Class InvalidRequestFilter

All Implemented Interfaces:
javax.servlet.Filter, org.apache.shiro.lang.util.Nameable, PathConfigProcessor

public class InvalidRequestFilter extends AccessControlFilter
A request filter that blocks malicious requests. An invalid request is rejected with a 400 response code.

This filter inspects the request URI and blocks the request if any of the following characters are found:

  • Semicolon - can be disabled by setting blockSemicolon = false
  • Backslash - can be disabled by setting blockBackslash = false
  • Non-ASCII characters - can be disabled by setting blockNonAscii = false; the ability to disable this check will be removed in a future version.
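To make the three rules and their toggles concrete, here is an added Python model of the filter's decision. It is illustrative code written for this page, not Shiro's own implementation: the InvalidRequestPolicy class, its method names and the sample URIs are assumptions made for the example, and only the documented rules (literal ';', '\' and non-ASCII characters in the request URI, each individually switchable, 400 on rejection) are modelled.

```python
# Illustrative model of the InvalidRequestFilter decision described above.
# Added example, not Apache Shiro's code: it mirrors the documented rules
# (block ';', '\' and non-ASCII in the request URI, each switchable, 400 on
# rejection) so the effect of each toggle can be seen on concrete URIs.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class InvalidRequestPolicy:
    """Hypothetical stand-in for the filter's three blockXxx properties."""
    block_semicolon: bool = True   # documented default: blocked
    block_backslash: bool = True
    block_non_ascii: bool = True

    def reject_reason(self, request_uri: str) -> Optional[str]:
        """Return why the URI is rejected, or None if it may proceed.

        Only literal characters in the string handed in are inspected, so a
        percent-encoded '%3B' is not a ';' to this model.
        """
        if self.block_semicolon and ";" in request_uri:
            return "semicolon"
        if self.block_backslash and "\\" in request_uri:
            return "backslash"
        if self.block_non_ascii and any(ord(ch) > 0x7F for ch in request_uri):
            return "non-ascii"
        return None

    def is_access_allowed(self, request_uri: str) -> bool:
        """Mirrors isAccessAllowed: True lets the chain continue."""
        return self.reject_reason(request_uri) is None

    def handle(self, request_uri: str) -> int:
        """Mirrors the filter's outcome: 400 on denial, otherwise the
        downstream handler answers (represented here by a 200)."""
        return 200 if self.is_access_allowed(request_uri) else 400


# Constructed sample request URIs (not taken from any real traffic). The
# blocked ones are classic ways to make the string a path-pattern matcher
# sees differ from the path the servlet container actually routes to.
SAMPLE_URIS = {
    "/admin/users": "plain path",
    "/admin;x/users": "';' starts a servlet path parameter; a container may route this like /admin/users",
    "/admin\\users": "'\\' is normalised to '/' by some containers",
    "/admin/\u00fcsers": "non-ASCII, subject to container-specific canonicalisation",
    "/admin%3Busers": "percent-encoded ';' is a different character and is not caught by this rule",
}


def classify(policy: InvalidRequestPolicy) -> Dict[str, int]:
    """Run every sample URI through the policy and return uri -> status code."""
    return {uri: policy.handle(uri) for uri in SAMPLE_URIS}


if __name__ == "__main__":
    for name, policy in (
        ("defaults", InvalidRequestPolicy()),
        ("blockSemicolon=false", InvalidRequestPolicy(block_semicolon=False)),
    ):
        print(f"== {name}")
        for uri, status in classify(policy).items():
            print(f"{status}  {uri!r:22}  {SAMPLE_URIS[uri]}")
```

With the defaults, the second, third and fourth URIs get a 400 and the first and last pass; setting blockSemicolon = false lets "/admin;x/users" through, which is exactly the situation the page warns about when a check is disabled. The model only examines the string it is given; which views of the path (request URI, servlet path, decoded path info) the real filter inspects beyond the request URI is not stated on this page, so do not read the "%3B" row as a statement about Shiro's handling of encoded input.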
Since:
1.6
Constructor Details

    • InvalidRequestFilter

      public InvalidRequestFilter()
Method Details

    • isAccessAllowed

      protected boolean isAccessAllowed(javax.servlet.ServletRequest req, javax.servlet.ServletResponse response, Object mappedValue) throws Exception
      Description copied from class: AccessControlFilter
      Returns true if the request is allowed to proceed through the filter normally, or false if the request should be handled by the onAccessDenied(request,response,mappedValue) method instead.
      Specified by:
      isAccessAllowed in class AccessControlFilter
      Parameters:
      req - the incoming ServletRequest
      response - the outgoing ServletResponse
      mappedValue - the filter-specific config value mapped to this filter in the URL rules mappings.
      Returns:
      true if the request should proceed through the filter normally, false if the request should be processed by this filter's AccessControlFilter.onAccessDenied(ServletRequest,ServletResponse,Object) method instead.
      Throws:
      Exception - if an error occurs during processing.
    • onAccessDenied

      protected boolean onAccessDenied(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response) throws Exception
      Description copied from class: AccessControlFilter
      Processes requests where the subject was denied access as determined by the isAccessAllowed method.
      Specified by:
      onAccessDenied in class AccessControlFilter
      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      Returns:
      true if the request should continue to be processed; false if the subclass will handle/render the response directly.
      Throws:
      Exception - if there is an error processing the request.
    • isBlockSemicolon

      public boolean isBlockSemicolon()
      Returns true if a semicolon in the request URI causes the request to be blocked (the default).
    • setBlockSemicolon

      public void setBlockSemicolon(boolean blockSemicolon)
      Sets whether a semicolon in the request URI causes the request to be blocked; pass false to disable the check.
    • isBlockBackslash

      public boolean isBlockBackslash()
      Returns true if a backslash in the request URI causes the request to be blocked (the default).
    • setBlockBackslash

      public void setBlockBackslash(boolean blockBackslash)
      Sets whether a backslash in the request URI causes the request to be blocked; pass false to disable the check.
    • isBlockNonAscii

      public boolean isBlockNonAscii()
      Returns true if non-ASCII characters in the request URI cause the request to be blocked (the default).
    • setBlockNonAscii

      public void setBlockNonAscii(boolean blockNonAscii)
      Sets whether non-ASCII characters in the request URI cause the request to be blocked; pass false to disable the check. The ability to disable this check will be removed in a future version.