Background of the problem
When a user requests a protected URL (e.g. http://localhost/index) without the required permissions, they are redirected to the login page.
So that the user can be sent back to the originally requested page, http://localhost/index, after a successful login, Spring Security saves that request in the HTTP session, which is identified by the jsessionid.
When it issues the redirect, the Servlet container (Tomcat, for example) appends the jsessionid to the end of the redirected URL, giving something like http://localhost/index;jsessionid=<session id>.
This request is intercepted by Spring Security's StrictHttpFirewall, which throws an exception:
"The request was rejected because the URL contained a potentially malicious String ";"."
OWASP states that exposing the jsessionid in a URL is very dangerous because it can lead to session fixation attacks, so the behaviour above is not recommended.
There are currently two solutions.
Allow the URL to carry the jsessionid
If browser cookies are disabled, or your application can tolerate the security vulnerability described above, you can take this approach in Spring Security.
Modify the session tracking mechanism of the Servlet container
Configure Tomcat's session tracking mode in Spring Boot.
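The two solutions side by side, as an added configuration example that is not part of the original post. It assumes a Spring Boot 2.x application with Spring Security 5.4 or later (javax.servlet APIs); the class and method names are my own.

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.SessionTrackingMode;

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class SessionTrackingConfig {

    // Second solution (preferred): restrict the container to cookie-based session
    // tracking. Tomcat then never rewrites ";jsessionid=..." into the redirect URL,
    // so StrictHttpFirewall never sees the ';' and the session id stays out of
    // URLs, access logs, Referer headers and browser history.
    @Bean
    public ServletContextInitializer cookieOnlySessionTracking() {
        return (ServletContext servletContext) ->
                servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    // First solution (fallback): tell StrictHttpFirewall to accept ';' in the URL.
    // This keeps the jsessionid-in-URL exposure the text warns about, so it is left
    // unregistered here (no @Bean) and should only be enabled for clients that
    // genuinely cannot use cookies.
    public WebSecurityCustomizer allowSemicolonInUrl() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        return web -> web.httpFirewall(firewall);
    }
}
```

The cookie-only setting can also be expressed as the Spring Boot property server.servlet.session.tracking-modes=cookie instead of the ServletContextInitializer bean.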