Spring Security
  1. Spring Security
  2. SEC-1639

VirtualFilterChain.resetWrapper does not handle nested FilterChainProxy's

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Complete
    • Affects Version/s: 3.1.0.M1, 2.0.6, 3.0.5
    • Fix Version/s: 3.1.0.M2, 3.0.6, 2.0.7
    • Component/s: Web
    • Labels:
      None

      Description

      Since VirtualFilterChain.resetWrapper breaks on the first FirewalledRequest it doesn't handle nested FilterChainProxy's (i.e. new RequestWrapper(new RequestWrapper(originalRequest)) ). My current thought on fixing this is to pass in the actual FirewalledRequest into the constructor of the VirtualFilterChain and call reset on it. This would ensure the correct one gets called. It also eliminates the need for looping.

      A workaround is to place a Filter that calls the following reset method as the first filter for forwarded requests.

      public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
      while (request instanceof ServletRequestWrapper) {
      if (request instanceof FirewalledRequest)

      { ((FirewalledRequest)request).reset(); }

      request = ((ServletRequestWrapper)request).getRequest();
      }
      }

      Example Mapping

      <filter-mapping>
      <filter-name>fixSSFilter</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>FORWARD</dispatcher>
      </filter-mapping>

        Activity

        There are no comments yet on this issue.

          People

          • Assignee:
            Rob Winch
            Reporter:
            Rob Winch
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: