tomcat spring dispatchOptionsRequest 보안 감사 시 불필요한 HTTP Method 제거

기관 보안 감사 시 불필요한 HTTP Method 제외 관련하여
security-constraint를 추가해도 모두 허용되고 있다는 보고서를 받을 수 있다.
OPTIONS를 요청했을 때 다음과 같은 결과가 나온다.

curl은 링크 참고

C:\curl -I -X OPTIONS localhost:8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Content-Length: 0
Date: Wed, 25 Nov 2020 13:04:05 GMT

springmvc 사용 시 DispatcherServlet설정에 dispatchOptionsRequest을 추가해 줘야만 했다.
FrameworkServlet 소스를 확인해 봐야 한다.

다음은 web.xml 내용이다

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    
    <filter>
        <filter-name>encodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>encodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring/context-*.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:config/dispatcher-servlet.xml</param-value>
        </init-param>
        <init-param>
            <param-name>dispatchOptionsRequest</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>dispatchTraceRequest</param-name>
            <param-value>true</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted Methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>TRACE</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>PATCH</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
    
</web-app>

TRACE의 경우 기본 false인데,

tomcat server.xml Connector에 allowTrace="true"로 옵션을 활성화해야 테스트 시 403으로 처리된다.

tomcat의 startup 로그에 다음과 같이 출력이 되었다.

SEVERE [RMI TCP Connection(3)-127.0.0.1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/*] only the HTTP methods [TRACE HEAD DELETE OPTIONS PUT PATCH] are covered. All other methods are uncovered.