Describe the bug
Special characters in the cookie cause 400 bad requests from the Spring Security HTTP firewall
To Reproduce
Steps to reproduce the behavior locally:
1. http://localhost:8080/catalogue/srv/eng/catalog.search
2. Go to the application tab in the browser and add a cookie with special characters, such as ẞ, 我, ’, 😀
3. Refresh the page
4. Will see the described 400 bad request error in the UI
Expected behavior
Support special characters in the cookie
Screenshots
Log file
Error Message from Spring
Message Cannot build ServiceRequest Cause : The request was rejected because the header value "XSRF-TOKEN=4e62422e-0856-4b71-9dd6-ac8c8c5ce378; JSESSIONID=419CAE53ADA85118DC471FA40C563195; serverTime=1721755840263; sessionExpiry=1721755840263; test=�" is not allowed. Error : org.springframework.security.web.firewall.RequestRejectedException
Desktop (please complete the following information):
Edge
4.2.9
Tomcat 9.0.87 with Java 8
Additional context
Likely caused by Spring misinterpreting the cookie value as ISO-8859-1 (Latin1) instead of UTF-8, which can be fixed by configuring the following:
https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html
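A sketch of the firewall setting the linked page documents, `StrictHttpFirewall.setAllowedHeaderValues`, added here as an example and not taken from the issue or the project's code. It assumes the container hands Spring the cookie's UTF-8 bytes decoded as ISO-8859-1 and that the firewall is wired as a bean; the class name, the strict-decoding step and the sample values are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class Utf8HeaderFirewallConfig { // hypothetical class name
    // Assigned code points only, no control characters (so CR/LF stay rejected).
    static final Pattern ASSIGNED_NOT_CONTROL =
            Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*");

    // Assumption: header bytes arrive decoded as ISO-8859-1, so the original
    // bytes can be recovered and re-decoded as UTF-8 before the character check.
    static boolean isAllowedHeaderValue(String raw) {
        if (!StandardCharsets.ISO_8859_1.newEncoder().canEncode(raw)) {
            return ASSIGNED_NOT_CONTROL.matcher(raw).matches(); // not a Latin-1 view: check as-is
        }
        try {
            String decoded = StandardCharsets.UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(ByteBuffer.wrap(raw.getBytes(StandardCharsets.ISO_8859_1)))
                    .toString();
            return ASSIGNED_NOT_CONTROL.matcher(decoded).matches();
        } catch (CharacterCodingException e) {
            return false; // bytes are not valid UTF-8: keep rejecting
        }
    }

    @Bean
    public StrictHttpFirewall httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowedHeaderValues(Utf8HeaderFirewallConfig::isAllowedHeaderValue);
        return firewall;
    }

    public static void main(String[] args) {
        // Constructed sample: "test=我" sent as UTF-8, viewed through an ISO-8859-1 decode.
        String seen = new String("test=我".getBytes(StandardCharsets.UTF_8),
                StandardCharsets.ISO_8859_1);
        // Character check applied to the Latin-1 view, without re-decoding.
        System.out.println(ASSIGNED_NOT_CONTROL.matcher(seen).matches());
        // Same value after the UTF-8 re-decode.
        System.out.println(isAllowedHeaderValue(seen));
        // Constructed header value containing CR/LF.
        System.out.println(isAllowedHeaderValue("test=a\r\nSet-Cookie: x=1"));
    }
}
```

The strict decoder is a deliberate tightening: a lenient `new String(bytes, UTF_8)` turns malformed sequences into U+FFFD, which is an assigned character and would pass the pattern.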