Whitelist security constraint in web.xml
I'm using Tomcat for my Struts2 application. The web.xml
has certain entries as shown below:
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>no_access</web-resource-name>
<url-pattern>/jsp/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>no_access</web-resource-name>
<url-pattern>/myrrunner/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
How can I change above blacklisted parts to use only whitelisting part... For example, instead of blacklisting PUT
, DELTE
http methods, I need to whitelist other methods but I'm not sure the syntax of whitelisting them & what methods to whitelist them.
For my above web.xml
snippet, I'll appreciate if some one can provide me whitelisitng counter part for above xml
.
EDIT: Also, how would I really verify whether the solution works or not?
Thanks
I would try the following:
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<!-- no auth-constraint tag here -->
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
The first security-constraint
does not have any auth-constraint
, so the GET and POST methods are available to anyone without login. The second restricts other http methods for everybody. (I haven't tried it.)
New feature of Java EE 6 which simplifies security configuration of applications. You can now whitelist versus blacklist allowed HTTP methods in your web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Disable unneeded HTTP methods by 403 Forbidden them</web-resource-name>
<url-pattern>*</url-pattern>
<http-method-omission>GET</http-method-omission>
<http-method-omission>HEAD</http-method-omission>
<http-method-omission>POST</http-method-omission>
</web-resource-collection>
<auth-constraint />
</security-constraint>
Reference: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html#6nmq2cpkb
A slight tweak to the accepted answer (set the url-pattern
in the second security-constraint
to map to the default servlet "/"
) works for JBoss and Weblogic but not for Websphere:
<security-constraint>
<web-resource-collection>
<web-resource-name>Allowed methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<!-- no auth-constraint tag here -->
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted methods</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
With the security constraints configuration above, I'm not sure why Websphere allows all HTTP methods, while JBoss and Weblogic only allows GET
and POST
.