ForwardedHeaderFilter does not respect Servlet forwarding [SPR-16983] #21521
Comments
Rossen Stoyanchev commented Can you provide the details of the initial request, i.e. URI and headers, before the ForwardedHeaderFilter?
Eric Sirianni commented
The issue is that the
Alfred Staflinger commented Please increase the priority of this error, because it is a serious problem if
Rossen Stoyanchev commented Sorry for the delay. I'll look into this right away.
johann-sonntagbauer commented Some additional information. Deployed Spring WebMVC 5.1 on Tomcat 9.0.11 with ForwardedHeaderFilter.
The

```java
// Set the 403 status code.
response.setStatus(HttpStatus.FORBIDDEN.value());
// forward to error page.
RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage);
dispatcher.forward(request, response);
```
During the forward the Request gets wrapped in There the logic is very complicated and some crazy stuff is going on. But at the end ((ServletRequestWrapper) previous).setRequest(wrapper); previous is in that case the So maybe overriding
Hope this helps somehow with the analysis.

Stack trace:

```
wrapRequest:925, ApplicationDispatcher (org.apache.catalina.core)
doForward:358, ApplicationDispatcher (org.apache.catalina.core)
forward:312, ApplicationDispatcher (org.apache.catalina.core)
handle:73, AccessDeniedHandlerImpl (org.springframework.security.web.access)
handle:40, AccessDeniedHandler (com.infoniqa.common.authorization.web)
handleSpringSecurityException:199, ExceptionTranslationFilter (org.springframework.security.web.access)
doFilter:141, ExceptionTranslationFilter (org.springframework.security.web.access)
doFilter:334, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:137, SessionManagementFilter (org.springframework.security.web.session)
....
doFilterInternal:156, ForwardedHeaderFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilter:71, Log4jServletFilter (org.apache.logging.log4j.web)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
invoke:199, StandardWrapperValve (org.apache.catalina.core)
invoke:96, StandardContextValve (org.apache.catalina.core)
invoke:490, AuthenticatorBase (org.apache.catalina.authenticator)
invoke:139, StandardHostValve (org.apache.catalina.core)
invoke:92, ErrorReportValve (org.apache.catalina.valves)
invoke:668, AbstractAccessLogValve (org.apache.catalina.valves)
invoke:74, StandardEngineValve (org.apache.catalina.core)
service:343, CoyoteAdapter (org.apache.catalina.connector)
service:408, Http11Processor (org.apache.coyote.http11)
process:66, AbstractProcessorLight (org.apache.coyote)
process:770, AbstractProtocol$ConnectionHandler (org.apache.coyote)
doRun:1415, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)
run:49, SocketProcessorBase (org.apache.tomcat.util.net)
runWorker:1128, ThreadPoolExecutor (java.util.concurrent)
run:628, ThreadPoolExecutor$Worker (java.util.concurrent)
run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
run:834, Thread (java.lang)
```
johann-sonntagbauer commented Rossen Stoyanchev Thank you very much. Please let me know if you need additional information.
Rossen Stoyanchev commented
Yes I was considering something similar to Tomcat, or Jetty for that matter which mutates the underlying request, but that's more complicated than it needs to be. I'll experiment with the way Tomcat's RemoteIpFilter allows dynamic recalculation of the requestURL.
Rossen Stoyanchev commented There is a fix now in master (snapshot build running). It would be great to confirm it works in applications that were affected.
johann-sonntagbauer commented That is great news! I will verify the snapshot build tomorrow. Thank you very much for your effort and the immediate action.
johann-sonntagbauer commented Rossen Stoyanchev I am currently testing the SNAPSHOT 5.1.2 build and it looks promising so far. The main problem is solved as far as I can tell.
Rossen Stoyanchev commented Thanks for checking.
Eric Sirianni opened SPR-16983 and commented

ForwardedHeaderFilter captures the requestUri on initial request (e.g. /foo). That request URI can be altered due to a server-side forward - for example:

When the request is re-dispatched, code calling HttpServletRequest.getRequestURI() receives the old value (e.g. /foo) instead of the new value (e.g. /bar). Even if the filter is registered with DispatcherType.FORWARD, the issue remains that the filter implements OncePerRequestFilter.

Affects: 5.0.7
Issue Links:
Referenced from: commits feeec34
2 votes, 4 watchers
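
The behaviour reported in this issue, together with the Tomcat forward step described in the comments, as an added plain-Java model (not code from Spring, Tomcat or any commenter). `Req`, `Wrapper`, `Snapshot` and `forward()` are hypothetical stand-ins for the servlet request, `ServletRequestWrapper`, a wrapper that captures the URI once, and the container's forward handling.

```java
// Added illustration: a plain-Java model, not Spring's or Tomcat's code.
// Req, Wrapper, Snapshot and forward() are hypothetical stand-ins.
public class ForwardSnapshotDemo {

    interface Req { String getRequestURI(); }

    // Stand-in for ServletRequestWrapper: delegates to a replaceable target.
    static class Wrapper implements Req {
        private Req target;
        Wrapper(Req target) { this.target = target; }
        void setRequest(Req target) { this.target = target; }
        Req getRequest() { return target; }
        public String getRequestURI() { return target.getRequestURI(); }
    }

    // Behaviour described in the issue: the URI is captured once, up front.
    static class Snapshot extends Wrapper {
        private final String requestUri;
        Snapshot(Req target) { super(target); this.requestUri = target.getRequestURI(); }
        @Override public String getRequestURI() { return requestUri; }
    }

    // Model of the forward step: the container wraps the inner request with the
    // new path and re-parents the application's wrapper onto it via
    // setRequest(), so the application's wrapper stays outermost.
    static void forward(Wrapper outermost, String path) {
        Req inner = outermost.getRequest();
        outermost.setRequest(new Wrapper(inner) {
            @Override public String getRequestURI() { return path; }
        });
    }

    // What downstream code sees when it asks the outermost wrapper after a forward.
    static String uriAfterForward(Wrapper appWrapper, String path) {
        forward(appWrapper, path);
        return appWrapper.getRequestURI();
    }

    public static void main(String[] args) {
        Req original = () -> "/foo";   // constructed sample request
        System.out.println("snapshot:   " + uriAfterForward(new Snapshot(original), "/bar"));
        System.out.println("delegating: " + uriAfterForward(new Wrapper(original), "/bar"));
    }
}
```

The snapshot wrapper keeps answering with the pre-forward URI because the container's new wrapper is inserted beneath it; a regression test for an affected application can assert the same property against the real filter by checking `getRequestURI()` after a forward to the error page.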