The addition of the ;jsessionid=... path parameter is a normal and (usually) desirable part of the standard URL Rewriting mechanism in Java web applications. The idea is that, when an application has already expressed its need to create a user Session, the ID for such user session has to be passed along to the browser somehow. And until the browser demonstrates that it has the capability of using (and permission to use) cookies by means of an HTTP header in the following request after receiving that jsessionid, the ;jsessionid=... path parameter is how this is done in most Java Servlet-based web servers like e.g. Tomcat.
As for the reasons this is warned by Spring Security, well, I'm not sure why the jsessionid, being a standard, is not dealt with in a specific fashion, but I guess if this was intentional you'll have to configure your application at the Tomcat context level to disable URL rewriting. Note that Thymeleaf does not add this path parameter explicitly, it only asks the Servlet API "hey response, rewrite this URL if needed", and then an implementation for URL rewriting provided by Tomcat, Spring, or else, is executed.
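One way to disable URL rewriting from inside the application, shown as an added example that is not code from this thread or from the Thymeleaf or Spring projects: restrict session tracking to cookies through the standard Servlet 3.0 API, so that `response.encodeURL()` has no `;jsessionid=...` to append. The class name `CookieOnlySessionInitializer` is hypothetical, and the `Secure` flag assumes the site is served over HTTPS.

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;

import org.springframework.web.WebApplicationInitializer;

// Hypothetical initializer (name chosen for this example). Spring picks up
// WebApplicationInitializer implementations during Servlet 3.0+ container startup,
// which is early enough to change the session tracking modes.
public class CookieOnlySessionInitializer implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // Allow only cookie-based tracking. With SessionTrackingMode.URL absent,
        // the container stops rewriting URLs, so links built by Thymeleaf's @{...}
        // expressions are returned unchanged and never contain ';'.
        servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // The session id now travels only in the cookie, so harden the cookie.
        SessionCookieConfig cookie = servletContext.getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable from page scripts
        cookie.setSecure(true);   // assumption: HTTPS only; remove for plain-HTTP environments
    }
}
```

The trade-off is that a client which refuses cookies can no longer hold a session. In return, session ids stay out of URLs, and therefore out of access logs, browser history and Referer headers.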
Hello, I think I have a similar problem. My English is not very good. Please read the error log below:
Caused by: java.io.FileNotFoundException: Could not open ServletContext resource [/WEB-INF/views/common/head;jsessionid=2C3A05E1E2DA86C5A86BE309BBD31AA3.html]
at org.springframework.web.context.support.ServletContextResource.getInputStream(ServletContextResource.java:141)
at org.thymeleaf.spring4.templateresource.SpringResourceTemplateResource.reader(SpringResourceTemplateResource.java:103)
at org.thymeleaf.templateparser.markup.AbstractMarkupTemplateParser.parse(AbstractMarkupTemplateParser.java:223)
My Thymeleaf template code: <div th:replace="@{common/head}::head"></div>
Hello,
We lately get a lot of errors in our logs from the spring security firewall which was changed to a stricter version:
https://spring.io/blog/2018/01/30/cve-2018-1199-spring-security-5-0-1-4-2-4-4-1-5-released
We use the data-th-src attribute like this:
<script src="/js/ours.js" data-th-src="@{/js/ours.js?v='+${application.version}}"></script>
The error we get from spring firewall:
The request was rejected because the URL contained a potentially malicious String ";"
URL:
/js/ours.js;jsessionid=EE4E97D412B0487F34AAD17A522E2351?v=1.0
Thymeleaf version: v3.0.9 RELEASE
Spring security version: v4.2.4 RELEASE
Spring: v4.3.14 RELEASE