Provide a way to handle RequestRejectedException

[mario-philipps-icw]

Summary

With Spring Security 4.2.4 used in a Spring Boot application, accessing a "non-normalized" URI, e.g. one containing a double //, will cause an HTTP 500.

Actual Behavior

Access to a URI containing a double // causes an HTTP 500 response.

Expected Behavior

Access to such a URI causes some HTTP 4xx response, e.g. 400, 403 or 404. I'd expect that, because it's the client who has to change the request.

Version

Affected version is Spring Security 4.2.4.

Comment

I did some research in the code, and it looks as if the exception thrown in

spring-security/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java

Line 123 in 1517e9b

throw new RequestRejectedException("The request was rejected because the URL was not normalized.");

will finally be caught by the Tomcat embedded in our Spring Boot application, turning it into the HTTP 500.

[hth]

Cannot use Spring Security greater than 5.0.0. Unless fixed, all releases past 5.0.0 are moot

[rwinch]

We will look into this for 5.1. In the meantime, you can handle this by handling the exception (you should be doing this anyways).

Handle the Exception

Spring Boot

For example, with Spring Boot add ErrorPageRegistrar:

@Bean
public static ErrorPageRegistrar securityErrorPageRegistrar() {
    return registry -> registry.addErrorPages(new ErrorPage(RequestRejectedException.class, "/errors/400"));
}

@Controller
public class SecurityErrorController {
	@ResponseStatus(HttpStatus.BAD_REQUEST)
	@RequestMapping("/errors/400")
	String error(RequestRejectedException e) {
		return "errors/400";
	}
}

src/main/java/resources/templates/errors/400.html

<html>
<head>
<title>Bad Request</title>
</head>
<body>
<h1>Bad Request</h1>
</body>
</html>

NOTE: Ensure the error page is public (i.e. permitAll) so that unauthenticated users are able to view the error page.

Servlet Container

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
  ...
  
  <error-page>
  <exception-type>org.springframework.security.web.firewall.RequestRejectedException</exception-type>
  <location>/errors/400</location>
  </error-page>
</web-app>

Ensure you add a URL mapping for /errors/400 which sets the status and renders the response you want.

NOTE: Ensure the error page is public (i.e. permitAll) so that unauthenticated users are able to view the error page.

Customizing HttpFirewall

You can also revert to the previous HttpFirewall or customize the StrictHttpFirewall by exposing a bean. Of course this is not recommended as it can lead to exploits.

[hth]

I would recommend including #5044 with this issue

[Glamdring]

@rwinch I tried those but they still result in an unwanted stacktrace in the log, because the exception is happening outside the normal exception handling flow. Looking at the stacktrace, it is not caught anywhere and so can't be processed by exception or error page handlers

[Glamdring]

For anyone trying to get rid of the stacktrace and is running undertow:

@Bean
public UndertowServletWebServerFactory embeddedServletContainerFactory() {
    UndertowServletWebServerFactory factory = new UndertowServletWebServerFactory();
    factory.addDeploymentInfoCustomizers(new UndertowDeploymentInfoCustomizer() {
        @Override
        public void customize(DeploymentInfo deploymentInfo) {
            deploymentInfo.setExceptionHandler(new ExceptionHandler() {
                @Override
                public boolean handleThrowable(HttpServerExchange exchange, ServletRequest request,
                                               ServletResponse response, Throwable throwable) {
                    if (throwable instanceof RequestRejectedException) {
                        ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_BAD_REQUEST);
                        logger.warn("Request rejected due to: {} for URI {}", throwable.getMessage(),
                                ((HttpServletRequest) request).getRequestURI());
                        return true;
                    }
                    return false;
                }
            });
        }
    });
}

[gionn]

Thanks to this new feature I discovered that Jetty was returning HTML errors for exception thrown outside of spring MVC.

To handle this RequestRejectedException I did:

        contextHandler.setErrorHandler( new JsonErrorHandler() );

and in JsonErrorHandler

public class JsonErrorHandler extends ErrorHandler
{
    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    protected void generateAcceptableResponse( Request baseRequest, HttpServletRequest request,
            HttpServletResponse response, int code, String message, String mimeType ) throws IOException
    {
        response.setStatus( 400 );
        baseRequest.setHandled( true );
        Writer writer = getAcceptableWriter( baseRequest, request, response );
        if ( writer != null )
        {
            response.setContentType( MimeTypes.Type.APPLICATION_JSON.asString() );
            Throwable th = (Throwable) request.getAttribute( RequestDispatcher.ERROR_EXCEPTION );
            writer.write( getPayload( th ) );
        }
    }

getPayload should return a JSON string describing the error.