春季启动:RequestRejectedException:请求被拒绝,因为URL包含潜在的恶意字符串“;". [英] Spring Boot: RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
问题描述
发布Spring Boot应用程序的登录凭据时,出现以下异常.
I get the following exception when I POST the login credentials for my Spring Boot app.
org.springframework.security.web.firewall.RequestRejectedException:请求被拒绝,因为URL包含潜在的恶意字符串;"
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
它将发布到/dologin,然后重定向到/home,并在末尾附加jsessionid.它还会设置会话cookie.我没有更改任何会话设置,并且在application.properties中没有提及session.
It is posting to /dologin and then redirecting to /home with the jsessionid appended to the end. It does also set the session cookie too. I did not change any session settings and there is no mention of session in application.properties.
我尝试设置
server.servlet.session.cookie.http-only=true
server.servlet.session.tracking-modes=cookie
如 https://stackoverflow.com/a/31792535/148844 中所述,但这没有用
我添加了
@Bean
public ServletContextInitializer servletContextInitializer() {
return new ServletContextInitializer() {
@Override
public void onStartup(ServletContext servletContext) throws ServletException {
servletContext.setSessionTrackingModes(Collections.singleton(SessionTrackingMode.COOKIE));
SessionCookieConfig sessionCookieConfig=servletContext.getSessionCookieConfig();
sessionCookieConfig.setHttpOnly(true);
}
};
}
但是现在它只是POST,设置cookie,然后重定向回登录屏幕.好像无法访问该会话.
But now it just POSTs, sets the cookie, and redirects back to the login screen. It's as if it can't access the session.
我设置了server.session.tracking-modes=cookie(而不是server.servlet...),并且现在仅使用cookie,但是Chrome浏览器在登录后不会将cookie发送回服务器!如果会话中的user属性为null,则/home操作将仅重新显示登录页面.
I set server.session.tracking-modes=cookie (instead of server.servlet...) and it is only using cookies now, but the Chrome browser is not sending the cookie back to the server after login! /home action will only re-display the login page if user attribute in the session is null.
POST /dologin HTTP/1.1
Host: localhost:8080
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
Referer: http://localhost:8080/home
HTTP/1.1 302
Set-Cookie: JSESSIONID=3B82AAA40CE94FF490FBF7B4DBD837DD; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8080/home
GET /home HTTP/1.1
Host: localhost:8080
Upgrade-Insecure-Requests: 1
Referer: http://localhost:8080/home
HTTP/1.1 200
Set-Cookie: JSESSIONID=B60BF649068F7E85346691FD2F5D119B; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 2742
Date: Sat, 29 Sep 2018 17:41:55 GMT
注意cookie是否不同,Chrome是否没有将cookie发送回服务器?为什么?
Notice the cookies are different and Chrome did not send the cookie back to the server? Why?
Spring Boot 1.5.13,Chrome版本69.0.3497.100(官方内部版本)(64位)
Spring Boot 1.5.13, Chrome Version 69.0.3497.100 (Official Build) (64-bit)
推荐答案
可以,将server.servlet.session.cookie.http-only=true更改为server.session.tracking-modes=cookie,将http://localhost:8080更改为http://127.0.0.1:8080/可以.我找到了这个答案:
OK changing server.servlet.session.cookie.http-only=true to server.session.tracking-modes=cookie and changing http://localhost:8080 to http://127.0.0.1:8080/ worked. I found this answer:
Chrome浏览器似乎一直在从允许localhost变为禁止localhost.它工作大约一个月或三个月前. localhost正在为Rails应用程序工作,而Chrome正在发送cookie.
It seems Chrome keeps flipping from allowing localhost to disallowing localhost. It was working about a month or three ago. localhost is working for a Rails app and Chrome is sending the cookies.
实际上,Chrome还将localhost的_mt_rails_session Rails cookie发送到Spring Boot应用程序,但从未发送过JSESSIONID cookie.
In fact, Chrome is also sending the _mt_rails_session Rails cookie for localhost to the Spring Boot app, but never the JSESSIONID cookie.
我怀疑但尚未确认,这可能是由于在不相关的3rd Spring Boot应用程序的端口8080上设置了HTTPS所致,并且Chrome内部有可能缓存了一些HSTS设置.这可能是Chrome中的错误.
I suspect, but have not confirmed, it may be due to setting up HTTPS on port 8080 for an unrelated 3rd Spring Boot app, and there may be some HSTS setting cached in Chrome internals. It's probably a bug in Chrome.
这篇关于春季启动:RequestRejectedException:请求被拒绝,因为URL包含潜在的恶意字符串“;".的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
