27

I'm using Tomcat for my Struts2 application. The web.xml has certain entries as shown below:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>no_access</web-resource-name>
        <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>no_access</web-resource-name>
        <url-pattern>/myrrunner/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

How can I change the above blacklisted parts to use only a whitelisting part? For example, instead of blacklisting the PUT and DELETE HTTP methods, I need to whitelist the other methods, but I'm not sure of the syntax for whitelisting them or which methods to whitelist.

For my above web.xml snippet, I'd appreciate it if someone could provide me the whitelisting counterpart of the above XML.

EDIT: Also, how would I really verify whether the solution works or not?

Thanks

kenorb
Mike

3 Answers

25

I would try the following:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- no auth-constraint tag here -->
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

The first security-constraint does not have any auth-constraint, so the GET and POST methods are available to anyone without login. The second restricts other http methods for everybody. (I haven't tried it.)

Tiny
palacsint
  • Hi... I don't want any blacklisting... Is there any way to whitelist instead of restrictions? – Mike Nov 09 '11 at 21:02
  • 1
    The first `security-constraint` is the whitelist. The second just disallows everything which is not allowed with other (like the first) `security-constraint` tags. – palacsint Nov 09 '11 at 21:06
  • What about /jsp/* & /myrunner/*... how will that be handled? – Mike Nov 09 '11 at 21:11
  • I would recommend paying attention to the security vulnerability with the HEAD method, CVE-2010-0738: http://www.fishnetsecurity.com/6labs/blog/jboss-jmx-console-authentication-bypass – Vadzim Jan 16 '13 at 06:09
  • Sorry for late reply. Does this security-constraint have a TomCat minimum version it works with? I get 404 errors after I apply this on TomCat 4.x. – Sun Jul 04 '13 at 00:30
  • @SunWKim: [Tomcat 4.1 webpage](http://tomcat.apache.org/tomcat-4.1-doc/index.html) says that it uses Servlet 2.3. [Servlet 2.3](http://download.oracle.com/otndocs/jcp/7840-servlet-2.3-spec-oth-JSpec/) specification contains similar example, so I think it's supported by Tomcat 4.1. – palacsint Jul 05 '13 at 09:12
  • For some reason, I can't get it to work... Maybe it's a tomcat bug. I'm told the workaround is to install apache httpd and use jk to direct jsp to tomcat. – Sun Jul 06 '13 at 03:34
  • I found out I am specifically working with 4.0.6 and the above does not seem to work in 4.0.6. – Sun Jul 08 '13 at 22:30
  • Does not work for me. When I use the proposed security constraints, then all requests including GET and POST are forbidden. – phi Nov 21 '19 at 14:20
17

A new feature of Java EE 6 simplifies the security configuration of applications: you can now whitelist, rather than blacklist, the allowed HTTP methods in your web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Disable unneeded HTTP methods by 403 Forbidden them</web-resource-name>
        <!-- "/*" is the valid url-pattern for "every path"; a bare "*" is not a servlet url-pattern -->
        <url-pattern>/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>HEAD</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

Reference: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html#6nmq2cpkb

DaveyDaveDave
aviundefined
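Added example, not code from the question or from any answer: a small evaluator that applies the Servlet specification's rule for combining security constraints to a web.xml fragment and reports, per HTTP method and path, whether a spec-conforming container would allow the request, deny it, or demand a role. It assumes that every constraint whose url-pattern and method list match is combined (the spec's best-match precedence between different url-patterns is not modelled), and it handles both the `http-method-omission` form in this answer and the `http-method` form in the accepted answer.

```python
# Added example, not from the question or any answer: evaluates Servlet
# security-constraint rules offline with the Servlet 3.0 combination rule (an
# empty <auth-constraint/> precludes access for every matching constraint).
# Assumption: all matching constraints combine; best-match precedence is ignored.
import xml.etree.ElementTree as ET
METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS")

# Constructed sample: the omission-based whitelist from the answer above.
WHITELIST_XML = """<security-constraint><web-resource-collection>
  <web-resource-name>allow GET, HEAD, POST</web-resource-name><url-pattern>/*</url-pattern>
  <http-method-omission>GET</http-method-omission>
  <http-method-omission>HEAD</http-method-omission>
  <http-method-omission>POST</http-method-omission>
</web-resource-collection><auth-constraint/></security-constraint>"""

def _pattern_matches(pattern, path):
    # url-pattern forms: "/prefix/*", "*.ext", "/" (default) or an exact path
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-2] + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/" or path == pattern

def _collection_matches(wrc, method, path):
    if not any(_pattern_matches(p.text.strip(), path) for p in wrc.findall("url-pattern")):
        return False
    listed = {e.text.strip() for e in wrc.findall("http-method")}
    omitted = {e.text.strip() for e in wrc.findall("http-method-omission")}
    if listed:  # explicit list: only those methods are constrained
        return method in listed
    return method not in omitted  # omission list, or neither: every other method

def evaluate(web_xml, method, path):  # -> 'allow', 'deny' or 'auth:<roles>'
    root = ET.fromstring("<web-app>" + web_xml + "</web-app>")
    roles = set()
    for sc in root.findall("security-constraint"):
        if not any(_collection_matches(w, method.upper(), path)
                   for w in sc.findall("web-resource-collection")):
            continue
        ac = sc.find("auth-constraint")
        if ac is None:  # no auth-constraint: unauthenticated access permitted
            continue
        names = [r.text.strip() for r in ac.findall("role-name")]
        if not names:
            return "deny"  # empty auth-constraint wins over every other match
        roles.update(names)
    return "auth:" + ",".join(sorted(roles)) if roles else "allow"

def method_table(web_xml, path):
    # Expected status per method; compare it with one probe request per method.
    return {m: evaluate(web_xml, m, path) for m in METHODS}
```

Run `method_table` on your own web.xml text to get the expected outcome for each method, then compare it with the status code returned by one request per method against the deployed application. Because an empty auth-constraint precludes access for every constraint it is combined with, two constraints on the same `/*` pattern, one listing GET and POST with no auth-constraint and one covering all methods with an empty one, evaluate to deny for GET as well, which is what one commenter on the accepted answer reports.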
3

A slight tweak to the accepted answer (set the url-pattern in the second security-constraint to map to the default servlet "/") works for JBoss and Weblogic but not for Websphere:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Allowed methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- no auth-constraint tag here -->
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted methods</web-resource-name>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

With the security constraints configuration above, I'm not sure why Websphere allows all HTTP methods, while JBoss and Weblogic only allow GET and POST.

mendozal
  • Found this article about [enabling WebSphere's general application security](http://stackoverflow.com/questions/5067917/websphere-security-constraint-in-web-xml-doesnt-work) before the security constraints would take effect. – mendozal Apr 20 '16 at 08:38