Introduction
In the Apache web server, if you want to disable access to specific methods, you can take advantage of mod_rewrite and disable just about anything, often with only one or two lines of configuration file entries. In Apache Tomcat, security is enforced by way of security constraints that are built into the Java Servlet specification. These are not contained within the main server.xml file within tomcat but within the web.xml configuration file.
The Java Servlet specification contains a fairly complete collection of security-related configuration parameters that allows you to do, among other things, disable HTTP methods, enable SSL on specific URIs, and allow access to specific resources based upon user role. Security constraints are the way to protect web content within Java-based applications. One common item that crops up in security related scans are HTTP methods allowed on a web site or within a web application. For those of us running our web sites using Apache Tomcat and not a front-end web server like Apache or IIS, having a good understanding of how security constraints work will be vital. This particular HOWTO will examine the steps necessary to disable access to specific HTTP methods.
A security constraint utilizes an xml syntax, just like other configuration directives in web.xml. Values in the examples are bolded to provide better readability. Example 1 is a basic web site, which serves up nothing but JSPs, images, scripts, and styles and does not contain any forms for a user to fill out. Network Security wants all HTTP methods disabled with the exception of HTTP HEAD and GET requests.
Example 1 - Basic Web Site - No Forms
01 |
// Sample Security Constraint |
03 |
< web-resource-collection > |
04 |
< web-resource-name >< strong >restricted methods</ strong ></ web-resource-name > |
05 |
< url-pattern >< strong >/*</ strong ></ url-pattern > |
06 |
< http-method >< strong >PUT</ strong ></ http-method > |
07 |
< http-method >< strong >POST</ strong ></ http-method > |
08 |
< http-method >< strong >DELETE</ strong ></ http-method > |
09 |
< http-method >< strong >OPTIONS</ strong ></ http-method > |
10 |
< http-method >< strong >TRACE</ strong ></ http-method > |
11 |
</ web-resource-collection > |
13 |
</ security-constraint > |
All constraints start out with a <security-contraint>
deployment descriptor. The <web-resource-collection>
comprises a set of URIs and HTTP Methods that are allowable within that set of URIs. In the example above, a <url-pattern>
of /*
(meaning everything under the root of the web site has been constrained to only allow access to GET
andHEAD
only. Setting an authorization constraint to <auth-constraint />
, sets an All Users policy so this example literally means: "For any user, deny access to PUT, POST, DELETE, OPTIONS, and TRACE methods". In a stock Tomcat installation, if I were to send an HTTP OPTIONS request, for example, to the web site, it would work. In my newly constrained configuration, OPTIONS requests now fail with an HTTP Status code of 403 - Forbidden.
The second example below takes our basic web site example a step further where a "Contact Us" form has been made available. The site user would fill out a form located under /contact and data would be passed using HTTP POST.
Example 2 - Basic Web Site with Contact Form
01 |
// Sample Security Constraint |
03 |
< web-resource-collection > |
04 |
< web-resource-name >< strong >restricted methods</ strong ></ web-resource-name > |
05 |
< url-pattern >< strong >/*</ strong ></ url-pattern > |
06 |
< http-method >< strong >PUT</ strong ></ http-method > |
07 |
< http-method >< strong >POST</ strong ></ http-method > |
08 |
< http-method >< strong >DELETE</ strong ></ http-method > |
09 |
< http-method >< strong >OPTIONS</ strong ></ http-method > |
10 |
< http-method >< strong >TRACE</ strong ></ http-method > |
11 |
</ web-resource-collection > |
13 |
</ security-constraint > |
16 |
< web-resource-collection > |
17 |
< web-resource-name >< strong >Contact Form</ strong ></ web-resource-name > |
18 |
< url-pattern >< strong >/contact/*</ strong ></ url-pattern > |
19 |
< http-method >< strong >PUT</ strong ></ http-method > |
20 |
< http-method >< strong >DELETE</ strong ></ http-method > |
21 |
< http-method >< strong >OPTIONS</ strong ></ http-method > |
22 |
< http-method >< strong >TRACE</ strong ></ http-method > |
23 |
</ web-resource-collection > |
25 |
</ security-constraint > |
The constraints here mimic the constraints from the previous example but a secondary set of constraints are applied if the URI pattern matches /contact/*
. In this case, the allowable methods are GET, HEAD, and POST.
Conclusion
Security Constraints, although not as complete as those one might find in the Apache Web Server, are a pretty useful way of protecting web applications. This HOWTO concentrated on disabling HTTP methods on specified URIs but you can do quite a bit more with security constraints and future articles will cover these.