Spring Boot: using the built-in Tomcat to disable insecure HTTP methods

  • 2021-10-25 06:35:33
  • OfStack

Disabling insecure HTTP methods in Spring Boot's built-in Tomcat

1. The following can be configured in Tomcat's web.xml

This makes Tomcat reject the insecure HTTP methods:


<security-constraint>
    <web-resource-collection>
        <!-- required by the servlet schema; any descriptive name will do -->
        <web-resource-name>restricted-methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- an empty auth-constraint grants no role, so every caller is denied -->
    <auth-constraint>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

2. Spring Boot with the built-in Tomcat

There is no web.xml configuration file here, but the same constraint can be configured as follows: a bean that customizes the embedded Tomcat context is registered in the Spring container.


import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Spring Boot 1.x API (the EmbeddedServletContainerFactory classes were replaced in 2.x)
@Configuration
public class TomcatConfig {
    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory = new TomcatEmbeddedServletContainerFactory();
        tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer() {

            @Override
            public void customize(Context context) {
                SecurityConstraint constraint = new SecurityConstraint();
                SecurityCollection collection = new SecurityCollection();
                // HTTP methods to deny (the <http-method> entries of web.xml)
                collection.addMethod("PUT");
                collection.addMethod("DELETE");
                collection.addMethod("HEAD");
                collection.addMethod("OPTIONS");
                collection.addMethod("TRACE");
                // URL pattern the constraint applies to (the <url-pattern> entry)
                collection.addPattern("/*");
                constraint.addCollection(collection);
                // Auth constraint with no roles, i.e. the empty <auth-constraint/>: every caller is denied
                constraint.setAuthConstraint(true);
                context.addConstraint(constraint);

                // Mark the session cookie HttpOnly
                context.setUseHttpOnly(true);
            }
        });
        return tomcatServletContainerFactory;
    }
}

Insecure HTTP methods enabled

Problem description:

Web pages, scripts, and files may be uploaded, modified, or deleted on the Web server.

Enabled insecure HTTP methods:
OPTIONS /system HTTP/1.1
Allow: HEAD, PUT, DELETE, TRACE, OPTIONS, PATCH

What the methods above are used for:

OPTIONS, HEAD, TRACE: mainly used by a client to discover and trace what the server supports and how the network behaves;
GET: retrieve a document;
PUT and POST: submit a document to the server;
DELETE: destroy a resource or collection;
MKCOL: create a collection;
PROPFIND and PROPPATCH: retrieve and set properties on resources and collections;
COPY and MOVE: manage collections and resources within a namespace;
LOCK and UNLOCK: overwrite protection.

Clearly, the methods listed above can upload, modify and delete content on the web server, which is a threat to the service. WebDAV does have access control, but attack techniques against it are widely documented online, so if these methods are not needed it is recommended to block them outright.

Solution:

Add the following to the web application's web.xml:


<security-constraint>
    <web-resource-collection>
        <web-resource-name>disp</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>PATCH</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
</security-constraint>

Element description:

<security-constraint>: restricts access to resources;
<auth-constraint>: restricts which roles may access the resources; it is left empty here, so users of every role are denied;
<url-pattern>: specifies the resources the constraint protects;
<http-method>: specifies which methods are subject to the constraint.
