When using Spring Security, requests are unexpectedly blocked by StrictHttpFirewall. As soon as a request contains ß, Ä, Ö, Ü, etc. in a header, the request is blocked.

curl http://localhost:8080/headers -H "name: Preuß" <-- error

Stacktrace:

org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the header value "Preuß" is not allowed.
	at org.springframework.security.web.firewall.StrictHttpFirewall$StrictFirewalledRequest.validateAllowedHeaderValue(StrictHttpFirewall.java:833) ~[spring-security-web-5.7.4.jar:5.7.4]
	at org.springframework.security.web.firewall.StrictHttpFirewall$StrictFirewalledRequest.getHeader(StrictHttpFirewall.java:716) ~[spring-security-web-5.7.4.jar:5.7.4]

If the request contains ä, ö or ü in the header it is not blocked. As soon as a request contains ß or a capitalized umlaut, the request is blocked.

So why are requests with ß Ä Ö Ü blocked? Is this a bug?

I have uploaded a minimal example at the following link: https://github.com/clude86/strict-firewall-block-request-minimal-reproducible-example

Versions: Spring-boot-starter 2.7.5

Steps to reproduce:

  • Start Spring boot application
  • Send a curl request to the REST API

curl http://localhost:8080/headers -H "name: Preuß" <-- error
curl http://localhost:8080/headers -H "name: PreuÄ" <-- error
curl http://localhost:8080/headers -H "name: Preuä" <-- ok ! But Ä not?
curl http://localhost:8080/headers -H "name: PreuÖ" <-- error
curl http://localhost:8080/headers -H "name: Preuö" <-- ok ! But Ö not?

Comment From: jzheaux

Duplicate of https://github.com/spring-projects/spring-security/issues/9037. Specifically, please see https://github.com/spring-projects/spring-security/issues/9037#issuecomment-698624312 for an explanation and https://github.com/spring-projects/spring-security/issues/9037#issuecomment-701709801 for a configuration that may help.

Comment From: clude86

@jzheaux I don't really understand the duplicate. The question in my report is why a small ä is accepted and a capital Ä is rejected.

If we look at the RFC for HTTP headers, only US-ASCII codes are allowed.

So why is an "ä" allowed and an "Ä" not? This makes little sense to me. Either both "ä" and "Ä" should be rejected, or both should be accepted.
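The following is an added example, not code from this issue or from Spring Security, that models the mechanism the linked explanation in #9037 points at and reproduces the accept/reject pattern from the steps above. It assumes three things: that curl on a UTF-8 terminal sends the header value as UTF-8 bytes; that the servlet container decodes raw header bytes one byte per character as ISO-8859-1; and that the firewall rejects any character for which Java's Character.isISOControl() is true (U+0000 to U+001F and U+007F to U+009F). Under those assumptions the second UTF-8 byte of ß (0x9F), Ä (0x84), Ö (0x96) and Ü (0x9C) lands in the C1 control range and is rejected, while the second byte of ä (0xA4), ö (0xB6) and ü (0xBC) does not. The function names and the sample header values are constructed for this illustration.

```python
from typing import List

# Added example: models why a UTF-8 header value such as "Preuß" trips a
# control-character check while "Preuä" passes. All three assumptions
# below are modelling assumptions, not statements about any specific
# container or Spring Security version.


def is_iso_control(ch: str) -> bool:
    """Mirror of java.lang.Character.isISOControl for one char:
    U+0000..U+001F (C0) and U+007F..U+009F (DEL + C1)."""
    cp = ord(ch)
    return cp <= 0x1F or 0x7F <= cp <= 0x9F


def as_container_sees_it(value: str) -> str:
    """Assumption: the client sends UTF-8 bytes and the container decodes
    the raw header bytes one byte per character as ISO-8859-1."""
    return value.encode("utf-8").decode("iso-8859-1")


def offending_bytes(value: str) -> List[str]:
    """Hex of each decoded byte that falls in a control range; empty if the
    value would pass an isISOControl-based header-value check."""
    return [f"0x{ord(c):02X}" for c in as_container_sees_it(value)
            if is_iso_control(c)]


def header_value_allowed(value: str) -> bool:
    """Assumption: the firewall accepts a header value only if no decoded
    character is an ISO control character."""
    return not offending_bytes(value)


# Constructed sample values matching the curl commands in the report,
# plus ü/Ü to show the same pattern for the third umlaut pair.
CONSTRUCTED_SAMPLES = ["Preuß", "PreuÄ", "Preuä", "PreuÖ", "Preuö",
                       "Preuü", "PreuÜ"]


def classify(values: List[str]) -> List[str]:
    """One human-readable line per value: verdict plus the byte(s) to blame."""
    lines = []
    for v in values:
        verdict = "ok" if header_value_allowed(v) else "rejected"
        blame = ", ".join(offending_bytes(v)) or "-"
        raw = " ".join(f"{b:02X}" for b in v.encode("utf-8")[-2:])
        lines.append(f"{v}: {verdict} (last UTF-8 bytes {raw}; control: {blame})")
    return lines


if __name__ == "__main__":
    for line in classify(CONSTRUCTED_SAMPLES):
        print(line)
```

The model shows that case is incidental: what decides the outcome is the value of the UTF-8 continuation byte once it is read as a single ISO-8859-1 character, which is why one letter of each umlaut pair happens to fall into the C1 range and the other does not. The configuration the maintainer links in #9037 is the place to look for an actual fix; this code only explains the pattern.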