Make Tomcat reject unsafe HTTP methods
    <security-constraint>
        <web-resource-collection>
            <!-- web-resource-name is required by the web.xml schema; the name itself is arbitrary -->
            <web-resource-name>restricted-methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <!-- an empty auth-constraint allows no role at all, so Tomcat answers 403 -->
        <auth-constraint>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
With Spring Boot's embedded Tomcat there is no web.xml configuration file, so the same restriction is applied with the following configuration class. In short, the constraint is injected into the Spring container as a bean.
    import org.apache.catalina.Context;
    // on Tomcat 7 these two classes live in org.apache.catalina.deploy instead
    import org.apache.tomcat.util.descriptor.web.SecurityCollection;
    import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
    import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
    import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
    import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class TomcatConfig {

        @Bean
        public EmbeddedServletContainerFactory servletContainer() {
            TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory =
                    new TomcatEmbeddedServletContainerFactory();
            tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer() {
                @Override
                public void customize(Context context) {
                    SecurityConstraint constraint = new SecurityConstraint();
                    SecurityCollection collection = new SecurityCollection();
                    // HTTP methods to block
                    collection.addMethod("PUT");
                    collection.addMethod("DELETE");
                    collection.addMethod("HEAD");
                    collection.addMethod("OPTIONS");
                    collection.addMethod("TRACE");
                    // URL pattern the constraint applies to
                    collection.addPattern("/*");
                    constraint.addCollection(collection);
                    // auth-constraint with no roles: nobody is permitted, Tomcat answers 403
                    constraint.setAuthConstraint(true);
                    context.addConstraint(constraint);
                    // mark the session cookie HttpOnly
                    context.setUseHttpOnly(true);
                }
            });
            return tomcatServletContainerFactory;
        }
    }
Web pages, scripts and files may be uploaded, modified or deleted on the web server.
Insecure HTTP methods are enabled:

    OPTIONS /system HTTP/1.1
    Allow: HEAD, PUT, DELETE, TRACE, OPTIONS, PATCH
What the methods above are used for:
Options, Head, Trace: mainly used by applications to discover and track what the server supports and how the network behaves;
Get: retrieve documents;
Put and Post: submit documents to the server;
Delete: destroy a resource or collection;
Mkcol: create collections;
PropFind and PropPatch: retrieve and set properties of resources and collections;
Copy and Move: manage collections and resources within the namespace;
Lock and Unlock: overwrite protection.
It is obvious from the list that these operations can upload, modify and delete content on the web server and thereby threaten the service. Although WebDAV has its own permission control, a search on the Internet still turns up many attack methods, so if you do not need these methods it is recommended to block them outright.
Add the following to the web.xml of the web application:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>disp</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>PATCH</http-method>
        </web-resource-collection>
        <auth-constraint></auth-constraint>
    </security-constraint>
The above is the detailed content of How does Springboot use built-in tomcat to ban unsafe HTTP. For more information, please follow other related articles on the PHP Chinese website!