Disable invalidRequest.blockTraversal 01/107901/1
author Robert Varga <robert.varga@pantheon.tech>
Sat, 16 Sep 2023 06:31:31 +0000 (08:31 +0200)
committer Robert Varga <robert.varga@pantheon.tech>
Mon, 18 Sep 2023 08:46:28 +0000 (10:46 +0200)
Shiro's traversal filtering disallows escaped slashes, which are part of
RESTCONF spec. Disable traversal filtering by default.

JIRA: AAA-265
Change-Id: I17fce53bf9e8f34a81796fa476508f5dd5a5b7e1
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
(cherry picked from commit 3abb8fff9677c0f4c52302926eac89eeb87161dc)

aaa-shiro/impl/src/main/resources/initial/aaa-app-config.xml

index 03cfaf355987e07bf98324be62f167e1ecd939c3..1fc146e223c119a260a08dfe2e5e6fbf6ae1f78e 100644 (file)
         <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
     </main>
 
+    <!--
+        Disable parts of invalidRequest filter, as these are blocking valid RESTCONF requests.
+
+        RESTCONF routinely transmits data in URLs. The encoding requires that all reserved URI
+        characters, as defined in https://www.rfc-editor.org/rfc/rfc3986#section-2.2, be
+        percent-encoded. See https://jira.opendaylight.org/browse/AAA-265.
+     -->
+    <main>
+        <!-- ';' is a RFC3986 reserved character -->
+        <pair-key>invalidRequest.blockSemicolon</pair-key>
+        <pair-value>false</pair-value>
+    </main>
+    <main>
+        <!-- '/' is a RFC3986 reserved character -->
+        <pair-key>invalidRequest.blockTraversal</pair-key>
+        <pair-value>false</pair-value>
+    </main>
 
     <!--
       ===================================================================================
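Review bot: the added `<main>` block that sets invalidRequest.blockSemicolon to false is not covered by the commit subject or message, which name only blockTraversal; either mention the semicolon change in the message or move it to its own commit so the weakened default is visible in the history. The inline comment above invalidRequest.blockTraversal says only "'/' is a RFC3986 reserved character", while the commit message says the requests being rejected are those with escaped slashes; the comment should say that percent-encoded slashes are the case being unblocked. Because the key turns off the traversal check as a whole rather than only that case, the comment block should also state which component is expected to reject traversal sequences in request paths once this default is false.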