Disable invalidRequest.blockTraversal 88/107888/4
author Robert Varga <robert.varga@pantheon.tech>
Sat, 16 Sep 2023 06:31:31 +0000 (08:31 +0200)
committer Robert Varga <robert.varga@pantheon.tech>
Sun, 17 Sep 2023 12:38:47 +0000 (14:38 +0200)
Shiro's traversal filtering disallows escaped slashes, which are part of
RESTCONF spec. Disable traversal filtering by default.

JIRA: AAA-265
Change-Id: I17fce53bf9e8f34a81796fa476508f5dd5a5b7e1
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
aaa-shiro/impl/src/main/resources/initial/aaa-app-config.xml

index fe5806b1e3503bec7d175fea74683e88729d98ff..dfa0a48832c3e7befb2e394dec42ee406ecb60bc 100644 (file)
         <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
     </main>
 
+    <!--
+        Disable parts of invalidRequest filter, as these are blocking valid RESTCONF requests.
+
+        RESTCONF routinely transmits data in URLs. The encoding requires that all reserved URI
+        characters, as defined in https://www.rfc-editor.org/rfc/rfc3986#section-2.2, be
+        percent-encoded. See https://jira.opendaylight.org/browse/AAA-265.
+     -->
+    <main>
+        <!-- ';' is a RFC3986 reserved character -->
+        <pair-key>invalidRequest.blockSemicolon</pair-key>
+        <pair-value>false</pair-value>
+    </main>
+    <main>
+        <!-- '/' is a RFC3986 reserved character -->
+        <pair-key>invalidRequest.blockTraversal</pair-key>
+        <pair-value>false</pair-value>
+    </main>
 
     <!--
       ===================================================================================
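Review bot: The comment on the invalidRequest.blockTraversal entry ("'/' is a RFC3986 reserved character") does not say what is being switched off. Per the commit message the trigger is Shiro rejecting escaped slashes, but setting the value to false disables traversal filtering as a whole in this default configuration, not only for RESTCONF data paths. Please expand the comment to say that, and to state which component is now expected to reject traversal sequences in request paths, so that a deployer reading aaa-app-config.xml can decide whether to turn the check back on. Separately, the same hunk adds invalidRequest.blockSemicolon with value false, which neither the subject line nor the message body mentions. Either cover it in the commit message or move it to its own change.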