Package org.apache.shiro.web.filter
Class InvalidRequestFilter
java.lang.Object
All Implemented Interfaces: Filter, Nameable, PathConfigProcessor
public class InvalidRequestFilter extends AccessControlFilter
A request filter that blocks malicious requests. An invalid request is answered with a 400 response code. This filter inspects the request URI and blocks the request if any of the following characters are found in it:
- Semicolon - can be disabled by setting blockSemicolon = false
- Backslash - can be disabled by setting blockBackslash = false
- Non-ASCII characters - can be disabled by setting blockNonAscii = false; the ability to disable this check will be removed in a future version.
Since: 1.6
See Also: This class was inspired by Spring Security StrictHttpFirewall
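An added example, not taken from the Shiro project's own documentation, of wiring this filter in a shiro.ini with all three checks left at their blocking defaults. The bean name invalidRequest, the URL pattern and the trailing authc filter are assumptions made for illustration.

```ini
[main]
# Declared explicitly so the example does not rely on any default filter name
# (the name "invalidRequest" is an assumption for this example).
invalidRequest = org.apache.shiro.web.filter.InvalidRequestFilter

# The defaults written out: a request URI containing any of these characters
# is rejected with HTTP 400 before it reaches any other filter.
invalidRequest.blockSemicolon = true
invalidRequest.blockBackslash = true
# Keep enabled: the page states that the ability to disable this check
# will be removed in a future version.
invalidRequest.blockNonAscii = true

# Opt-out shown for reference only. Servlet containers treat ";..." as a
# path parameter, so with semicolons allowed the path used for URL matching
# and the raw request URI can differ, which weakens path-based rules.
# invalidRequest.blockSemicolon = false

[urls]
# Put the filter first in the chain so malformed URIs are rejected before
# path-based authorization rules run (pattern assumed for this example).
/** = invalidRequest, authc
```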
Field Summary
Fields inherited from class org.apache.shiro.web.filter.AccessControlFilter
DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD
Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter
appliedPaths, pathMatcher
Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
ALREADY_FILTERED_SUFFIX
Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
filterConfig
Constructor Summary
Constructor: InvalidRequestFilter()
Method Summary
protected boolean isAccessAllowed(ServletRequest req, ServletResponse response, Object mappedValue)
  Returns true if the request is allowed to proceed through the filter normally, or false if the request should be handled by the onAccessDenied(request, response, mappedValue) method instead.
boolean isBlockBackslash()
boolean isBlockNonAscii()
boolean isBlockSemicolon()
protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
  Processes requests where the subject was denied access as determined by the isAccessAllowed method.
void setBlockBackslash(boolean blockBackslash)
void setBlockNonAscii(boolean blockNonAscii)
void setBlockSemicolon(boolean blockSemicolon)
Methods inherited from class org.apache.shiro.web.filter.AccessControlFilter
getLoginUrl, getSubject, isLoginRequest, onAccessDenied, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl
Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter
getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig
Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter
afterCompletion, cleanup, doFilterInternal, executeChain, postHandle
Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, isFilterOncePerRequest, setEnabled, setFilterOncePerRequest, shouldNotFilter
Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
getName, setName, toStringBuilder
Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
Constructor Detail
InvalidRequestFilter
public InvalidRequestFilter()
Method Detail
isAccessAllowed
protected boolean isAccessAllowed(ServletRequest req, ServletResponse response, Object mappedValue) throws Exception
Description copied from class: AccessControlFilter
Returns true if the request is allowed to proceed through the filter normally, or false if the request should be handled by the onAccessDenied(request, response, mappedValue) method instead.
Specified by: isAccessAllowed in class AccessControlFilter
Parameters:
req - the incoming ServletRequest
response - the outgoing ServletResponse
mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings.
Returns: true if the request should proceed through the filter normally, false if the request should be processed by this filter's AccessControlFilter.onAccessDenied(ServletRequest, ServletResponse, Object) method instead.
Throws: Exception - if an error occurs during processing.
onAccessDenied
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception
Description copied from class: AccessControlFilter
Processes requests where the subject was denied access as determined by the isAccessAllowed method.
Specified by: onAccessDenied in class AccessControlFilter
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Returns: true if the request should continue to be processed; false if the subclass will handle/render the response directly.
Throws: Exception - if there is an error processing the request.
isBlockSemicolon
public boolean isBlockSemicolon()
setBlockSemicolon
public void setBlockSemicolon(boolean blockSemicolon)
isBlockBackslash
public boolean isBlockBackslash()
setBlockBackslash
public void setBlockBackslash(boolean blockBackslash)
isBlockNonAscii
public boolean isBlockNonAscii()
setBlockNonAscii
public void setBlockNonAscii(boolean blockNonAscii)