
Add methods to augment allowed headers and parameters in StrictHttpFi…

Open baezzys opened this issue 1 year ago • 3 comments

Description

This pull request introduces new methods in the StrictHttpFirewall class that allow for the augmentation of the sets of allowable header names, header values, parameter names, and parameter values. The newly introduced methods (addAllowedHeaderNames, addAllowedHeaderValues, addAllowedParameterNames, and addAllowedParameterValues) ensure that users can add to the existing security settings without losing the benefits of the default protections.

This closes #13639

baezzys avatar May 12 '24 15:05 baezzys

Thank you for the review, @jzheaux. However, since the setters are not static, would it be acceptable to change them to public instead of public static?

baezzys avatar May 26 '24 03:05 baezzys

I think they should be static so that you don't need an instance of the firewall to refer to them.

jzheaux avatar May 31 '24 16:05 jzheaux

Thank you for the feedback, @jzheaux.

I have updated the StrictHttpFirewall class to change the private Predicates for allowed header names, header values, parameter names, and parameter values to public static. Additionally, I have changed the corresponding setters.

Please review the changes and let me know if any further adjustments are needed.

baezzys avatar Jun 01 '24 03:06 baezzys

Hi @jzheaux, sorry for the late response. I've made the changes based on your feedback. PTAL. Thanks!

baezzys avatar Jul 10 '24 16:07 baezzys

Thank you, @baezzys, for the PR! This is now merged into main.

jzheaux avatar Jul 19 '24 00:07 jzheaux