Whitelist security constraint in web.xml
Solution 1
I would try the following:
    <security-constraint>
        <web-resource-collection>
            <!-- web-resource-name is a required element in the web-app schema -->
            <web-resource-name>allowed methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <!-- no auth-constraint tag here -->
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>
The first security-constraint does not have any auth-constraint, so the GET and POST methods are available to anyone without login. The second restricts other http methods for everybody. (I haven't tried it.)
Solution 2
New feature of Java EE 6 which simplifies security configuration of applications. You can now whitelist versus blacklist allowed HTTP methods in your web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Disable unneeded HTTP methods by 403 Forbidden them</web-resource-name>
            <!-- a bare "*" is not a valid url-pattern; "/*" is the path mapping that covers everything -->
            <url-pattern>/*</url-pattern>
            <http-method-omission>GET</http-method-omission>
            <http-method-omission>HEAD</http-method-omission>
            <http-method-omission>POST</http-method-omission>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
Reference: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html#6nmq2cpkb
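The question's EDIT asks how to verify that the constraints actually work. The following is an added check, not code from any of the answers: a Python probe that sends every method of interest to the deployed application and reports the status per method. A method stopped by an empty <auth-constraint/> comes back as 403 from the container; a 405 or 501 is produced by HttpServlet itself, which means the request reached application code and the constraint did not apply. The script assumes the application is reachable over plain HTTP at a host and port you pass in; the embedded _FakeContainer is a constructed stand-in for the container so the demo runs offline.

```python
"""Probe which HTTP methods a deployed web application really lets through.

Added example (not from the answers above). Assumes plain HTTP at host:port.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods worth probing: the usual ones, a WebDAV verb and a made-up one, since
# a blacklist only covers what it names while a whitelist must cover the rest.
PROBE_METHODS = ["GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "TRACE",
                 "PATCH", "PROPFIND", "FOO"]
WHITELIST = ("GET", "HEAD", "POST")


def probe(host, port, path="/", methods=PROBE_METHODS, timeout=5):
    """Send one request per method; return {method: status}. None = no answer."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path, headers={"Connection": "close"})
            resp = conn.getresponse()
            resp.read()  # drain the body so the socket closes cleanly
            results[method] = resp.status
        except (OSError, http.client.HTTPException):
            results[method] = None
        finally:
            conn.close()
    return results


def unexpected(results, whitelist=WHITELIST):
    """Methods outside the whitelist that the container did not refuse with 403.

    405/501 come from HttpServlet's default doXxx()/unknown-method handling,
    i.e. the request got past the security constraint, so they count as failures.
    """
    return sorted(m for m, status in results.items()
                  if m not in whitelist and status != 403)


class _FakeContainer(BaseHTTPRequestHandler):
    """Constructed stand-in for a container enforcing the whitelist: every
    method not in WHITELIST is refused with 403, as an empty <auth-constraint/>
    does for an unauthenticated caller. Not a real servlet container."""

    def __getattr__(self, name):
        # BaseHTTPRequestHandler dispatches to do_<METHOD>; serve all of them.
        if name.startswith("do_"):
            return self._respond
        raise AttributeError(name)

    def _respond(self):
        self.send_response(200 if self.command in WHITELIST else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_container():
    """Start the stand-in on a free loopback port; caller shuts it down."""
    server = HTTPServer(("127.0.0.1", 0), _FakeContainer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    # Demo against the fake container. For a real deployment call
    # probe("localhost", 8080, "/jsp/x") etc., once per distinct url-pattern.
    server = start_fake_container()
    try:
        status = probe("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
    for method, code in status.items():
        print(f"{method:9} -> {code}")
    print("not refused by the container:", unexpected(status) or "none")
```

Run it once per url-pattern in the web.xml (for instance "/", "/jsp/x" and "/myrunner/x" for the question's snippet), because constraint matching is done per path and a hole in one pattern will not show up when probing another.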
Solution 3
A slight tweak to the accepted answer (set the url-pattern in the second security-constraint to map to the default servlet "/") works for JBoss and Weblogic but not for Websphere:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Allowed methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <!-- no auth-constraint tag here -->
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted methods</web-resource-name>
            <url-pattern>/</url-pattern>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
With the security constraints configuration above, I'm not sure why Websphere allows all HTTP methods, while JBoss and Weblogic only allow GET and POST.
Mike, updated on May 08, 2020
Comments
- Mike (almost 4 years): I'm using Tomcat for my Struts2 application. The web.xml has certain entries as shown below:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>no_access</web-resource-name>
            <url-pattern>/jsp/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>no_access</web-resource-name>
            <url-pattern>/myrrunner/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>
  How can I change the above blacklisted parts to use only a whitelisting part... For example, instead of blacklisting the PUT, DELETE http methods, I need to whitelist the other methods, but I'm not sure of the syntax for whitelisting them & what methods to whitelist. For my above web.xml snippet, I'll appreciate it if someone can provide me the whitelisting counterpart for the above xml. EDIT: Also, how would I really verify whether the solution works or not? Thanks
- palacsint (over 12 years): It looks a little bit unambiguous to me. Could you post a list of the resources which should be available?
- Mike (over 12 years): I need to whitelist all HTTP methods except PUT, DELETE & TRACE.... How do we do it?
- Mike (over 12 years): Hi... I don't want any blacklisting.... Is there any way to whitelist instead of restrictions?
- palacsint (over 12 years): The first security-constraint is the whitelist. The second just disallows everything which is not allowed with other (like the first) security-constraint tags.
- Mike (over 12 years): What about /jsp/* & /myrunner/*... how will that be handled?
- Vadzim (over 11 years): I would recommend paying attention to the security vulnerability with the HEAD method, CVE-2010-0738: fishnetsecurity.com/6labs/blog/…
- Sun (almost 11 years): Sorry for the late reply. Does this security-constraint have a Tomcat minimum version it works with? I get 404 errors after I apply this on Tomcat 4.x.
- palacsint (almost 11 years): @SunWKim: The Tomcat 4.1 webpage says that it uses Servlet 2.3. The Servlet 2.3 specification contains a similar example, so I think it's supported by Tomcat 4.1.
- Sun (almost 11 years): For some reason, I can't get it to work... Maybe it's a Tomcat bug. I'm told the workaround is to install Apache httpd and use jk to direct jsp to Tomcat.
- Sun (almost 11 years): I found out I am specifically working with 4.0.6 and the above does not seem to work in 4.0.6.
- mendozal (about 8 years): Found this article about enabling WebSphere's general application security before the security constraints would take effect.
- phi (over 4 years): Does not work for me. When I use the proposed security constraints, then all requests including GET and POST are forbidden.