Whitelist security constraint in web.xml

Backend · Unresolved · 3 · 1098
梦谈多话 2020-11-29 06:56

I'm using Tomcat for my Struts2 application. The web.xml has certain entries as shown below:



        
3 answers
  • 2020-11-29 07:02

    A slight tweak to the accepted answer (set the url-pattern in the second security-constraint to map to the default servlet "/") works for JBoss and WebLogic but not for WebSphere:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Allowed methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <!-- no auth-constraint tag here -->
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted methods</web-resource-name>
            <url-pattern>/</url-pattern>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
    

    With the security constraints configuration above, I'm not sure why WebSphere allows all HTTP methods, while JBoss and WebLogic only allow GET and POST.

  • A new feature of Java EE 6 simplifies the security configuration of applications: you can now whitelist rather than blacklist the allowed HTTP methods in your web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Disable unneeded HTTP methods by 403 Forbidden them</web-resource-name>
            <url-pattern>*</url-pattern>
            <!-- the omitted methods stay unconstrained; every other method is covered -->
            <http-method-omission>GET</http-method-omission>
            <http-method-omission>HEAD</http-method-omission>
            <http-method-omission>POST</http-method-omission>
        </web-resource-collection>
        <!-- empty auth-constraint: the covered methods are denied to everyone -->
        <auth-constraint />
    </security-constraint>
    

    Reference: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html#6nmq2cpkb

  • 2020-11-29 07:24

    I would try the following:

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <!-- no auth-constraint tag here -->
    </security-constraint>
    
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <!-- no http-method element: this collection covers every method -->
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <!-- empty auth-constraint: denied to everyone -->
        <auth-constraint/>
    </security-constraint>
    

    The first security-constraint does not have any auth-constraint, so the GET and POST methods are available to anyone without login. The second restricts other HTTP methods for everybody. (I haven't tried it.)

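An added example (not from any answer in this thread) that evaluates, for a path and an HTTP method, whether a set of security-constraints rejects the request; it serves both the two-constraint whitelist of the accepted answer and the http-method-omission form. `permissive=True` implements the reading those answers rely on (a covering collection with no auth-constraint grants access, which is how Tomcat evaluates it), while `permissive=False` applies the Servlet 3.0 combination rule that an empty auth-constraint overrides every other matching constraint, one reason containers disagree on the two-constraint form. The web.xml fragments are constructed samples, and the `/` and bare `*` url-patterns the thread mentions are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two-constraint whitelist from the accepted answer.
WHITELIST_XML = """<web-app>
<security-constraint><web-resource-collection>
<url-pattern>/*</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection></security-constraint>
<security-constraint><web-resource-collection><url-pattern>/*</url-pattern>
</web-resource-collection><auth-constraint/></security-constraint></web-app>"""

# Constructed sample: the single-constraint http-method-omission form.
OMISSION_XML = """<web-app><security-constraint><web-resource-collection>
<url-pattern>/*</url-pattern><http-method-omission>GET</http-method-omission>
<http-method-omission>HEAD</http-method-omission><http-method-omission>POST</http-method-omission>
</web-resource-collection><auth-constraint/></security-constraint></web-app>"""

def pattern_matches(pattern, path):
    # Servlet url-pattern forms: catch-all "/*", prefix "/x/*", extension "*.jsp", exact.
    if pattern == "/*":
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def parse_constraints(xml_text):
    # Yields (patterns, methods, omitted, auth) per collection; auth is None without an <auth-constraint>, else the role names ([] = deny everyone).
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        auth = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        for wrc in sc.findall("web-resource-collection"):
            yield ([p.text.strip() for p in wrc.findall("url-pattern")],
                   {m.text.strip().upper() for m in wrc.findall("http-method")},
                   {m.text.strip().upper() for m in wrc.findall("http-method-omission")},
                   auth)

def method_allowed(xml_text, path, method, permissive=True):
    # permissive: a covering collection with no auth-constraint grants access (Tomcat's
    # evaluation, which the answers rely on). Strict: Servlet 3.0's rule that an empty
    # <auth-constraint/> overrides every other match. Role checks are not modelled.
    method, unconstrained, denied = method.upper(), False, False
    for patterns, methods, omitted, auth in parse_constraints(xml_text):
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        if (methods and method not in methods) or method in omitted:
            continue  # this collection does not cover the method at all
        unconstrained |= auth is None
        denied |= auth == []
    return True if permissive and unconstrained else not denied
```

Running it against the two samples shows one practical difference between the answers: the two-constraint whitelist also blocks HEAD because only GET and POST are listed, whereas the omission form keeps HEAD open, and under the strict combination rule the two-constraint form denies GET as well.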