
How does Springboot use built-in tomcat to ban unsafe HTTP

WBOY
2023-05-12 11:49:05

Springboot's built-in tomcat prohibits unsafe HTTP methods

1. Standalone Tomcat: configure the following in Tomcat's web.xml

This makes Tomcat reject the listed unsafe HTTP methods for every URL:

<security-constraint>
    <web-resource-collection>
        <!-- web-resource-name is mandatory in the web.xml schema -->
        <web-resource-name>unsafe-http-methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- empty auth-constraint: no role is allowed, so every request with these methods is refused -->
    <auth-constraint>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

2. Spring boot uses the built-in tomcat

With the embedded Tomcat there is no web.xml to edit. The same constraint is instead registered programmatically: in short, a customized Tomcat factory is injected into the Spring container as a bean.

// Spring Boot 1.x API (EmbeddedServletContainerFactory) with Tomcat 8 descriptor classes;
// the factory and customizer class names changed in Spring Boot 2.x.
import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {
    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory = new TomcatEmbeddedServletContainerFactory();
        tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer() {

            @Override
            public void customize(Context context) {
                SecurityConstraint constraint = new SecurityConstraint();
                SecurityCollection collection = new SecurityCollection();
                // HTTP methods to deny (same list as the web.xml <http-method> entries)
                collection.addMethod("PUT");
                collection.addMethod("DELETE");
                collection.addMethod("HEAD");
                collection.addMethod("OPTIONS");
                collection.addMethod("TRACE");
                // URL pattern the constraint applies to (same as <url-pattern>)
                collection.addPattern("/*");
                constraint.addCollection(collection);
                // auth constraint with no roles: no user satisfies it, so Tomcat answers 403
                constraint.setAuthConstraint(true);
                context.addConstraint(constraint);

                // issue session cookies with the HttpOnly attribute
                context.setUseHttpOnly(true);
            }
        });
        return tomcatServletContainerFactory;
    }
}
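The same constraint written for Spring Boot 2.x and later, where the 1.x factory above was replaced by TomcatServletWebServerFactory, as an added example that is not part of the original article; the class, bean and collection names are my own, and it deliberately leaves HEAD and OPTIONS allowed because OPTIONS carries CORS preflight requests and HEAD is used by health probes.

```java
import java.util.Arrays;
import java.util.List;

import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatUnsafeMethodsConfig {

    // Methods denied for every URL (hypothetical list chosen for this example).
    // HEAD and OPTIONS are not listed: OPTIONS is needed for CORS preflight and
    // HEAD by monitoring probes. Add them, as the article's web.xml does, only
    // when nothing legitimate depends on them.
    private static final List<String> DENIED_METHODS =
            Arrays.asList("PUT", "DELETE", "TRACE", "PATCH");

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> denyUnsafeHttpMethods() {
        // TomcatContextCustomizer is a functional interface in Spring Boot 2.x, so a lambda suffices.
        return factory -> factory.addContextCustomizers(context -> {
            SecurityCollection collection = new SecurityCollection();
            collection.setName("unsafe-http-methods"); // equivalent of <web-resource-name>
            collection.addPattern("/*");               // equivalent of <url-pattern>
            for (String method : DENIED_METHODS) {
                collection.addMethod(method);          // equivalent of <http-method>
            }

            SecurityConstraint constraint = new SecurityConstraint();
            constraint.addCollection(collection);
            // An auth constraint with no roles is the programmatic form of an empty
            // <auth-constraint/>: no principal satisfies it, so Tomcat answers 403
            // without issuing an authentication challenge.
            constraint.setAuthConstraint(true);
            context.addConstraint(constraint);

            // Session cookies are issued with the HttpOnly attribute.
            context.setUseHttpOnly(true);
        });
    }
}
```

After startup, a request such as `curl -i -X TRACE http://localhost:8080/` against the application should be answered with 403 Forbidden, which is the check to run before closing a scanner finding.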

Scanner finding: unsafe HTTP methods enabled

Problem Description:

Web pages, scripts and files may be uploaded, modified or deleted on the web server.

"Insecure HTTP methods are enabled":
OPTIONS /system HTTP/1.1
Allow: HEAD, PUT, DELETE, TRACE, OPTIONS, PATCH

What these methods are used for:

  • OPTIONS, HEAD, TRACE: mainly used by clients to discover what the server supports and to trace network behaviour;

  • GET: retrieve a document;

  • PUT and POST: submit a document to the server;

  • DELETE: destroy a resource or collection;

  • MKCOL: create a collection;

  • PROPFIND and PROPPATCH: retrieve and set properties of resources and collections;

  • COPY and MOVE: manage collections and resources within a namespace;

  • LOCK and UNLOCK: protect a resource against concurrent overwriting.

Clearly, these operations allow files on the web server to be uploaded, modified or deleted, which threatens the service. Although WebDAV has permission controls, plenty of attack techniques against it are documented, so if you do not need these methods it is recommended to block them outright.

Solution:

Add the following to the web application's web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>disp</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>PATCH</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
</security-constraint>

Tag introduction:

  • <security-constraint> restricts access to resources;

  • <auth-constraint> limits which roles may access the resources. Leaving it empty means that users of every role are denied access;

  • <url-pattern> specifies the resources to which the constraint applies;

  • <http-method> specifies the methods to which the constraint applies.


Statement:
This article is reproduced from yisu.com. If there is any infringement, please contact admin@php.cn for deletion.