Spring Boot: disabling insecure HTTP methods in the embedded Tomcat
- 2021-10-25 06:35:33
- OfStack
Spring Boot embedded Tomcat: disabling insecure HTTP methods
1. For a standalone Tomcat, the following can be configured in Tomcat's web.xml to have Tomcat reject the insecure HTTP methods:
    <security-constraint>
        <web-resource-collection>
            <!-- web-resource-name is required by the servlet spec; the value is arbitrary -->
            <web-resource-name>restricted-methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <!-- empty auth-constraint: no role is allowed, so the listed methods are denied for everyone -->
        <auth-constraint>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
2. Spring Boot with embedded Tomcat
There is no web.xml here, but the same constraint can be configured in code as follows; the factory bean simply has to be registered in the Spring container:
    // Spring Boot 1.x API (EmbeddedServletContainerFactory); Spring Boot 2.x renamed these classes.
    // SecurityCollection/SecurityConstraint live in this package on Tomcat 8+; Tomcat 7 used org.apache.catalina.deploy.
    import org.apache.catalina.Context;
    import org.apache.tomcat.util.descriptor.web.SecurityCollection;
    import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
    import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
    import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
    import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class TomcatConfig {
        @Bean
        public EmbeddedServletContainerFactory servletContainer() {
            TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory = new TomcatEmbeddedServletContainerFactory();
            tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer() {
                @Override
                public void customize(Context context) {
                    SecurityConstraint constraint = new SecurityConstraint();
                    SecurityCollection collection = new SecurityCollection();
                    // HTTP methods to block
                    collection.addMethod("PUT");
                    collection.addMethod("DELETE");
                    collection.addMethod("HEAD");
                    collection.addMethod("OPTIONS");
                    collection.addMethod("TRACE");
                    // URL pattern the constraint applies to (the whole context)
                    collection.addPattern("/*");
                    constraint.addCollection(collection);
                    // auth-constraint with no roles: no caller is authorised, so Tomcat refuses the request
                    constraint.setAuthConstraint(true);
                    context.addConstraint(constraint);
                    // Flag the session cookie HttpOnly
                    context.setUseHttpOnly(true);
                }
            });
            return tomcatServletContainerFactory;
        }
    }
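The configuration above uses the Spring Boot 1.x factory API. As an added example that is not part of the original post, here is the Spring Boot 2.x equivalent (TomcatServletWebServerFactory replaced EmbeddedServletContainerFactory) together with an integration test that confirms a blocked method is refused while GET still works. Class, bean and method names are my own, and the test assumes spring-boot-starter-test is on the classpath.

```java
// Added example, not from the original post. File: HttpMethodConstraintConfig.java (name illustrative)
import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class HttpMethodConstraintConfig {
    // Same method list as the post. Caveat: blocking HEAD breaks many load-balancer health
    // checks and blocking OPTIONS breaks CORS preflight; remove them from this list if you rely on either.
    static final String[] BLOCKED = {"PUT", "DELETE", "HEAD", "OPTIONS", "TRACE", "PATCH"};

    @Bean
    WebServerFactoryCustomizer<TomcatServletWebServerFactory> blockInsecureMethods() {
        return factory -> factory.addContextCustomizers((Context ctx) -> {
            SecurityCollection collection = new SecurityCollection();
            collection.addPattern("/*");                          // every URL in the context
            for (String m : BLOCKED) collection.addMethod(m);     // only the listed methods are constrained
            SecurityConstraint constraint = new SecurityConstraint();
            constraint.addCollection(collection);
            constraint.setAuthConstraint(true);                   // no roles listed => nobody authorised => 403
            ctx.addConstraint(constraint);
            ctx.setUseHttpOnly(true);                             // session cookie flagged HttpOnly
        });
    }
}

// File: HttpMethodConstraintTest.java (name illustrative). DELETE is exercised rather than TRACE
// because Tomcat's connector already refuses TRACE (405) on its own, which would mask the constraint.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotEquals;

@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class HttpMethodConstraintTest {
    @Autowired TestRestTemplate rest;   // TestRestTemplate does not throw on 4xx, so status can be asserted

    @Test
    void deleteIsForbiddenButGetIsNot() {
        assertEquals(HttpStatus.FORBIDDEN, rest.exchange("/", HttpMethod.DELETE, null, String.class).getStatusCode());
        assertNotEquals(HttpStatus.FORBIDDEN, rest.exchange("/", HttpMethod.GET, null, String.class).getStatusCode());
    }
}
```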
Enabled insecure HTTP methods (scanner finding)
Problem description:
Web pages, scripts, and files may be uploaded, modified, or deleted on the web server.
Scanner evidence (request and the server's Allow header in the response):
    OPTIONS /system HTTP/1.1
    Allow: HEAD, PUT, DELETE, TRACE, OPTIONS, PATCH
What the listed methods are used for:
- OPTIONS, HEAD, TRACE: used mainly by client applications to discover and track server capabilities and network behaviour
- GET: retrieve a document
- PUT and POST: submit a document to the server
- DELETE: destroy a resource or collection
- MKCOL: create a collection
- PROPFIND and PROPPATCH: retrieve and set properties of resources and collections
- COPY and MOVE: manage collections and resources within a namespace
- LOCK and UNLOCK: overwrite protection
Clearly, the operations above can upload, modify and delete content on the web server, which is a threat to the service. Although WebDAV has its own access control, attack techniques against it are widely published, so if these methods are not needed it is recommended to block them outright.
Solution:
Add the following to the web application's web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>disp</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>PATCH</http-method>
        </web-resource-collection>
        <auth-constraint></auth-constraint>
    </security-constraint>