Having upgraded to spring security 4.2.4 I discovered that StrictHttpFirewall is now the default. Unfortunately it doesn't play well with spring MVC @MatrixVariable since ";" are not allowed anymore. How to get around that?
Example:
    @GetMapping(path = "/{param}")
    public void example(@PathVariable String param,
                        @MatrixVariable Map<String, String> matrix) {
        //...
    }
This could be called like this:
mockMvc.perform(get("/someparam;key=value"))
And the matrix map would be populated. Now spring security blocks it.
    org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
        at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:140)
I could use a custom HttpFirewall that would allow semicolons. Is there a way to use @MatrixVariable without using forbidden characters?
BTW: the javadoc is incorrect https://docs.spring.io/autorepo/docs/spring-security/4.2.x/apidocs/index.html?org/springframework/security/web/firewall/StrictHttpFirewall.html
Since: 5.0.1
I guess it was backported?
The StrictHttpFirewall provides an allowed list of valid HTTP methods that are allowed to protect against Cross Site Tracing (XST) and HTTP Verb Tampering.
There is no way to disable this, as it is considered extremely risky to disable this constraint. A few options to allow this behavior are to normalize the request prior to the firewall or to use DefaultHttpFirewall instead.
You can dilute the default Spring Security firewall using your own custom-defined instance of StrictHttpFirewall (at your own risk):
    @Bean
    public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        firewall.setAllowSemicolon(true);
        return firewall;
    }
And then use this custom firewall bean in WebSecurity (Spring Boot does not need this change):
    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
        // @formatter:off
        web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
        ...
    }
That should work with Spring Security 4.2.4+, but of course it brings some risks!
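As an added illustration (not code from the question or the answer above), the following hypothetical helper runs a matrix-variable URI through the default StrictHttpFirewall and through one that only has setAllowSemicolon(true) enabled, so you can confirm that opening ";" alone leaves the encoded-slash rejection in place. It assumes spring-test's MockHttpServletRequest and the javax.servlet API used by Spring Security 4.2/5.x are on the classpath.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/**
 * Hypothetical helper (not part of the original post) that reports whether a
 * given HttpFirewall lets a request URI through to the filter chain.
 */
public class SemicolonFirewallCheck {

    /** Returns true when the firewall accepts the URI, false when it rejects it. */
    static boolean accepts(HttpFirewall firewall, String uri) {
        // Constructed request: method GET, no context path, the URI under test.
        HttpServletRequest request = new MockHttpServletRequest("GET", uri);
        try {
            firewall.getFirewalledRequest(request);
            return true;
        } catch (RequestRejectedException rejected) {
            return false;
        }
    }

    /**
     * Narrower variant of the answer's bean: only ';' is opened so that
     * /{param};key=value reaches @MatrixVariable; setAllowUrlEncodedSlash is
     * left at its default (false).
     */
    static HttpFirewall semicolonOnlyFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        return firewall;
    }

    public static void main(String[] args) {
        // Constructed sample URIs: one with a matrix variable, one with an
        // encoded slash that the strict firewall should keep rejecting.
        String matrixUri = "/someparam;key=value";
        String encodedSlashUri = "/someparam%2Fother";

        System.out.println("default, matrix uri:        "
                + accepts(new StrictHttpFirewall(), matrixUri));
        System.out.println("semicolon-only, matrix uri: "
                + accepts(semicolonOnlyFirewall(), matrixUri));
        System.out.println("semicolon-only, %2F uri:    "
                + accepts(semicolonOnlyFirewall(), encodedSlashUri));
    }
}
```

Running this with the default firewall rejects the matrix URI, while the semicolon-only firewall accepts it and still rejects the %2F URI; wiring it into a unit test documents exactly which protection your deployment has traded away.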