWhenControlCharacterInHeaderValueThenException() {
|
||||
this.request.header("Something", "bad\0value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("Something"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetParameterWhenControlCharacterInParameterNameThenException() {
|
||||
this.request.queryParam("Bad\0Name", "some value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
ServerHttpRequest request = exchange.getRequest();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(request::getQueryParams);
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetParameterValuesWhenNotAllowedInParameterValueThenException() {
|
||||
this.firewall.setAllowedParameterValues((value) -> !value.equals("bad value"));
|
||||
this.request.queryParam("Something", "bad value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
ServerHttpRequest request = exchange.getRequest();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> request.getQueryParams());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetParameterValuesWhenNotAllowedInParameterNameThenException() {
|
||||
this.firewall.setAllowedParameterNames((value) -> !value.equals("bad name"));
|
||||
this.request.queryParam("bad name", "good value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
ServerHttpRequest request = exchange.getRequest();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> request.getQueryParams());
|
||||
}
|
||||
|
||||
// gh-9598
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenNameIsNullThenNull() {
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
assertThat(exchange.getRequest().getHeaders().get(null)).isNull();
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user