Spring Security
SEC-1606

FirewalledRequest.reset() not called when Filters in the FilterChainProxy do not complete the FilterChain

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.0.4, 2.0.6, 3.1.0.M2
    • Fix Version/s: 3.0.5, 3.1.0.M2, 2.0.7
    • Component/s: Web
    • Labels: None

      Description

      When the FilterChain is not completed within FilterChainProxy, FirewalledRequest.reset() is not called. This can cause the wrong pathInfo and servletPath to be exposed when a forward or include is performed within the FilterChainProxy's filters while using DefaultHttpFirewall. The reason is that the pathInfo and servletPath are still cached from the original request, and reset() was never called.

      The following configuration demonstrates the issue. When an invalid username/password is submitted, the request is forwarded to /login.jsp?login_error=1. However, when the JspServlet attempts to process the URL, it sees HttpServletRequest.servletPath as RequestWrapper.strippedServletPath (/j_spring_security_check) instead of the new servletPath /login.jsp.

      <http auto-config="true">
          <intercept-url pattern="/admin/secure.jsp" access="ROLE_ADMIN"/>
          <form-login login-page="/login.jsp" authentication-failure-handler-ref="afh"/>
      </http>
      <b:bean id="afh" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
              p:defaultFailureUrl="/login.jsp?login_error=1"
              p:useForward="true"/>
      <authentication-manager>
          <authentication-provider>
              <user-service>
                  <user name="un" password="pwd" authorities="ROLE_ADMIN"/>
              </user-service>
          </authentication-provider>
      </authentication-manager>

      I have not yet validated this occurs in 3.1.0.M2 but marked it as impacted to ensure it at least gets looked at.
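The caching behaviour described above, as an added illustration that is not Spring Security's own code: a wrapper that caches a firewall-stripped servletPath keeps answering from that cache after a forward short-circuits the chain, unless the dispatcher calls reset() first. All class and method names here are constructed stand-ins for the container and firewall types.

```java
/** Stand-in for the container's request: the servlet rewrites servletPath on forward. */
class LiveRequest {
    String servletPath;
    LiveRequest(String servletPath) { this.servletPath = servletPath; }
}

/** Stand-in for the firewall's request wrapper: serves a cached, normalised path until reset(). */
class FirewalledRequest {
    private final LiveRequest delegate;
    private String strippedServletPath;   // cached copy taken from the original request

    FirewalledRequest(LiveRequest delegate) {
        this.delegate = delegate;
        this.strippedServletPath = delegate.servletPath.replaceAll("/+", "/");
    }

    String getServletPath() {
        // While the cache is populated, changes made by a forward are invisible to callers.
        return strippedServletPath != null ? strippedServletPath : delegate.servletPath;
    }

    void reset() { strippedServletPath = null; }   // fall through to the live request again

    /** Dispatcher stand-in; a dispatcher-aware firewall resets the wrapper before forwarding. */
    Runnable dispatcherTo(String target, boolean resetBeforeForward) {
        return () -> {
            if (resetBeforeForward) reset();
            delegate.servletPath = target;   // the container's side of the forward
        };
    }
}

public class StaleServletPathDemo {
    /** An authentication filter fails and forwards to the login page instead of completing the chain. */
    static String pathSeenByLoginPage(boolean dispatcherResetsWrapper) {
        FirewalledRequest req = new FirewalledRequest(new LiveRequest("/j_spring_security_check"));
        req.dispatcherTo("/login.jsp", dispatcherResetsWrapper).run();   // chain never completes
        return req.getServletPath();   // stale stripped path, or the forward target after reset()
    }

    public static void main(String[] args) {
        System.out.println("forward without reset: " + pathSeenByLoginPage(false));
        System.out.println("reset, then forward:   " + pathSeenByLoginPage(true));
    }
}
```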

          Activity

          Rob Winch added a comment -

          For record keeping purposes. Anyone that is forwarding using ServletContext can provide their own implementation of the HttpFirewall or switch to using the HttpServletRequest to obtain the RequestDispatcher.

          Rob Winch added a comment -

          For those experiencing this issue, a variation of the fix that was submitted can be applied to 3.0.4.RELEASE using the following.

          <?xml version="1.0" encoding="UTF-8"?>
          <b:beans xmlns:b="http://www.springframework.org/schema/beans"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns="http://www.springframework.org/schema/security"
                   xmlns:p="http://www.springframework.org/schema/p"
                   xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.4.xsd
                                       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

              <!-- replace the default HttpFirewall with the custom implementation from the attached fix -->
              <http-firewall ref="firewall"/>
              <b:bean id="firewall" class="example.RequestDispatcherAwareHttpFirewall"/>
              ...
          </b:beans>

          Stéphane Nicoll added a comment -

          The fix attached to this issue has two issues:

          1. The imports on spring security are wrong, it's missing a web
          2. It does not fix the problem with filter="none"
          Rob Winch added a comment -

          Thank you for your feedback.

          > The imports on spring security are wrong, it's missing a web

          Can you elaborate on what you mean by this?

          > It does not fix the problem with filter="none"

          You are correct and it does not attempt to. This is logged as a separate issue (SEC-1608)

          Stéphane Nicoll added a comment -

          Rob,

          Your patch is built against Spring Security 2.0.x. I use 3.0.x. In 3.0.x, these classes are in org.springframework.security.web.firewall

          No biggie. For the separated issue, thanks. I can see the support has added a comment with the workarounds.


            People

            • Assignee: Rob Winch
            • Reporter: Rob Winch
            • Votes: 0
            • Watchers: 2
