Friday, 31 October 2014

ModSecurity Rule Execution Order and ctl:ruleRemoveById

In ModSecurity, rules are executed in the order in which they are "physically" included in Apache's httpd.conf file, grouped by phase: first all the rules for phase 1, then all the rules for phase 2, and so on.

The documentation for ctl:ruleRemoveById states that "since this action is triggered at run time, it should be specified before the rule which it is disabling".

"Before" in this case means that the rule containing ctl:ruleRemoveById needs to run before the rule to be removed.

This means that if the rule to be removed runs in phase 1, then the rule removing it needs to be "physically" included before the rule to be removed.

But if the rule to be removed runs in phase 2, then the rule removing it can be "physically" included after the rule to be removed, as long as it runs in phase 1.
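
The orderings described above, as an added ModSecurity 2.x configuration that is not part of the original post. The rule ids, the /healthcheck path and the matched conditions are constructed for illustration.

```apache
# Constructed example: all rule ids and the /healthcheck path are hypothetical.

# Case 1: the target (1002) runs in phase 1, so the removing rule (1001)
# must be included BEFORE it in the file.
SecRule REQUEST_URI "@beginsWith /healthcheck" \
    "id:1001,phase:1,pass,nolog,ctl:ruleRemoveById=1002"

SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:1002,phase:1,deny,status:403,msg:'Missing User-Agent header'"

# Case 2: the target (2001) runs in phase 2. The removing rule (2002) is
# included AFTER it, but still takes effect: it runs in phase 1, and all
# phase 1 rules run before any phase 2 rule.
SecRule ARGS "@contains <script" \
    "id:2001,phase:2,deny,status:403,msg:'Script tag in argument'"

SecRule REQUEST_URI "@beginsWith /healthcheck" \
    "id:2002,phase:1,pass,nolog,ctl:ruleRemoveById=2001"

# Case 3 (ineffective): target (3001) and removing rule (3002) both run in
# phase 1, and the removing rule is included after the target. Rule 3001 has
# already been evaluated by the time 3002 runs, so the removal comes too late.
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "id:3001,phase:1,deny,status:400,msg:'Missing Host header'"

SecRule REQUEST_URI "@beginsWith /healthcheck" \
    "id:3002,phase:1,pass,nolog,ctl:ruleRemoveById=3001"
```

When reviewing exclusions, check both the phase and the include position of every rule that uses ctl:ruleRemoveById; an exclusion placed as in case 3 silently does nothing.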



Wednesday, 1 October 2014

Spring MVC: Setting 'alwaysUseFullPath' on 'RequestMappingHandlerMapping' when using 'mvc:annotation-driven'

It seems that the recommended way to set 'alwaysUseFullPath' on 'RequestMappingHandlerMapping' when using <mvc:annotation-driven /> is to use a 'BeanPostProcessor':

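 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.config.BeanPostProcessor;
 import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

 // Sets alwaysUseFullPath on the RequestMappingHandlerMapping bean registered by <mvc:annotation-driven />.
 public class MyBeanPostProcessor implements BeanPostProcessor {
   private static final Logger logger = LoggerFactory.getLogger(MyBeanPostProcessor.class);

   // Runs before the bean's init callbacks, so the flag is set before handler methods are detected.
   @Override
   public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
     if (bean instanceof RequestMappingHandlerMapping) {
       setAlwaysUseFullPath((RequestMappingHandlerMapping) bean, beanName);
     }
     return bean;
   }

   private void setAlwaysUseFullPath(RequestMappingHandlerMapping requestMappingHandlerMapping, String beanName) {
     logger.info("Setting 'AlwaysUseFullPath' on 'RequestMappingHandlerMapping'-bean to true. Bean name: {}", beanName);
     requestMappingHandlerMapping.setAlwaysUseFullPath(true);
   }

   // No changes needed after initialization; return the bean as-is.
   @Override
   public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
     return bean;
   }
 }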

See: http://docs.spring.io/spring/docs/4.0.7.RELEASE/spring-framework-reference/htmlsingle/#mvc-handlermapping