
How Spring Boot's embedded Tomcat can block unsafe HTTP methods

WBOY
Release: 2023-05-12 11:49:05

Blocking unsafe HTTP methods in Spring Boot's embedded Tomcat

1. With a standalone Tomcat, add the following to the application's web.xml to make Tomcat reject the unsafe methods.

The empty <auth-constraint> means that no role is permitted, so Tomcat answers every listed method with 403 for any URL matching /*. Only the methods that are listed are blocked; a method you leave out (PATCH, for example) stays allowed. The <login-config> block is not needed for the denial itself; it only declares the authentication scheme Tomcat would use for constraints that do grant roles.

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

2. Spring Boot with the embedded Tomcat

There is no web.xml, so the same constraint is registered programmatically: declare a bean that customizes the embedded Tomcat context, and Spring injects it into the container. The class names below are the Spring Boot 1.x API (EmbeddedServletContainerFactory was renamed ServletWebServerFactory in Spring Boot 2.0); the Tomcat SecurityConstraint calls are the same in later versions.

import org.apache.catalina.Context;
// On Tomcat 7 (Spring Boot 1.0-1.2) these two live in org.apache.catalina.deploy
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory = new TomcatEmbeddedServletContainerFactory();
        tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer() {

            @Override
            public void customize(Context context) {
                SecurityConstraint constraint = new SecurityConstraint();
                SecurityCollection collection = new SecurityCollection();
                // HTTP methods to block (same as the <http-method> entries in web.xml)
                collection.addMethod("PUT");
                collection.addMethod("DELETE");
                collection.addMethod("HEAD");
                collection.addMethod("OPTIONS");
                collection.addMethod("TRACE");
                // URL pattern the constraint applies to (same as <url-pattern>)
                collection.addPattern("/*");
                constraint.addCollection(collection);
                // true with no roles added is the equivalent of an empty <auth-constraint/>:
                // no role satisfies it, so Tomcat answers the listed methods with 403
                constraint.setAuthConstraint(true);
                context.addConstraint(constraint);

                // Unrelated to HTTP methods: mark the session cookie HttpOnly
                context.setUseHttpOnly(true);
            }
        });
        return tomcatServletContainerFactory;
    }
}
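The configuration above uses the Spring Boot 1.x class names. Since Spring Boot 2.0 the factory is TomcatServletWebServerFactory and the idiomatic hook is a WebServerFactoryCustomizer bean, while the Tomcat SecurityConstraint part is unchanged. The following is an added example written for this page, not code from the original article or from Spring Boot; the package, class and bean names are assumptions. It also adds PATCH to the list, because the scanner output quoted further down this page reports PATCH among the allowed methods.

```java
// Added example for Spring Boot 2.x / 3.x, not from the original article.
// The package, class and bean names are assumptions chosen for this example.
package com.example.tomcat;

import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatHttpMethodConfig {

    // Methods to reject on every URL. PATCH is added because the scan quoted on
    // this page reports it as allowed. OPTIONS and HEAD are kept from the original
    // list; drop OPTIONS if the application must answer CORS preflight requests,
    // and HEAD if a load balancer health-checks the application with HEAD.
    private static final String[] DENIED_METHODS = {
        "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE", "PATCH"
    };

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> denyUnsafeHttpMethods() {
        TomcatContextCustomizer customizer = (Context context) -> {
            SecurityCollection collection = new SecurityCollection();
            collection.addPattern("/*");              // same as <url-pattern>/*</url-pattern>
            for (String method : DENIED_METHODS) {
                collection.addMethod(method);         // same as one <http-method> entry each
            }

            SecurityConstraint constraint = new SecurityConstraint();
            constraint.addCollection(collection);
            // true with no roles added is the programmatic form of an empty
            // <auth-constraint/>: no role satisfies it, so Tomcat answers 403.
            constraint.setAuthConstraint(true);
            context.addConstraint(constraint);

            // Kept from the original configuration: HttpOnly session cookie.
            context.setUseHttpOnly(true);
        };
        return factory -> factory.addContextCustomizers(customizer);
    }
}
```

Tomcat enforces the constraint before the request reaches Spring's DispatcherServlet, so it also covers paths Spring does not map (static resources, actuator endpoints) and it will break any REST endpoint that legitimately uses PUT, PATCH or DELETE; trim the list to the methods the application really does not use. To check the result, start the application and run `curl -i -X PUT http://localhost:8080/`, which should return HTTP 403, while `curl -i http://localhost:8080/` still returns the normal response. TRACE is a poor test case because Tomcat's connector already refuses it by default (allowTrace is false), answering 405 even without this constraint.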

Scanner finding: unsafe HTTP methods enabled

Problem description:

The scanner reports that web pages, scripts and files may be uploaded, modified or deleted on the web server. The raw finding, "Insecure HTTP methods are enabled", is based on this exchange:

OPTIONS /system HTTP/1.1
Allow: HEAD, PUT, DELETE, TRACE, OPTIONS, PATCH

What these methods are for:

  • OPTIONS, HEAD, TRACE: mainly used by clients to discover what the server supports and to trace network behaviour;

  • GET: retrieve a document;

  • PUT and POST: submit a document to the server;

  • DELETE: destroy a resource or collection;

  • MKCOL: create a collection (WebDAV);

  • PROPFIND and PROPPATCH: retrieve and set properties of resources and collections (WebDAV);

  • COPY and MOVE: manage resources and collections within a namespace (WebDAV);

  • LOCK and UNLOCK: protection against concurrent overwrites (WebDAV).

Taken together, these methods allow content on the web server to be uploaded, modified and deleted, which threatens the service. WebDAV does have its own access control, but plenty of attacks against it are documented, so if the application does not need these methods it is best to block them outright.

Solution:

Add the following to the web application's web.xml. Compared with the first example, PATCH is now listed as well, since the scanner's Allow header shows it as enabled:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>disp</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>PATCH</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
</security-constraint>

Tag introduction:

  • <security-constraint> restricts access to a set of resources;

  • <auth-constraint> lists the roles that may access those resources; leaving it empty means no role is allowed, so every user is denied;

  • <url-pattern> specifies the resources the constraint covers;

  • <http-method> specifies the methods the constraint covers; methods that are not listed remain unconstrained.

Source: yisu.com