DBILITY
java/spring
tomcat spring dispatchOptionsRequest: removing unnecessary HTTP methods for a security audit
DBILITY 2020. 11. 25. 22:25
During an institutional security audit, on the item "disable unnecessary HTTP methods", you may get a report saying that every method is still allowed even though a security-constraint was added.
Requesting OPTIONS produced the following result.
C:\>curl -I -X OPTIONS localhost:8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Content-Length: 0
Date: Wed, 25 Nov 2020 13:04:05 GMT
When using Spring MVC, I had to add the dispatchOptionsRequest init-param to the DispatcherServlet configuration.
Without it, FrameworkServlet answers OPTIONS through HttpServlet.doOptions, whose Allow header is built from every doXxx method the servlet overrides, and FrameworkServlet adds PATCH on top; that is where the list in the response above comes from. With dispatchOptionsRequest set to true, an OPTIONS request is dispatched through the handler mappings like any other request.
It is worth reading the FrameworkServlet source to confirm this.
The web.xml is as follows.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/context-*.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:config/dispatcher-servlet.xml</param-value>
</init-param>
<init-param>
<param-name>dispatchOptionsRequest</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>dispatchTraceRequest</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>TRACE</http-method>
<http-method>OPTIONS</http-method>
<http-method>PATCH</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
</web-app>
TRACE is a special case: the Tomcat Connector's allowTrace attribute defaults to false, so the connector rejects TRACE on its own before any security-constraint is evaluated.
To see the constraint answer a test TRACE request with 403, you have to set allowTrace="true" on the Connector in tomcat's server.xml.
Tomcat's startup log then prints the following.
SEVERE [RMI TCP Connection(3)-127.0.0.1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/*] only the HTTP methods [TRACE HEAD DELETE OPTIONS PUT PATCH] are covered. All other methods are uncovered.
This is the Servlet 3.1 uncovered-method check and is expected here: the constraint deliberately covers only the listed methods and leaves GET and POST unconstrained. Do not add <deny-uncovered-http-methods/> to web.xml to silence it, because that would deny GET and POST as well.
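The check an auditor runs against a server like this, and the one you can run yourself before and after changing web.xml, is to send every HTTP method and see which ones are still accepted. The script below is an added example, not code from the original post. probe_methods, audit, StandInTomcat and start_stand_in are names chosen here; the stand-in server is a constructed imitation of the behaviour described above (an Allow header listing everything, 403 from the security-constraint, and 405 for TRACE while allowTrace="false") so that the script runs offline. Run it with a URL argument to probe a real Tomcat instead.

```python
"""Probe every HTTP method on a web app and report the ones still served.

Added example, not code from the original post. probe_methods, audit,
StandInTomcat and start_stand_in are names chosen here. The stand-in server
is a constructed imitation of the behaviour the post describes, used only so
the script runs offline. Against a real server:
    python probe.py http://localhost:8080/
"""
import http.client
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Same order as the Allow header in the post's curl output.
PROBE_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "PATCH"]


def probe_methods(base_url, methods=PROBE_METHODS, timeout=5):
    """Send each method to base_url; return {method: (status, Allow header or None)}."""
    u = urlparse(base_url)
    path = u.path or "/"
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            results[method] = (resp.status, resp.getheader("Allow"))
        finally:
            conn.close()
    return results


def audit(results, allowed=("GET", "POST")):
    """Methods outside `allowed` that the server still accepted (2xx), sorted."""
    return sorted(m for m, (status, _) in results.items()
                  if m not in allowed and 200 <= status < 300)


class StandInTomcat(BaseHTTPRequestHandler):
    """Constructed stand-in (an assumption, not Tomcat) for the two configurations."""
    restricted = frozenset()   # methods listed in the security-constraint -> 403
    allow_trace = False        # Connector allowTrace; False -> TRACE never reaches it

    def _respond(self, status, allow=None):
        self.send_response(status)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _dispatch(self):
        if self.command == "TRACE" and not self.allow_trace:
            return self._respond(405)          # connector rejects TRACE before constraints
        if self.command in self.restricted:
            return self._respond(403)          # empty <auth-constraint/> -> forbidden
        if self.command == "OPTIONS":          # HttpServlet.doOptions-style Allow header
            return self._respond(200, allow=", ".join(PROBE_METHODS))
        self._respond(200)

    def log_message(self, *args):  # keep the demo output quiet
        pass


for _m in PROBE_METHODS:  # BaseHTTPRequestHandler dispatches on do_<METHOD>
    setattr(StandInTomcat, "do_" + _m, StandInTomcat._dispatch)


def start_stand_in(restricted=(), allow_trace=False):
    """Start a stand-in on a free loopback port; return (server, base_url)."""
    handler = type("Handler", (StandInTomcat,),
                   {"restricted": frozenset(restricted), "allow_trace": allow_trace})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]


def stop_stand_in(srv):
    srv.shutdown()
    srv.server_close()


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # probe a real target
        res = probe_methods(sys.argv[1])
        for m, (status, allow) in res.items():
            print("%-7s %s %s" % (m, status, allow or ""))
        print("still served outside GET/POST:", audit(res))
        sys.exit(0)
    # "before": no constraint, OPTIONS answered with the full Allow list
    srv, url = start_stand_in(allow_trace=True)
    before = probe_methods(url); stop_stand_in(srv)
    print("before:", before["OPTIONS"], "->", audit(before))
    # "after": the post's security-constraint plus allowTrace="true"
    srv, url = start_stand_in(("HEAD", "PUT", "DELETE", "TRACE", "OPTIONS", "PATCH"), True)
    after = probe_methods(url); stop_stand_in(srv)
    print("after :", after["TRACE"], "->", audit(after))
```

audit() only counts 2xx answers as "still served", so a 403 from the constraint and a 405 from the connector both count as blocked; when reading the output against a real server, keep in mind that a 405 for TRACE means the connector stopped it (allowTrace="false"), not the security-constraint, which is exactly why the post needs allowTrace="true" to see the 403.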