Whitelist security constraint in web.xml

java tomcat struts2 web.xml security-constraint

43,593

Solution 1

I would try the following:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- no auth-constraint tag here -->
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
   <auth-constraint/>
</security-constraint>

The first security-constraint does not have any auth-constraint, so the GET and POST methods are available to anyone without login. The second restricts other http methods for everybody. (I haven't tried it.)

Solution 2

New feature of Java EE 6 which simplifies security configuration of applications. You can now whitelist versus blacklist allowed HTTP methods in your web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Disable unneeded HTTP methods by 403 Forbidden them</web-resource-name>
        <url-pattern>*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>HEAD</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

Reference: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html#6nmq2cpkb

Solution 3

A slight tweak to the accepted answer (set the url-pattern in the second security-constraint to map to the default servlet "/") works for JBoss and Weblogic but not for Websphere:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Allowed methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- no auth-constraint tag here -->
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted methods</web-resource-name>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

With the security constraints configuration above, I'm not sure why Websphere allows all HTTP methods, while JBoss and Weblogic only allows GET and POST.

43,593

Mike

Updated on May 08, 2020

Comments

Mike almost 4 years

I'm using Tomcat for my Struts2 application. The web.xml has certain entries as shown below:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
<security-constraint>
   <web-resource-collection>
       <web-resource-name>no_access</web-resource-name>
       <url-pattern>/jsp/*</url-pattern>
   </web-resource-collection>
   <auth-constraint/>
</security-constraint>
    <security-constraint>
   <web-resource-collection>
       <web-resource-name>no_access</web-resource-name>
       <url-pattern>/myrrunner/*</url-pattern>
   </web-resource-collection>
   <auth-constraint/>
</security-constraint>

How can I change above blacklisted parts to use only whitelisting part... For example, instead of blacklisting PUT, DELTE http methods, I need to whitelist other methods but I'm not sure the syntax of whitelisting them & what methods to whitelist them.

For my above web.xml snippet, I'll appreciate if some one can provide me whitelisitng counter part for above xml.

EDIT: Also, how would I really verify whether the solution works or not?

Thanks

palacsint over 12 years

It looks little bit unambiguous for me. Could you post a list with the resources which should be available?
Mike over 12 years

I need to whitelist all HTTP methods except PUT, DELETE & TRACE....How do we do it?

Mike over 12 years

Hi...I don't want any blacklisting....Is there any way to whitelist instead of restrictions?
palacsint over 12 years

The first security-constraint is the whitelist. The second just disallow everything which is not allowed with other (like the first) security-constraint tags.
Mike over 12 years

What about /jsp/* & /myrunner/*...how will that be handled?
Vadzim over 11 years

I would recommend to pay attention to security vulnerability with HEAD method CVE-2010-0738: fishnetsecurity.com/6labs/blog/…
Sun almost 11 years

Sorry for late reply. Does this security-constraint have a TomCat minimum version it works with? I get 404 errors after I apply this on TomCat 4.x.
palacsint almost 11 years

@SunWKim: Tomcat 4.1 webpage says that it uses Servlet 2.3. Servlet 2.3 specification contains similar example, so I think it's supported by Tomcat 4.1.
Sun almost 11 years

For some reason, I can't get it to work... Maybe it's a tomcat bug. I'm told the workaround is to install apache httpd and use jk to direct jsp to tomcat.
Sun almost 11 years

I found out I am specifically working with 4.0.6 and the above does not seem to work in 4.0.6.
mendozal about 8 years

Found this article about enabling webspheres's general application security before the security constraints would take effect.
phi over 4 years

Does not work for me. When I use the proposed security constraints, then all requests including GET and POST are forbidden.