SEC-1608: FirewalledRequest.reset() is not called for a resource with no filters #1848

spring-issuemaster opened this Issue Nov 2, 2010 · 2 comments


Migrated from SEC-1608


Luke Taylor said:

Added call to reset() before invoking the filter chain.


Andrei Stefan said:

Two potential workarounds:

1) Use anonymous attributes for the unsecured resources instead of filters="none"
2) Add a filter after the security filters with the following doFilter method:

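    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Walk the wrapper chain on a separate reference so the original request is still passed on.
        ServletRequest current = request;
        while (current instanceof ServletRequestWrapper) {
            if (current instanceof FirewalledRequest) { ((FirewalledRequest) current).reset(); break; }
            current = ((ServletRequestWrapper) current).getRequest();
        }
        chain.doFilter(request, response);
    }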

spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016