May 15, 2018 at 07:20 PM

Backoffice Spring MVC matrix variables lead to exception due to the new StrictHttpFirewall in Spring Security 4.2.4

Since Hybris 6.6.0.3 we encounter troubles with the backoffice application. When opening the backoffice at "https://localhost:9002/backoffice", Spring Security sends a redirect to "https://localhost:9002/backoffice/login.zul". If cookies were not detected, the session id is appended using Spring MVC matrix variables, e.g.: "https://localhost:9002/backoffice/login.zul;jsessionid=CE6AC0708F276131587063F703587B3A".

Since Spring Security/MVC 4.2.4, the use of matrix variables is prohibited by default, see: https://docs.spring.io/spring-security/site/docs/4.2.4.RELEASE/apidocs/org/springframework/security/web/firewall/StrictHttpFirewall.html

Therefore, any URL that uses the matrix variables does not work with the backoffice application anymore.

We strongly need a fix that replaces the StrictHttpFirewall with the DefaultHttpFirewall implementation that was used before, as one of our customers does not allow cookies and, therefore, is not able to use the backoffice anymore.

Is SAP working on a fix for that?

Thx, Bechte
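An added example of how a Spring Security 4.2.4+ Java configuration can keep StrictHttpFirewall while permitting the semicolon that carries `;jsessionid=` path parameters; this is not code from the post or from SAP Hybris, and the class and bean names are hypothetical. Unlike swapping in DefaultHttpFirewall wholesale, this relaxes only the one check the backoffice redirect trips over.

```java
// Added example (not from the post or SAP Hybris): Spring Security 4.2.4+
// Java config that keeps StrictHttpFirewall but allows ';' in the request
// path so ";jsessionid=..." URLs pass. Class and bean names are hypothetical.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
@EnableWebSecurity
public class BackofficeFirewallConfig extends WebSecurityConfigurerAdapter {

    // Narrow relaxation: only the semicolon check is disabled. URL-encoded
    // slashes, backslashes, encoded percent signs and similar normalisation
    // tricks are still rejected by StrictHttpFirewall.
    @Bean
    public HttpFirewall backofficeHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true); // required for ";jsessionid=" path parameters
        return firewall;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Replace the default StrictHttpFirewall instance with the relaxed one.
        // "web.httpFirewall(new DefaultHttpFirewall())" would also unblock the
        // backoffice, but it drops every check StrictHttpFirewall adds, not
        // just the semicolon rule.
        web.httpFirewall(backofficeHttpFirewall());
    }
}
```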