I got the following error with my Spring Boot application:
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the header value "Mozilla/5.0 (Windows NT 10.0; ГўВЂВ¦) Gecko/20100101 Firefox/73.0" is not allowed.
at org.springframework.security.web.firewall.StrictHttpFirewall$StrictFirewalledRequest.validateAllowedHeaderValue(StrictHttpFirewall.java:833) ~[spring-security-web-6.0.3.jar!/:6.0.3]
at org.springframework.security.web.firewall.StrictHttpFirewall$StrictFirewalledRequest.getHeader(StrictHttpFirewall.java:716) ~[spring-security-web-6.0.3.jar!/:6.0.3]
at jakarta.servlet.http.HttpServletRequestWrapper.getHeader(HttpServletRequestWrapper.java:82) ~[tomcat-embed-core-10.1.8.jar!/:na]
at jakarta.servlet.http.HttpServletRequestWrapper.getHeader(HttpServletRequestWrapper.java:82) ~[tomcat-embed-core-10.1.8.jar!/:na]
at jakarta.servlet.http.HttpServletRequestWrapper.getHeader(HttpServletRequestWrapper.java:82) ~[tomcat-embed-core-10.1.8.jar!/:na]
at jakarta.servlet.http.HttpServletRequestWrapper.getHeader(HttpServletRequestWrapper.java:82) ~[tomcat-embed-core-10.1.8.jar!/:na]
How do I configure Spring Security to avoid such errors?
The default HttpFirewall is StrictHttpFirewall, which by default rejects header values that contain ISO control characters and characters that are not defined.

You can try to configure the HttpFirewall to accept more relaxed header values by setting the corresponding predicate that satisfies your need:
import java.util.function.Predicate;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class Config extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) throws Exception {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // Configure it with the Predicate that satisfies your need, e.g. (illustrative)
        // reject ASCII control characters other than TAB, accept everything else:
        Predicate<String> allowed = v -> v.chars().noneMatch(c -> (c < 0x20 && c != '\t') || c == 0x7F);
        firewall.setAllowedHeaderValues(allowed);
        web.httpFirewall(firewall);
    }
}
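The stack trace shows Spring Security 6.0.3, where WebSecurityConfigurerAdapter no longer exists; there the same firewall setting is applied through a WebSecurityCustomizer bean. The following is an added example, not the answerer's code: the class name FirewallConfig, the predicate and the sample header values are mine, and it assumes the offending character is U+0080, which is what the UTF-8 bytes of the ellipsis in that User-Agent become when the container decodes them as ISO-8859-1 (U+0080 is an ISO control character, so the default predicate rejects it). The predicate below keeps rejecting the ASCII control characters that enable header injection (CR, LF, NUL, DEL) and drops the "undefined character" check, so it is looser than the default.

```java
import java.util.function.Predicate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class FirewallConfig {

    /**
     * Relaxed header-value check (hypothetical policy, not Spring's default).
     * Rejects every ASCII control character except HTAB, plus DEL (0x7F),
     * which is what matters for CRLF/NUL header injection. Anything from
     * 0x80 upwards is accepted, including the C1 range (U+0080..U+009F)
     * that appears when UTF-8 header bytes are decoded as ISO-8859-1.
     */
    static final Predicate<String> ALLOWED_HEADER_VALUE = value ->
            value.chars().noneMatch(c -> (c < 0x20 && c != '\t') || c == 0x7F);

    @Bean
    public WebSecurityCustomizer firewallCustomizer() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // Only the header-value check is relaxed; all other StrictHttpFirewall
        // defaults (path normalization, allowed methods, ...) stay in force.
        firewall.setAllowedHeaderValues(ALLOWED_HEADER_VALUE);
        return web -> web.httpFirewall(firewall);
    }

    // Stand-alone check of the predicate against constructed sample values.
    public static void main(String[] args) {
        // "…" (U+2026) sent as UTF-8 bytes E2 80 A6 and read back as Latin-1
        // becomes "\u00e2\u0080\u00a6"; the assumed shape of the rejected UA.
        String mojibakeUa = "Mozilla/5.0 (Windows NT 10.0; \u00e2\u0080\u00a6) Gecko/20100101 Firefox/73.0";
        // A CRLF-bearing value that a relaxed policy must still reject.
        String injection = "Mozilla/5.0\r\nX-Injected: 1";
        System.out.println("mojibake UA allowed: " + ALLOWED_HEADER_VALUE.test(mojibakeUa));
        System.out.println("CRLF value allowed:  " + ALLOWED_HEADER_VALUE.test(injection));
    }
}
```

A request whose header still fails the predicate is rejected before it reaches the filter chain, so if you need to log or respond to those cases, register a RequestRejectedHandler on the firewall as well.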