The error message indicates that a request was rejected by the Spring Security firewall because the URL contained a potentially malicious string "//" or "/***/".
It looks like the StrictHttpFirewall class in Spring Security is responsible for detecting and rejecting potentially malicious URLs. In this case, it is likely configured to reject any URLs containing "//" due to security concerns: a path with a double slash can be normalized differently by the servlet container and by the security request matchers, so rejecting it up front protects the application from attacks such as path traversal or injection.
Let's consider an example to illustrate this error. Suppose you have a web application where users can view profile pages. The profile page URLs are structured like this: http://myWebApp.com/profile/{username}.
Now, imagine a malicious user tries to manipulate the URL by appending "//" to it like this: http://myWebApp.com/profile//{username}. The Spring Security firewall, specifically the StrictHttpFirewall, is configured to detect and block potentially malicious URLs. When it encounters the manipulated URL with "//", it raises a RequestRejectedException because it considers this pattern suspicious and possibly indicative of an attempted attack.
To resolve this issue, review the request that triggered the error and make sure it does not contain any malicious strings. If such URLs are legitimate in your application, you can also adjust the configuration of the StrictHttpFirewall to allow them, loosening only the specific rule that is in the way rather than disabling the firewall.
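The following is an added example, not code from the original post, showing how the rejection can be reproduced locally and how the double-slash rule alone can be relaxed. It assumes spring-security-web and spring-test (for MockHttpServletRequest, used only for the local check) are on the classpath; the class name FirewallDemoConfig and the helper methods accepts, defaultFirewall and relaxedFirewall are my own names.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class FirewallDemoConfig {
    // Default StrictHttpFirewall: "//" and its URL-encoded forms ("%2F%2F", ...)
    // are on the blocklist, alongside ";", "\", "%2e" and similar tokens.
    static StrictHttpFirewall defaultFirewall() {
        return new StrictHttpFirewall();
    }

    // Relaxed firewall that accepts "//" in the path. Only the double-slash rule
    // is loosened; every other StrictHttpFirewall check stays enabled.
    static StrictHttpFirewall relaxedFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowUrlEncodedDoubleSlash(true);
        return firewall;
    }

    // Exposing an HttpFirewall bean is enough: WebSecurity looks it up and
    // installs it in front of the security filter chain.
    @Bean
    public HttpFirewall httpFirewall() {
        return relaxedFirewall();
    }

    // True when the firewall admits the request, false when it throws the
    // RequestRejectedException whose message is quoted in this post.
    static boolean accepts(HttpFirewall firewall, String requestUri) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        try {
            firewall.getFirewalledRequest(request);
            return true;
        } catch (RequestRejectedException ex) {
            System.out.println(requestUri + " -> " + ex.getMessage());
            return false;
        }
    }

    // Constructed sample paths mirroring the post's profile page URLs.
    public static void main(String[] args) {
        System.out.println(accepts(defaultFirewall(), "/profile/alice"));
        System.out.println(accepts(defaultFirewall(), "/profile//alice"));
        System.out.println(accepts(relaxedFirewall(), "/profile//alice"));
    }
}
```

Before shipping the relaxed firewall, confirm that your authorization rules still match the "//" paths you expect, since the container and Spring Security's request matchers may normalize them differently.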