
Security-related HTTP headers not written if response is committed during INCLUDE dispatch and RequestDispatcher is not obtained via HttpServletRequest object #6414

@mjagus

Description

Summary

In #5499 a bug was fixed which caused security-related headers to not appear in the HTTP response if that response was committed during INCLUDE dispatch. The solution was to wrap both the HttpServletRequest and RequestDispatcher objects in order to intercept the RequestDispatcher::include call. That fix doesn't work if the RequestDispatcher is obtained via some other means than the HttpServletRequest::getRequestDispatcher method.

In my particular case it's the SiteMesh 2.x servlet filter that obtains the dispatcher via ServletContext::getRequestDispatcher and then calls the include method on it. The returned dispatcher is unfortunately not a wrapper created by HeaderWriterFilter, which means that no security headers are added to the HTTP response.

Actual Behavior

Assuming that security-related headers are enabled in spring-security:

  1. HeaderWriterFilter is invoked and both request and response objects are wrapped.
  2. After that some 3rd party library calls RequestDispatcher::include on dispatcher obtained via some other means than HttpServletRequest::getRequestDispatcher method.
  3. Response is flushed during that INCLUDE dispatch call.

This results in security-related headers not being added to HTTP response.

Expected Behavior

The way of obtaining RequestDispatcher object should not be a factor when adding security-related headers to response.

Configuration

Tomcat 8.5.34
SiteMesh 2.4.2
Spring-based web application which uses JSPs and decorates them using SiteMesh.

Version

5.1.2

Sample

spring-security-gh6414.zip

Attached is a Zip file containing a simple Spring Boot application. Simply run the de.chschu.spring.security.gh6414.Application main class.

The response of http://localhost:8080/positive will have the headers, while http://localhost:8080/negative (which simply includes the other one) will not.
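To make the wrapping strategy and its blind spot concrete, the following is an added illustration written for this page; it is not Spring Security's HeaderWriterFilter, nor code from the issue or its attached sample. The hypothetical IncludeAwareHeaderFilter uses only the javax.servlet API (the one Tomcat 8.5 ships) and a constructed set of headers. It wraps the request so that any dispatcher obtained through HttpServletRequest#getRequestDispatcher writes the headers before include() can commit the response; the servlet spec makes the container ignore headers set inside an INCLUDE, which is why they must be written up front. A dispatcher obtained from ServletContext#getRequestDispatcher, as SiteMesh does, is the container's own object and never passes through HeaderWritingRequest, which is exactly the gap the issue describes.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical header-writing filter (not Spring Security's HeaderWriterFilter).
 * Headers are written (a) before any include() issued through a dispatcher that
 * came from the wrapped request, and (b) after the chain returns if the response
 * is still uncommitted. A dispatcher fetched from ServletContext bypasses (a).
 */
public class IncludeAwareHeaderFilter implements Filter {

    // Constructed sample headers; a real deployment configures its own set.
    private static final Map<String, String> HEADERS = Map.of(
        "X-Content-Type-Options", "nosniff",
        "X-Frame-Options", "DENY",
        "Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");

    /** Adds each configured header unless already present; no-op once committed. */
    static void writeHeaders(HttpServletResponse response) {
        if (response.isCommitted()) {
            return; // headers are already on the wire; nothing can be added now
        }
        HEADERS.forEach((name, value) -> {
            if (!response.containsHeader(name)) {
                response.setHeader(name, value);
            }
        });
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            chain.doFilter(new HeaderWritingRequest(request, response), response);
        } finally {
            // Normal path: the response was buffered until the chain returned.
            writeHeaders(response);
        }
    }

    /** Request wrapper that hands out header-writing dispatchers. */
    static final class HeaderWritingRequest extends HttpServletRequestWrapper {
        private final HttpServletResponse response;

        HeaderWritingRequest(HttpServletRequest request, HttpServletResponse response) {
            super(request);
            this.response = response;
        }

        @Override
        public RequestDispatcher getRequestDispatcher(String path) {
            RequestDispatcher target = super.getRequestDispatcher(path);
            return target == null ? null : new HeaderWritingDispatcher(target, response);
        }
        // Note: request.getServletContext().getRequestDispatcher(path) is NOT
        // intercepted here; it returns the container's own dispatcher.
    }

    /** Dispatcher wrapper: write headers before the include can commit the response. */
    static final class HeaderWritingDispatcher implements RequestDispatcher {
        private final RequestDispatcher delegate;
        private final HttpServletResponse response;

        HeaderWritingDispatcher(RequestDispatcher delegate, HttpServletResponse response) {
            this.delegate = delegate;
            this.response = response;
        }

        @Override
        public void forward(ServletRequest req, ServletResponse res)
                throws ServletException, IOException {
            delegate.forward(req, res);
        }

        @Override
        public void include(ServletRequest req, ServletResponse res)
                throws ServletException, IOException {
            writeHeaders(response); // must happen before the INCLUDE begins
            delegate.include(req, res);
        }
    }
}
```

Register the filter ahead of any decorating filter such as SiteMesh in web.xml or via a FilterRegistrationBean. With a dispatcher obtained through the wrapped request, the headers are present even when the included JSP flushes the buffer; with one obtained from the ServletContext, the include commits the response first and the finally block's writeHeaders call finds isCommitted() true and silently does nothing, reproducing the /negative case above. A simple check when debugging such reports is to log response.isCommitted() at the point the filter tries to write, since a true value there is the signature of this failure mode.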
