mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-07-04 17:52:15 +00:00
RequestRejectedException is 400 by Default
Closes gh-7568
This commit is contained in:
Rob Winch
parent
0137f94f3b
commit
f34ea188e2
@ -33,8 +33,8 @@ import org.springframework.security.web.firewall.HttpFirewall;
|
|||||||
import org.springframework.security.web.firewall.RequestRejectedException;
|
import org.springframework.security.web.firewall.RequestRejectedException;
|
||||||
import org.springframework.test.web.servlet.MockMvc;
|
import org.springframework.test.web.servlet.MockMvc;
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
|
||||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||||
|
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Tests to verify that all the functionality of <http-firewall> attributes is
|
* Tests to verify that all the functionality of <http-firewall> attributes is
|
||||||
@ -52,24 +52,21 @@ public class NamespaceHttpFirewallTests {
|
|||||||
MockMvc mvc;
|
MockMvc mvc;
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void requestWhenPathContainsDoubleDotsThenBehaviorMatchesNamespace() {
|
public void requestWhenPathContainsDoubleDotsThenBehaviorMatchesNamespace() throws Exception {
|
||||||
this.rule.register(HttpFirewallConfig.class).autowire();
|
this.rule.register(HttpFirewallConfig.class).autowire();
|
||||||
assertThatExceptionOfType(RequestRejectedException.class)
|
this.mvc.perform(get("/public/../private/")).andExpect(status().isBadRequest());
|
||||||
.isThrownBy(() -> this.mvc.perform(get("/public/../private/")));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void requestWithCustomFirewallThenBehaviorMatchesNamespace() {
|
public void requestWithCustomFirewallThenBehaviorMatchesNamespace() throws Exception {
|
||||||
this.rule.register(CustomHttpFirewallConfig.class).autowire();
|
this.rule.register(CustomHttpFirewallConfig.class).autowire();
|
||||||
assertThatExceptionOfType(RequestRejectedException.class)
|
this.mvc.perform(get("/").param("deny", "true")).andExpect(status().isBadRequest());
|
||||||
.isThrownBy(() -> this.mvc.perform(get("/").param("deny", "true")));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void requestWithCustomFirewallBeanThenBehaviorMatchesNamespace() {
|
public void requestWithCustomFirewallBeanThenBehaviorMatchesNamespace() throws Exception {
|
||||||
this.rule.register(CustomHttpFirewallBeanConfig.class).autowire();
|
this.rule.register(CustomHttpFirewallBeanConfig.class).autowire();
|
||||||
assertThatExceptionOfType(RequestRejectedException.class)
|
this.mvc.perform(get("/").param("deny", "true")).andExpect(status().isBadRequest());
|
||||||
.isThrownBy(() -> this.mvc.perform(get("/").param("deny", "true")));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
|
|||||||
@ -21,6 +21,7 @@ import org.junit.jupiter.api.Test;
|
|||||||
import org.junit.jupiter.api.extension.ExtendWith;
|
import org.junit.jupiter.api.extension.ExtendWith;
|
||||||
|
|
||||||
import org.springframework.beans.factory.annotation.Autowired;
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.http.HttpStatus;
|
||||||
import org.springframework.mock.web.MockFilterChain;
|
import org.springframework.mock.web.MockFilterChain;
|
||||||
import org.springframework.mock.web.MockHttpServletRequest;
|
import org.springframework.mock.web.MockHttpServletRequest;
|
||||||
import org.springframework.mock.web.MockHttpServletResponse;
|
import org.springframework.mock.web.MockHttpServletResponse;
|
||||||
@ -29,11 +30,10 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
|
|||||||
import org.springframework.security.core.context.SecurityContextHolder;
|
import org.springframework.security.core.context.SecurityContextHolder;
|
||||||
import org.springframework.security.web.FilterChainProxy;
|
import org.springframework.security.web.FilterChainProxy;
|
||||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||||
import org.springframework.security.web.firewall.RequestRejectedException;
|
|
||||||
import org.springframework.test.context.ContextConfiguration;
|
import org.springframework.test.context.ContextConfiguration;
|
||||||
import org.springframework.test.context.junit.jupiter.SpringExtension;
|
import org.springframework.test.context.junit.jupiter.SpringExtension;
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
|
|
||||||
@ContextConfiguration(locations = { "/http-path-param-stripping-app-context.xml" })
|
@ContextConfiguration(locations = { "/http-path-param-stripping-app-context.xml" })
|
||||||
@ExtendWith(SpringExtension.class)
|
@ExtendWith(SpringExtension.class)
|
||||||
@ -48,8 +48,8 @@ public class HttpPathParameterStrippingTests {
|
|||||||
request.setPathInfo("/secured;x=y/admin.html");
|
request.setPathInfo("/secured;x=y/admin.html");
|
||||||
request.setSession(createAuthenticatedSession("ROLE_USER"));
|
request.setSession(createAuthenticatedSession("ROLE_USER"));
|
||||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||||
assertThatExceptionOfType(RequestRejectedException.class)
|
this.fcp.doFilter(request, response, new MockFilterChain());
|
||||||
.isThrownBy(() -> this.fcp.doFilter(request, response, new MockFilterChain()));
|
assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -58,8 +58,8 @@ public class HttpPathParameterStrippingTests {
|
|||||||
request.setServletPath("/secured/admin.html;x=user.html");
|
request.setServletPath("/secured/admin.html;x=user.html");
|
||||||
request.setSession(createAuthenticatedSession("ROLE_USER"));
|
request.setSession(createAuthenticatedSession("ROLE_USER"));
|
||||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||||
assertThatExceptionOfType(RequestRejectedException.class)
|
this.fcp.doFilter(request, response, new MockFilterChain());
|
||||||
.isThrownBy(() -> this.fcp.doFilter(request, response, new MockFilterChain()));
|
assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -69,8 +69,8 @@ public class HttpPathParameterStrippingTests {
|
|||||||
request.setPathInfo("/admin.html;x=user.html");
|
request.setPathInfo("/admin.html;x=user.html");
|
||||||
request.setSession(createAuthenticatedSession("ROLE_USER"));
|
request.setSession(createAuthenticatedSession("ROLE_USER"));
|
||||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||||
assertThatExceptionOfType(RequestRejectedException.class)
|
this.fcp.doFilter(request, response, new MockFilterChain());
|
||||||
.isThrownBy(() -> this.fcp.doFilter(request, response, new MockFilterChain()));
|
assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value());
|
||||||
}
|
}
|
||||||
|
|
||||||
public HttpSession createAuthenticatedSession(String... roles) {
|
public HttpSession createAuthenticatedSession(String... roles) {
|
||||||
|
|||||||
@ -33,9 +33,9 @@ import org.apache.commons.logging.LogFactory;
|
|||||||
|
|
||||||
import org.springframework.core.log.LogMessage;
|
import org.springframework.core.log.LogMessage;
|
||||||
import org.springframework.security.core.context.SecurityContextHolder;
|
import org.springframework.security.core.context.SecurityContextHolder;
|
||||||
import org.springframework.security.web.firewall.DefaultRequestRejectedHandler;
|
|
||||||
import org.springframework.security.web.firewall.FirewalledRequest;
|
import org.springframework.security.web.firewall.FirewalledRequest;
|
||||||
import org.springframework.security.web.firewall.HttpFirewall;
|
import org.springframework.security.web.firewall.HttpFirewall;
|
||||||
|
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
|
||||||
import org.springframework.security.web.firewall.RequestRejectedException;
|
import org.springframework.security.web.firewall.RequestRejectedException;
|
||||||
import org.springframework.security.web.firewall.RequestRejectedHandler;
|
import org.springframework.security.web.firewall.RequestRejectedHandler;
|
||||||
import org.springframework.security.web.firewall.StrictHttpFirewall;
|
import org.springframework.security.web.firewall.StrictHttpFirewall;
|
||||||
@ -151,7 +151,7 @@ public class FilterChainProxy extends GenericFilterBean {
|
|||||||
|
|
||||||
private HttpFirewall firewall = new StrictHttpFirewall();
|
private HttpFirewall firewall = new StrictHttpFirewall();
|
||||||
|
|
||||||
private RequestRejectedHandler requestRejectedHandler = new DefaultRequestRejectedHandler();
|
private RequestRejectedHandler requestRejectedHandler = new HttpStatusRequestRejectedHandler();
|
||||||
|
|
||||||
public FilterChainProxy() {
|
public FilterChainProxy() {
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user