How does Springboot use built-in tomcat to ban unsafe HTTP
- WBOYforward
- 2023-05-12 11:49:052066browse
Springboot's built-in tomcat prohibits unsafe HTTP methods
1. You can configure the following content in tomcat's web.xml
Let tomcat prohibit unsafe HTTP methods
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>2. Spring boot uses the built-in tomcat
There is no web.xml configuration file. You can configure it through the following configuration. Simply put, it is to be injected into the Spring container
@Configuration
public class TomcatConfig {
@Bean
public EmbeddedServletContainerFactory servletContainer() {
TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory = new TomcatEmbeddedServletContainerFactory();
tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer(){
@Override
public void customize(Context context) {
SecurityConstraint constraint = new SecurityConstraint();
SecurityCollection collection = new SecurityCollection();
//http方法
collection.addMethod("PUT");
collection.addMethod("DELETE");
collection.addMethod("HEAD");
collection.addMethod("OPTIONS");
collection.addMethod("TRACE");
//url匹配表达式
collection.addPattern("/*");
constraint.addCollection(collection);
constraint.setAuthConstraint(true);
context.addConstraint(constraint );
//设置使用httpOnly
context.setUseHttpOnly(true);
}
});
return tomcatServletContainerFactory;
}
}Enable unsafe HTTP methods
Problem Description:
Web pages, scripts and files may be uploaded, modified or deleted on the web server.
"Insecure HTTP methods are enabled: OPTIONS /system HTTP/1.1Allow: HEAD, PUT, DELETE, TRACE, OPTIONS, PATCH
Use of the above method:
Options, Head, Trace: Mainly used by applications to discover and track server support and network behavior;
Get: Retrieve documents;
Put and Post: Submit the document to the server;
Delete: Destroy the resource or collection;
Mkcol: Create Collections
PropFind and PropPatch: Retrieve and set properties for resources and collections;
Copy and Move: Manage collections and collections in namespace contexts Resources;
Lock and Unlock: overwrite protection
It is obvious that the above operation details can upload, modify, delete, etc. to the web server. Threaten the service. Although WebDAV has permission control, a search on the Internet still shows a lot of attack methods, so if you don’t need these methods, it is recommended to block them directly.
Solution:
Add the following content to web.xml in the web application
<security-constraint>
<web-resource-collection>
<web-resource-name>disp</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>PATCH</http-method>
</web-resource-collection>
<auth-constraint></auth-constraint>
</security-constraint>Tag introduction:
- ##84b6cf644bd9f54bb62a105bfe5ffc42 is used to restrict access to resources;
- fc0069494b7e459eab1bf2c31c9d7aac is used to limit those roles that can access resources. Setting it to empty here means that all role users are prohibited from accessing;
- < ;url-pattern>Specify the resources that need to be verified
- b190c47e8c533223e36c741af28a3317Specify those methods that need to be verified
The above is the detailed content of How does Springboot use built-in tomcat to ban unsafe HTTP. For more information, please follow other related articles on the PHP Chinese website!