An error is reported when Chinese attributes are set in the request header. In the StrictHttpFirewall class, when the validateAllowedHeaderValue method is invoked, the value in the header is verified. If the value that contains Chinese characters is added to the header, the verification fails.
Comment From: sjohnr
Hi @yangdong6, what version of Spring Security are you using?
Comment From: shawnyang02
I use versions 5.6.3 and 5.6.5.
Comment From: sjohnr
Thanks @yangdong6. This seems to have been an issue for some time, whether it is expected behavior or a bug. Take a look at HttpFirewall in the reference docs. You may be interested in:
StrictHttpFirewall also checks header names and values and parameter names. It requires that each character have a defined code point and not be a control character.
It goes on to state that you can adjust this behavior. For example, you can use StrictHttpFirewall#setAllowedHeaderValues(Predicate) to allow Chinese characters that are normally blocked. (I'm not sure how recommended that is, but if it's an issue for you it may be a valid workaround in your situation.)
It may be a few days before we can look into this issue deeper. Does this workaround move you past this issue in the meantime?
Comment From: shawnyang02
Thanks very much. Your suggestion is very useful. But I don't know how to use the bean annotation.

    @Bean
    public StrictHttpFirewall httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowedHeaderNames((header) -> true);
        firewall.setAllowedHeaderValues((header) -> true);
        firewall.setAllowedParameterNames((parameter) -> true);
        return firewall;
    }
Comment From: sjohnr
You can place it in a class annotated with @Configuration, like this:
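    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.web.firewall.StrictHttpFirewall;

    @Configuration
    public class FirewallConfiguration {

        @Bean
        public StrictHttpFirewall httpFirewall() {
            StrictHttpFirewall firewall = new StrictHttpFirewall();
            // Each predicate returns true for every input, so header names,
            // header values and parameter names are no longer checked.
            firewall.setAllowedHeaderNames((header) -> true);
            firewall.setAllowedHeaderValues((header) -> true);
            firewall.setAllowedParameterNames((parameter) -> true);
            return firewall;
        }
    }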
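A narrower alternative to the accept-everything predicates above, as an added example that is not part of the original thread and not Spring Security's own code: it relaxes only header values and still applies the "defined code point, not a control character" rule quoted from the reference docs. It assumes the servlet container decoded the raw header bytes as ISO-8859-1; the class name and sample values are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.function.Predicate;
import java.util.regex.Pattern;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class Utf8HeaderFirewallConfiguration { // hypothetical class name

    // Rule from the reference docs: defined code point, not a control character.
    private static final Pattern ASSIGNED_NOT_CONTROL =
            Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*");

    // Assumption: the container decoded the raw header bytes as ISO-8859-1, so
    // each UTF-8 byte arrived as one char. Recover the bytes, decode strictly.
    static final Predicate<String> UTF8_HEADER_VALUE = (value) -> {
        try {
            String decoded = StandardCharsets.UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(ByteBuffer.wrap(value.getBytes(StandardCharsets.ISO_8859_1)))
                    .toString();
            return ASSIGNED_NOT_CONTROL.matcher(decoded).matches();
        } catch (CharacterCodingException ex) {
            return false; // not valid UTF-8: reject rather than guess
        }
    };

    @Bean
    public StrictHttpFirewall httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // Only header values are relaxed; names and parameters keep the defaults.
        firewall.setAllowedHeaderValues(UTF8_HEADER_VALUE);
        return firewall;
    }

    // Constructed sample values, not taken from the issue.
    public static void main(String[] args) {
        String chinese = new String("\u4e2d\u6587".getBytes(StandardCharsets.UTF_8),
                StandardCharsets.ISO_8859_1); // as the container would present it
        System.out.println(UTF8_HEADER_VALUE.test(chinese));
        System.out.println(UTF8_HEADER_VALUE.test("line1\r\nline2")); // CR/LF controls
    }
}
```

Because decoding is strict, a value that carries non-ASCII ISO-8859-1 bytes which are not valid UTF-8 is rejected by this predicate.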
Comment From: shawnyang02
Hi, I still report an error when using this method. Please help me to see why.
Comment From: shawnyang02
@sjohnr
Comment From: sjohnr
Hi @yangdong6, I'm sorry to hear that you're still having issues. Would you be able to provide a sample curl command or similar for a request that is being blocked by the firewall?
Comment From: rwinch
@yangdong6 Please also provide a sample that reproduces the problem.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.