How does Springboot use built-in tomcat to ban unsafe HTTP

May 12, 2023 am 11:49 AM
http tomcat springboot

Springboot's built-in tomcat prohibits unsafe HTTP methods

1. You can configure the following content in tomcat's web.xml

Let tomcat prohibit unsafe HTTP methods

<security-constraint>
    <web-resource-collection>
        <!-- web-resource-name is a required element of web-resource-collection -->
        <web-resource-name>restricted-methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- an empty auth-constraint grants no role, so every caller is denied -->
    <auth-constraint>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

2. Spring boot uses the built-in tomcat

Spring Boot's embedded Tomcat has no web.xml, so the same constraint is registered through the configuration class below. Simply put, a customized Tomcat factory is injected into the Spring container (this API is the Spring Boot 1.x one; the classes were renamed in Spring Boot 2.0).

import org.apache.catalina.Context;
// Tomcat 8+: for Tomcat 7 these two classes live in org.apache.catalina.deploy
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory = new TomcatEmbeddedServletContainerFactory();
        tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer() {

            @Override
            public void customize(Context context) {
                SecurityConstraint constraint = new SecurityConstraint();
                SecurityCollection collection = new SecurityCollection();
                // HTTP methods to block
                collection.addMethod("PUT");
                collection.addMethod("DELETE");
                collection.addMethod("HEAD");
                collection.addMethod("OPTIONS");
                collection.addMethod("TRACE");
                // URL pattern the constraint applies to
                collection.addPattern("/*");
                constraint.addCollection(collection);
                // auth-constraint with no roles: every caller gets 403 for these methods
                constraint.setAuthConstraint(true);
                context.addConstraint(constraint);

                // mark session cookies HttpOnly
                context.setUseHttpOnly(true);
            }
        });
        return tomcatServletContainerFactory;
    }
}
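The same constraint for Spring Boot 2.x and later, where EmbeddedServletContainerFactory and TomcatEmbeddedServletContainerFactory no longer exist and a WebServerFactoryCustomizer is used instead. This is an added example, not code from the original article; the class, bean and collection names are assumptions, and the method list follows the article (PATCH comes from its second section).

```java
import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatMethodConstraintConfig {

    // Methods the article blocks. HEAD and OPTIONS are kept here to match it;
    // drop them if clients rely on CORS preflight (OPTIONS) or HEAD requests,
    // since Tomcat will answer 403 for every method listed.
    private static final String[] DENIED_METHODS = {
        "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE", "PATCH"
    };

    // Spring Boot applies every WebServerFactoryCustomizer bean to the
    // embedded Tomcat factory before the server is created.
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> denyUnsafeMethods() {
        return factory -> factory.addContextCustomizers(this::addMethodConstraint);
    }

    // TomcatContextCustomizer is a functional interface, so a method
    // reference with a Context parameter can be passed directly.
    private void addMethodConstraint(Context context) {
        SecurityCollection collection = new SecurityCollection();
        collection.setName("deny-unsafe-methods");   // assumed name
        collection.addPattern("/*");                 // whole application
        for (String method : DENIED_METHODS) {
            collection.addMethod(method);
        }

        SecurityConstraint constraint = new SecurityConstraint();
        constraint.addCollection(collection);
        // Equivalent of an empty <auth-constraint/> in web.xml:
        // no role is granted, so the listed methods are rejected with 403.
        constraint.setAuthConstraint(true);
        context.addConstraint(constraint);

        // Same cookie hardening as the Spring Boot 1.x version above.
        context.setUseHttpOnly(true);
    }
}
```

After starting the application, `curl -i -X TRACE http://localhost:8080/` should return 403 while a GET to the same path still succeeds.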

Enable unsafe HTTP methods

Problem Description:

Web pages, scripts and files may be uploaded, modified or deleted on the web server.

"Insecure HTTP methods are enabled":

OPTIONS /system HTTP/1.1
Allow: HEAD, PUT, DELETE, TRACE, OPTIONS, PATCH

What the above methods are used for:

  • Options, Head, Trace: mainly used by applications to discover and track server support and network behaviour;

  • Get: retrieve documents;

  • Put and Post: submit a document to the server;

  • Delete: destroy a resource or collection;

  • Mkcol: create collections;

  • PropFind and PropPatch: retrieve and set properties of resources and collections;

  • Copy and Move: manage collections and resources within a namespace;

  • Lock and Unlock: overwrite protection (locking).

It is clear from the descriptions above that these operations can upload, modify and delete content on the web server and so threaten the service. Although WebDAV has permission control, a search on the Internet still turns up plenty of attack methods, so if you do not need these methods it is recommended to block them outright.

Solution:

Add the following to the web application's web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>disp</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>PATCH</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
</security-constraint>

Tag introduction:

  • <security-constraint> is used to restrict access to resources;

  • <auth-constraint> is used to limit which roles can access the resources. Leaving it empty here means that users of every role are denied access;

  • <url-pattern> specifies the resources to which the check applies;

  • <http-method> specifies the methods to which the check applies.
