
Commit f34ea18

committed
RequestRejectedException is 400 by Default
Closes gh-7568
1 parent 0137f94 commit f34ea18


3 files changed

+17
-20
lines changed


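--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFirewallTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFirewallTests.java
@@ -33,8 +33,8 @@
 import org.springframework.security.web.firewall.RequestRejectedException;
 import org.springframework.test.web.servlet.MockMvc;
 
-import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 /**
 * Tests to verify that all the functionality of <http-firewall> attributes is
@@ -52,24 +52,21 @@ public class NamespaceHttpFirewallTests {
 MockMvc mvc;
 
 @Test
-public void requestWhenPathContainsDoubleDotsThenBehaviorMatchesNamespace() {
+public void requestWhenPathContainsDoubleDotsThenBehaviorMatchesNamespace() throws Exception {
 this.rule.register(HttpFirewallConfig.class).autowire();
-assertThatExceptionOfType(RequestRejectedException.class)
-.isThrownBy(() -> this.mvc.perform(get("/public/../private/")));
+this.mvc.perform(get("/public/../private/")).andExpect(status().isBadRequest());
 }
 
 @Test
-public void requestWithCustomFirewallThenBehaviorMatchesNamespace() {
+public void requestWithCustomFirewallThenBehaviorMatchesNamespace() throws Exception {
 this.rule.register(CustomHttpFirewallConfig.class).autowire();
-assertThatExceptionOfType(RequestRejectedException.class)
-.isThrownBy(() -> this.mvc.perform(get("/").param("deny", "true")));
+this.mvc.perform(get("/").param("deny", "true")).andExpect(status().isBadRequest());
 }
 
 @Test
-public void requestWithCustomFirewallBeanThenBehaviorMatchesNamespace() {
+public void requestWithCustomFirewallBeanThenBehaviorMatchesNamespace() throws Exception {
 this.rule.register(CustomHttpFirewallBeanConfig.class).autowire();
-assertThatExceptionOfType(RequestRejectedException.class)
-.isThrownBy(() -> this.mvc.perform(get("/").param("deny", "true")));
+this.mvc.perform(get("/").param("deny", "true")).andExpect(status().isBadRequest());
 }
 
 @EnableWebSecurity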
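Review bot: The three rewritten tests now assert only `status().isBadRequest()`, which is weaker than the `RequestRejectedException` check they replace: any 400 produced after the firewall (a controller, a binding error, a later filter) would also satisfy them, so they no longer prove that the firewall was what rejected `/public/../private/` or `deny=true`. Since the handler is invoked inside FilterChainProxy before the servlet is reached, it should be possible to also assert the request never hit a handler, e.g. `.andExpect((result) -> assertThat(result.getHandler()).isNull())` alongside the status check — worth confirming that MockMvc leaves the handler unset when the chain short-circuits. The `RequestRejectedException` import kept at line 33 is no longer referenced in the hunks shown; if the custom firewall configs further down the file do not throw it either, it should be dropped with this change. The test class continues past the end of this section.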

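--- a/itest/context/src/integration-test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java
+++ b/itest/context/src/integration-test/java/org/springframework/security/integration/HttpPathParameterStrippingTests.java
@@ -21,6 +21,7 @@
 import org.junit.jupiter.api.extension.ExtendWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
 import org.springframework.mock.web.MockFilterChain;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
@@ -29,11 +30,10 @@
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
-import org.springframework.security.web.firewall.RequestRejectedException;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 
-import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.assertj.core.api.Assertions.assertThat;
 
 @ContextConfiguration(locations = { "/http-path-param-stripping-app-context.xml" })
 @ExtendWith(SpringExtension.class)
@@ -48,8 +48,8 @@ public void securedFilterChainCannotBeBypassedByAddingPathParameters() throws Ex
 request.setPathInfo("/secured;x=y/admin.html");
 request.setSession(createAuthenticatedSession("ROLE_USER"));
 MockHttpServletResponse response = new MockHttpServletResponse();
-assertThatExceptionOfType(RequestRejectedException.class)
-.isThrownBy(() -> this.fcp.doFilter(request, response, new MockFilterChain()));
+this.fcp.doFilter(request, response, new MockFilterChain());
+assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value());
 }
 
 @Test
@@ -58,8 +58,8 @@ public void adminFilePatternCannotBeBypassedByAddingPathParameters() throws Exce
 request.setServletPath("/secured/admin.html;x=user.html");
 request.setSession(createAuthenticatedSession("ROLE_USER"));
 MockHttpServletResponse response = new MockHttpServletResponse();
-assertThatExceptionOfType(RequestRejectedException.class)
-.isThrownBy(() -> this.fcp.doFilter(request, response, new MockFilterChain()));
+this.fcp.doFilter(request, response, new MockFilterChain());
+assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value());
 }
 
 @Test
@@ -69,8 +69,8 @@ public void adminFilePatternCannotBeBypassedByAddingPathParametersWithPathInfo()
 request.setPathInfo("/admin.html;x=user.html");
 request.setSession(createAuthenticatedSession("ROLE_USER"));
 MockHttpServletResponse response = new MockHttpServletResponse();
-assertThatExceptionOfType(RequestRejectedException.class)
-.isThrownBy(() -> this.fcp.doFilter(request, response, new MockFilterChain()));
+this.fcp.doFilter(request, response, new MockFilterChain());
+assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value());
 }
 
 public HttpSession createAuthenticatedSession(String... roles) {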
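Review bot: These are bypass tests, and the new assertions in all three hunks check only the status code; they no longer establish that the path-parameter request was stopped before reaching the protected resource, which is the actual security property under test. Keeping a handle on the chain and asserting it was never invoked would restore that, since Spring's `MockFilterChain` records the request it is called with: `MockFilterChain chain = new MockFilterChain();`, `this.fcp.doFilter(request, response, chain);`, `assertThat(chain.getRequest()).isNull();` before the existing status assertion. The same two-line pattern is now repeated in three methods, so a small private `assertRejected(MockHttpServletRequest request)` helper would keep the three tests in step if the expected status changes again. The test methods start before each hunk; their signatures are outside the visible lines.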

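--- a/web/src/main/java/org/springframework/security/web/FilterChainProxy.java
+++ b/web/src/main/java/org/springframework/security/web/FilterChainProxy.java
@@ -33,9 +33,9 @@
 
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.firewall.DefaultRequestRejectedHandler;
 import org.springframework.security.web.firewall.FirewalledRequest;
 import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
 import org.springframework.security.web.firewall.RequestRejectedException;
 import org.springframework.security.web.firewall.RequestRejectedHandler;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
@@ -151,7 +151,7 @@ public class FilterChainProxy extends GenericFilterBean {
 
 private HttpFirewall firewall = new StrictHttpFirewall();
 
-private RequestRejectedHandler requestRejectedHandler = new DefaultRequestRejectedHandler();
+private RequestRejectedHandler requestRejectedHandler = new HttpStatusRequestRejectedHandler();
 
 public FilterChainProxy() {
 }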
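Review bot: The new default at line 154 is a behavior change for every deployment that did not set its own handler — a firewall rejection that previously propagated as an exception (and so surfaced through the container's error handling and logging) is now turned into a 400 response inside the filter — and nothing in the hunk documents that. The field is undocumented; a Javadoc such as `/** Handles {@link RequestRejectedException}s raised by the {@link HttpFirewall}; defaults to answering with {@code 400 Bad Request}. */` would make the default visible at the point it is set, and the `setRequestRejectedHandler` Javadoc (outside this hunk) should say the same. Operationally, if `HttpStatusRequestRejectedHandler` only writes the status and does not log the rejection reason — I cannot see its body here — teams that alerted on `RequestRejectedException` in logs lose that signal silently, which is worth a line in the release notes or a debug-level log in the catch site that invokes this handler. The enclosing class continues on both sides of the hunk.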
