Shulou(Shulou.com)06/01 Report--

This article Xiaobian for you to introduce in detail "Springboot how to use built-in tomcat to prohibit unsafe HTTP", the content is detailed, the steps are clear, and the details are handled properly. I hope this "Springboot how to use built-in tomcat to prohibit unsafe HTTP" article can help you solve your doubts.

Springboot built-in tomcat prohibits unsafe HTTP methods 1. The following can be configured in the web.xml of tomcat

Let tomcat prohibit unsafe HTTP methods

/ * PUT DELETE HEAD OPTIONS TRACE BASIC 2, Spring boot use built-in tomcat

Without a web.xml configuration file, you can do this through the following configuration, which is simply to inject it into the Spring container

@ Configurationpublic class TomcatConfig {@ Bean public EmbeddedServletContainerFactory servletContainer () {TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory = new TomcatEmbeddedServletContainerFactory (); tomcatServletContainerFactory.addContextCustomizers (new TomcatContextCustomizer () {@ Override public void customize (Context context) {SecurityConstraint constraint = new SecurityConstraint (); SecurityCollection collection = new SecurityCollection (); / / http method collection.addMethod ("PUT"); collection.addMethod ("DELETE"); collection.addMethod ("HEAD"); collection.addMethod ("OPTIONS") Collection.addMethod ("TRACE"); / / url matching expression collection.addPattern ("/ *"); constraint.addCollection (collection); constraint.setAuthConstraint (true); context.addConstraint (constraint); / / set to use httpOnly context.setUseHttpOnly (true);}}); return tomcatServletContainerFactory;}} enable unsafe HTTP method problem description:

Web pages, scripts, and files may be uploaded, modified, or deleted on the Web server.

"unsafe HTTP methods enabled: OPTIONS / system HTTP/1.1Allow: HEAD, PUT, DELETE, TRACE, OPTIONS, PATCH

The purpose of the above method:

Options, Head, Trace: applications primarily discover and track server support and network behavior

Get: retrieving documents

Put and Post: submit documents to the server

Delete: destroy a resource or collection

Mkcol: creating a collection

PropFind and PropPatch: retrieving and setting properties for resources and collections

Copy and Move: managing collections and resources in the context of namespaces

Lock and Unlock: overwrite protection

Obviously, the above operation details can upload, modify, delete and other operations on the web server, posing a threat to the service. Although WebDAV has access control, a search on the Internet is still a lot of attack methods, so if these methods are not needed, it is recommended to block them directly.

Solution:

Add the following to the web.xml in the web application

Disp / * PUT DELETE HEAD OPTIONS TRACE PATCH tag introduction:

Used to restrict access to resources

It is used to restrict which roles can access resources. If it is set to empty here, users of all roles are prohibited from accessing it.

Specify the resources to be validated

Specify which methods require validation

After reading this, the article "how Springboot uses built-in tomcat to prohibit unsafe HTTP" has been introduced. If you want to master the knowledge of this article, you still need to practice and use it yourself to understand it. If you want to know more about related articles, welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.