# Request Validation and Firewall

Spring Security Web's firewall system provides HTTP request validation, sanitization, and attack prevention through configurable rules that protect against malicious requests.

## Core Firewall Components
```java { .api }
public interface HttpFirewall {
    FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException;
    HttpServletResponse getFirewalledResponse(HttpServletResponse response);
}

public class StrictHttpFirewall implements HttpFirewall {
    public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash);
    public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent);
    public void setAllowSemicolon(boolean allowSemicolon);
    public void setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod);
    public FirewalledRequest getFirewalledRequest(HttpServletRequest request);
    public HttpServletResponse getFirewalledResponse(HttpServletResponse response);
}

public interface RequestRejectedHandler {
    void handle(HttpServletRequest request, HttpServletResponse response,
            RequestRejectedException requestRejectedException) throws IOException, ServletException;
}

public class HttpStatusRequestRejectedHandler implements RequestRejectedHandler {
    // The constructor takes the numeric HTTP status code to send, not an HttpStatus enum.
    public HttpStatusRequestRejectedHandler(int httpError);
    public void handle(HttpServletRequest request, HttpServletResponse response,
            RequestRejectedException requestRejectedException) throws IOException;
}
```
## Usage Examples
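```java
import org.springframework.http.HttpStatus;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Configure strict firewall (both values below are already the StrictHttpFirewall
// defaults; setting them explicitly documents the intent)
StrictHttpFirewall firewall = new StrictHttpFirewall();
firewall.setAllowUrlEncodedSlash(false);
firewall.setAllowSemicolon(false);

// `chains` is the List<SecurityFilterChain> built elsewhere in the application
FilterChainProxy proxy = new FilterChainProxy(chains);
proxy.setFirewall(firewall);
// The handler takes the numeric status code, so convert the enum with value()
proxy.setRequestRejectedHandler(new HttpStatusRequestRejectedHandler(HttpStatus.BAD_REQUEST.value()));
```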
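A `RequestRejectedHandler` is also the natural place to record firewall rejections for detection. The class below is an added example, not code from Spring Security or from this page: it logs each rejection with attacker-controlled values neutralised, then delegates to `HttpStatusRequestRejectedHandler` so the client only sees a bare status. The class name `AuditingRequestRejectedHandler` is hypothetical, and the code assumes Spring Security 6 (`jakarta.servlet` namespace) with SLF4J on the classpath.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.RequestRejectedHandler;

// Hypothetical class for illustration; not part of Spring Security.
public class AuditingRequestRejectedHandler implements RequestRejectedHandler {

    private static final Logger log = LoggerFactory.getLogger(AuditingRequestRejectedHandler.class);
    private static final int MAX_LOGGED_LENGTH = 256;

    // Delegate that answers with a plain 400 and no response body.
    private final RequestRejectedHandler delegate =
            new HttpStatusRequestRejectedHandler(HttpServletResponse.SC_BAD_REQUEST);

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            RequestRejectedException ex) throws IOException, ServletException {
        // Everything logged here comes from a request the firewall refused, so
        // treat it as hostile: strip control characters (log injection) and
        // cap the length (log flooding) before writing it out.
        log.warn("Firewall rejected request: method={} uri={} remote={} reason={}",
                sanitize(request.getMethod()), sanitize(request.getRequestURI()),
                sanitize(request.getRemoteAddr()), sanitize(ex.getMessage()));
        // Do not echo the rejection reason back to the client.
        delegate.handle(request, response, ex);
    }

    static String sanitize(String value) {
        if (value == null) {
            return "-";
        }
        String cleaned = value.replaceAll("\\p{Cntrl}", "_");
        return cleaned.length() > MAX_LOGGED_LENGTH
                ? cleaned.substring(0, MAX_LOGGED_LENGTH) + "..." : cleaned;
    }
}
```

Register it with `proxy.setRequestRejectedHandler(new AuditingRequestRejectedHandler());` in place of the plain status handler.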