This filter wraps the incoming request and outgoing response and overrides
many methods with safer versions. Many of the safer versions simply validate
parts of the request or response for unwanted characters before allowing the
call to complete. Some examples of attacks that use these
vectors include request splitting, response splitting, and file download
injection. Attackers use techniques like CRLF injection and null byte injection
to confuse the parsing of requests and responses.
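The wrap-and-validate pattern described above, as an added sketch that is not the SecurityWrapper source: the class names `HeaderSafeFilter` and `HeaderSafeResponse` and the helper `requireClean` are hypothetical, and rejecting a bad value with an exception is an assumption of this example, not a statement of how SecurityWrapper handles it.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical names; an illustration of the pattern, not ESAPI code.
public class HeaderSafeFilter implements Filter {

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // Assumes an HTTP request. Everything downstream receives the wrapper,
        // so application code cannot reach the container's raw response.
        chain.doFilter(req, new HeaderSafeResponse((HttpServletResponse) resp));
    }

    // Reject CR, LF and NUL, the characters behind response splitting and
    // null byte injection. A null value is passed through unchanged so the
    // container's own handling of null still applies.
    static String requireClean(String what, String value) {
        if (value == null) return null;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') {
                throw new IllegalArgumentException(
                        what + " contains a forbidden control character at index " + i);
            }
        }
        return value;
    }

    static class HeaderSafeResponse extends HttpServletResponseWrapper {
        HeaderSafeResponse(HttpServletResponse response) { super(response); }

        @Override public void setHeader(String name, String value) {
            super.setHeader(requireClean("header name", name), requireClean("header value", value));
        }
        @Override public void addHeader(String name, String value) {
            super.addHeader(requireClean("header name", name), requireClean("header value", value));
        }
        @Override public void sendRedirect(String location) throws IOException {
            super.sendRedirect(requireClean("redirect location", location));
        }
    }
}
```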
Example Configuration #1 (Default Configuration allows /WEB-INF):
<filter>
    <filter-name>SecurityWrapperDefault</filter-name>
    <filter-class>org.owasp.filters.SecurityWrapper</filter-class>
</filter>
Example Configuration #2 (Allows /servlet):
<filter>
    <filter-name>SecurityWrapperForServlet</filter-name>
    <filter-class>org.owasp.filters.SecurityWrapper</filter-class>
    <init-param>
        <param-name>allowableResourceRoot</param-name>
        <param-value>/servlet</param-value>
    </init-param>
</filter>