[jira] [Commented] (SHIRO-795) Disable session path rewriting by default

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[jira] [Commented] (SHIRO-795) Disable session path rewriting by default

Benjamin Marwell (Jira)

    [ https://issues.apache.org/jira/browse/SHIRO-795?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17220188#comment-17220188 ]

Mahendran Mookkiah commented on SHIRO-795:

Hi [~bdemers], 

It is clear. I felt the same and wonder how does it make more secure. Let me ask security experts from owasp/zapproxy. 

3rd point is something I should work towards understanding.

Thanks for your explanation.

> Disable session path rewriting by default
> -----------------------------------------
>                 Key: SHIRO-795
>                 URL: https://issues.apache.org/jira/browse/SHIRO-795
>             Project: Shiro
>          Issue Type: Improvement
>            Reporter: Brian Demers
>            Priority: Major
>             Fix For: 2.0.0, 1.7.0
> After the addition of the "Invalid Request Filter", URL session rewriting is disabled.
> {code:java}
> # Enable the configuraiton in the session manager
> sessionManager.sessionIdUrlRewritingEnabled = true
> # and the invalid request filter
> invalidRequest.blockSemicolon = false{code}

This message was sent by Atlassian Jira