Background of the problem
When a user requests a protected URL (e.g. http://localhost/index) without being authenticated, Spring Security redirects them to the login page http://localhost/login.
So that it can send the user back to the originally requested page http://localhost/index after a successful login, Spring Security saves that original request in the HTTP session (its HttpSessionRequestCache). The session is identified by a JSESSIONID that the servlet container hands to the browser, normally as a cookie. Because the first request carried no session cookie, the container (Tomcat, for example) cannot yet tell whether the browser accepts cookies, so when the redirect URL is encoded it falls back to URL rewriting and appends the session ID to the redirect target, giving something like http://localhost/login;jsessionid=xxxxxxxxxx.
That redirected request is then checked by Spring Security's StrictHttpFirewall, which by default rejects any URL containing a semicolon and throws a RequestRejectedException with the message: The request was rejected because the URL contained a potentially malicious String ";".
Security Policy
OWASP's session management guidance treats exposing the session ID (here the jsessionid) in a URL as a serious risk: the ID can leak through Referer headers, proxy and server logs, bookmarks and browser history, and it enables session fixation, because an attacker can hand a victim a link that already carries a session ID the attacker knows. The URL-rewriting behaviour above is therefore not recommended, which is exactly why StrictHttpFirewall rejects such URLs by default.
Solution
There are two ways to deal with this.
Allow the URL to carry the jsessionid
If your application must serve clients that have cookies disabled, or you can accept the risk described above, you can tell StrictHttpFirewall to permit semicolons in the request URL while keeping all of its other checks. Be aware that this only suppresses the exception; the session ID still appears in the URL, so the exposure OWASP warns about remains.
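The configuration for this option, as an added example that is not code from the original post. It assumes Spring Security 5.7 or later (where WebSecurityCustomizer replaces overriding configure(WebSecurity)); the class and bean names are my own choice.

```java
// Added example: relax StrictHttpFirewall so that ";jsessionid=..." URLs are no longer rejected.
// Class and bean names are assumptions, not from the original post.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class FirewallConfig {

    // StrictHttpFirewall with only the semicolon check switched off. Its other defaults
    // (rejecting encoded slashes, backslashes, "%25", null bytes, non-normalized paths,
    // and HTTP methods outside the allow-list) stay in force.
    @Bean
    public HttpFirewall allowSemicolonFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        return firewall;
    }

    // Hand the firewall to Spring Security's FilterChainProxy. With the older
    // WebSecurityConfigurerAdapter this is the same call inside configure(WebSecurity web).
    @Bean
    public WebSecurityCustomizer firewallCustomizer(HttpFirewall firewall) {
        return web -> web.httpFirewall(firewall);
    }
}
```

Do not swap in the legacy DefaultHttpFirewall just to get rid of the error: it relaxes far more than the semicolon check. Disabling a single rule on StrictHttpFirewall, as above, keeps the rest of the protection.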
Modify the session tracking mode of the servlet container
The cleaner fix is to configure the servlet container (the embedded Tomcat in Spring Boot) to track sessions by cookie only, so that it never rewrites URLs with ;jsessionid=. The session ID then stays out of URLs altogether and StrictHttpFirewall has nothing to reject. Prefer this option unless you genuinely have to support clients without cookies.
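Two equivalent ways to apply this in Spring Boot, as an added example rather than code from the original post. The property form is a single line in application.properties, server.servlet.session.tracking-modes=cookie (Spring Boot 2.x and 3.x; it was server.session.tracking-modes in 1.x). The programmatic form below does the same through a ServletContextInitializer; the class and bean names are my own, and the jakarta.servlet import assumes Spring Boot 3 (use javax.servlet on Boot 2.x).

```java
// Added example: restrict session tracking to cookies so the container never rewrites
// redirect URLs with ";jsessionid=". Class and bean names are assumptions.
import java.util.EnumSet;

import jakarta.servlet.SessionTrackingMode;   // javax.servlet.SessionTrackingMode on Spring Boot 2.x
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SessionTrackingConfig {

    // Removing URL from the effective tracking modes means HttpServletResponse.encodeRedirectURL()
    // returns the redirect target unchanged, so Spring Security's redirect to /login carries no
    // session ID. Spring Boot applies ServletContextInitializer beans to the embedded container
    // at startup, before the ServletContext is initialized.
    @Bean
    public ServletContextInitializer cookieOnlySessionTracking() {
        return servletContext ->
                servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }
}
```

The trade-off is explicit: with cookie-only tracking a browser that blocks cookies cannot hold a session at all, which is the intended behaviour for most applications and the reason OWASP recommends it.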
Reference https://blog.csdn.net/qq_35067322/article/details/124727458