SEC-1608: FirewalledRequest.reset() is not called for a resource with no filters #1848

Closed
spring-issuemaster opened this Issue Nov 2, 2010 · 2 comments

Migrated from SEC-1608

Luke Taylor said:

Added call to reset() before invoking the filter chain.

Andrei Stefan said:

Two potential workarounds:

  1. Use anonymous attributes for the unsecured resources instead of filters="none"
  2. Add a filter after the security filters with the following doFilter method:

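```java
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    // Walk the wrapper chain until the FirewalledRequest is found, then reset it.
    ServletRequest current = request;
    while (current instanceof ServletRequestWrapper) {
        if (current instanceof FirewalledRequest) {
            ((FirewalledRequest) current).reset();
            break;
        }
        current = ((ServletRequestWrapper) current).getRequest();
    }
    // Continue processing with the request as this filter received it.
    chain.doFilter(request, response);
}
```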
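Workaround 1 written out as a Spring Security 3.0 namespace fragment, next to the `filters="none"` form it replaces. This is an added example, not part of the original comment or the project's own configuration; the `/static/**` pattern, the `ROLE_USER` rule and the `<form-login/>` element are assumed placeholders.

```xml
<!-- Constructed fragment for illustration; patterns and roles are placeholders. -->
<http>
    <!-- Before: no security filters are applied to this pattern,
         which is the case this issue describes. -->
    <!-- <intercept-url pattern="/static/**" filters="none"/> -->

    <!-- Workaround 1: keep the security filters on the resource and
         allow anonymous access instead. -->
    <intercept-url pattern="/static/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

    <intercept-url pattern="/**" access="ROLE_USER"/>
    <form-login/>
</http>
```

If the `<http>` element sets `use-expressions="true"`, the equivalent access value is `permitAll`.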

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016
