org.apache.shiro.web.filter

Class InvalidRequestFilter

java.lang.Object

org.apache.shiro.web.servlet.ServletContextSupport

org.apache.shiro.web.servlet.AbstractFilter

org.apache.shiro.web.servlet.NameableFilter

org.apache.shiro.web.servlet.OncePerRequestFilter

org.apache.shiro.web.servlet.AdviceFilter

org.apache.shiro.web.filter.PathMatchingFilter

org.apache.shiro.web.filter.AccessControlFilter

org.apache.shiro.web.filter.InvalidRequestFilter

All Implemented Interfaces:

javax.servlet.Filter, org.apache.shiro.util.Nameable, PathConfigProcessor

public class InvalidRequestFilter
extends AccessControlFilter

A request filter that blocks malicious requests. Invalid request will respond with a 400 response code.

This filter checks and blocks the request if the following characters are found in the request URI:

• Semicolon - can be disabled by setting blockSemicolon = false
• Backslash - can be disabled by setting blockBackslash = false
• Non-ASCII characters - can be disabled by setting blockNonAscii = false, the ability to disable this check will be removed in future version.
• Path traversals - can be disabled by setting blockTraversal = false

Since:

1.6

See Also:

This class was inspired by Spring Security StrictHttpFirewall

Field Summary

Fields inherited from class org.apache.shiro.web.filter.AccessControlFilter

DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD

Fields inherited from class org.apache.shiro.web.filter.PathMatchingFilter

appliedPaths, pathMatcher

Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter

ALREADY_FILTERED_SUFFIX

Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter

filterConfig

Constructor Summary

Constructors

Constructor and Description
InvalidRequestFilter()

Method Summary

Modifier and Type	Method and Description
protected boolean	isAccessAllowed(javax.servlet.ServletRequest req, javax.servlet.ServletResponse response, Object mappedValue) Returns true if the request is allowed to proceed through the filter normally, or false if the request should be handled by the onAccessDenied(request,response,mappedValue) method instead.
boolean	isBlockBackslash()
boolean	isBlockEncodedForwardSlash()
boolean	isBlockEncodedPeriod()
boolean	isBlockNonAscii()
boolean	isBlockRewriteTraversal()
boolean	isBlockSemicolon()
boolean	isBlockTraversal()
protected boolean	onAccessDenied(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response) Processes requests where the subject was denied access as determined by the isAccessAllowed method.
void	setBlockBackslash(boolean blockBackslash)
void	setBlockEncodedForwardSlash(boolean blockEncodedForwardSlash)
void	setBlockEncodedPeriod(boolean blockEncodedPeriod)
void	setBlockNonAscii(boolean blockNonAscii)
void	setBlockRewriteTraversal(boolean blockRewriteTraversal)
void	setBlockSemicolon(boolean blockSemicolon)
void	setBlockTraversal(boolean blockTraversal)

Methods inherited from class org.apache.shiro.web.filter.AccessControlFilter

getLoginUrl, getSubject, isLoginRequest, onAccessDenied, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl

Methods inherited from class org.apache.shiro.web.filter.PathMatchingFilter

getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig

Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter

afterCompletion, cleanup, doFilterInternal, executeChain, postHandle

Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter

doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, isFilterOncePerRequest, setEnabled, setFilterOncePerRequest, shouldNotFilter

Methods inherited from class org.apache.shiro.web.servlet.NameableFilter

getName, setName, toStringBuilder

Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter

destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig

Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport

getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

InvalidRequestFilter

public InvalidRequestFilter()

Method Detail

isAccessAllowed

protected boolean isAccessAllowed(javax.servlet.ServletRequest req,
                                  javax.servlet.ServletResponse response,
                                  Object mappedValue)
                           throws Exception

Description copied from class: AccessControlFilter

Returns true if the request is allowed to proceed through the filter normally, or false if the request should be handled by the onAccessDenied(request,response,mappedValue) method instead.

Specified by:

isAccessAllowed in class AccessControlFilter

Parameters:

req - the incoming ServletRequest

response - the outgoing ServletResponse

mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings.

Returns:

true if the request should proceed through the filter normally, false if the request should be processed by this filter's AccessControlFilter.onAccessDenied(ServletRequest,ServletResponse,Object) method instead.

Throws:

Exception - if an error occurs during processing.

onAccessDenied

protected boolean onAccessDenied(javax.servlet.ServletRequest request,
                                 javax.servlet.ServletResponse response)
                          throws Exception

Description copied from class: AccessControlFilter

Processes requests where the subject was denied access as determined by the isAccessAllowed method.

Specified by:

onAccessDenied in class AccessControlFilter

Parameters:

request - the incoming ServletRequest

response - the outgoing ServletResponse

Returns:

true if the request should continue to be processed; false if the subclass will handle/render the response directly.

Throws:

Exception - if there is an error processing the request.

isBlockSemicolon

public boolean isBlockSemicolon()

setBlockSemicolon

public void setBlockSemicolon(boolean blockSemicolon)

isBlockBackslash

public boolean isBlockBackslash()

setBlockBackslash

public void setBlockBackslash(boolean blockBackslash)

isBlockNonAscii

public boolean isBlockNonAscii()

setBlockNonAscii

public void setBlockNonAscii(boolean blockNonAscii)

isBlockTraversal

public boolean isBlockTraversal()

setBlockTraversal

public void setBlockTraversal(boolean blockTraversal)

isBlockEncodedPeriod

public boolean isBlockEncodedPeriod()

setBlockEncodedPeriod

public void setBlockEncodedPeriod(boolean blockEncodedPeriod)

isBlockEncodedForwardSlash

public boolean isBlockEncodedForwardSlash()

setBlockEncodedForwardSlash

public void setBlockEncodedForwardSlash(boolean blockEncodedForwardSlash)

isBlockRewriteTraversal

public boolean isBlockRewriteTraversal()

setBlockRewriteTraversal

public void setBlockRewriteTraversal(boolean blockRewriteTraversal)