The request was rejected because the header value "TomažÄ" is not allowed.

[sysmat]

• spring-boot-starter-parent:2.4.0
• I have @Controller with path function with parm @RequestHeader Map<String, String> allHeaders
• Post request with some custom http header key sn: Tomažč but I got error
• error:

[org.springframework.security.web.firewall.StrictHttpFirewall$StrictFirewalledRequest.validateAllowedHeaderValue(StrictHttpFirewall.java:739),
 org.springframework.security.web.firewall.StrictHttpFirewall$StrictFirewalledRequest.getHeader(StrictHttpFirewall.java:628),
 javax.servlet.http.HttpServletRequestWrapper.getHeader(HttpServletRequestWrapper.java:88),
 javax.servlet.http.HttpServletRequestWrapper.getHeader(HttpServletRequestWrapper.java:88),
 org.springframework.web.context.request.ServletWebRequest.getHeader(ServletWebRequest.java:129),
 org.springframework.web.method.annotation.RequestHeaderMapMethodArgumentResolver.resolveArgument(RequestHeaderMapMethodArgumentResolver.java:83),
 org.springframework.web.method.support.HandlerMethodArgumentResolverComposite.resolveArgument(HandlerMethodArgumentResolverComposite.java:121),
 org.springframework.web.method.support.InvocableHandlerMethod.getMethodArgumentValues(InvocableHandlerMethod.java:170),
 org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137),
 org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:106),
 org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:893),
 org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:807),
 org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87),
 org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1061),
 org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:961),
 org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006),
 org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898),
 javax.servlet.http.HttpServlet.service(HttpServlet.java:626),
 org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883),
 javax.servlet.http.HttpServlet.service(HttpServlet.java:733),
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231),
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),
 org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53),
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),
 org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:113),
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),
 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:327),
 org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115),
 org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:81),
 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336),
 org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119),
 org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113),
 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336),
 org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:126),
 org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81),
 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336),
 org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:105),
 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336),
 org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:149),
 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336),
 org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63),
 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336),
 si.arnes.dmsedu.security.JwtAuthorizationTokenFilter.doFilterInternal(JwtAuthorizationTokenFilter.java:41),
 org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),
 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336),
 org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103),
 org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89),
 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336),
 org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90),
 org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75),
 org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),
 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336),
 org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110),
 org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80),
 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336),
 org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55),
 org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),
 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336),
 org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211),
 org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183),
 org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358),
 org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271),
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),
 org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100),
 org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),
 org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93),
 org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),
 org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:93),
 org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),
 org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201),
 org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),
 org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202),
 org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97),
 org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542),
 org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143),
 org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92),
 org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78),
 org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343),
 org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374),
 org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65),
 org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868),
 org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590),
 org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49),
 java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149),
 java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624),
 org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61),
 java.lang.Thread.run(Thread.java:748)]

[bclozel]

HTTP headers usually only allow ASCII characters or strings encoded with MIME header encoding. Is that the case in your sample application?

If the header is properly encoded, could you please provide a sample project reproducing the issue (ideally something simple we can git clone and run to reproduce the problem)?

Thanks!

[sysmat]

• ok but why is char ž ok, is also non-ASCII and there is no error
• with spring-boot-starter-parent:2.3.6.RELEASE works like a charm, no problems with non-ASCII header values

[wilkinsona]

@sysmat A sample project will help us to figure that out.

[sysmat]

It's is from https://start.spring.io/

• maven

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.4.1</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>si.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>Demo project for Spring Boot</description>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

• main

@SpringBootApplication
public class DemoApplication {

	public static void main(String[] args) {
		SpringApplication.run(DemoApplication.class, args);
	}
}

• controller

@RestController
public class RestApi {
        
    @GetMapping("/headers")
    public String headers(@RequestHeader Map<String, String> allHeaders) {
        allHeaders.forEach((key, value) -> System.out.println("key="+key+", value="+value));
        return "oj";
    }
    
}

• ResourcesExceptionHandler:

@ControllerAdvice
@RestController
public class ResourcesExceptionHandler {    

    @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
    @ExceptionHandler(value = Exception.class)
    public void generalException(Exception e) {
        System.out.error("Exception="+ e.getMessage()+ "casue="+e.getCause()+"stack="+e.getStackTrace());        
    }
}

• client

curl http://localhost:8080/headers -H "name: tomažč"

[snicoll]

@sysmat thank you but if you have the project at hand, please share it so that we don't have to copy paste all that text in something that we can run.

[wilkinsona]

This is standard behaviour in Spring Security 5.4 to which Spring Boot 2.4 upgraded. This is mentioned in the Spring Security documentation which also provides some information about configuring the behaviour