1. Overview

This page briefly explains how to use the security-constraint element of web.xml as defined by the J2EE (Servlet) specification.

2. Restricting HTTP methods

<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <!-- only the methods listed here are covered by this constraint -->
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <!-- empty auth-constraint: no role is permitted, so the container denies access -->
    <auth-constraint />
  </security-constraint>
</web-app>

A curl -X GET or curl -X POST request to /secured/* receives HTTP 403 Forbidden.

The empty <auth-constraint /> names no role, which the spec defines as "nobody is allowed", so no client can reach /secured/* with GET or POST, authenticated or not.

The key element is the auth-constraint. Note, however, that only the methods listed in http-method are covered: HEAD, PUT, DELETE, OPTIONS, TRACE and any other verb are not touched by this constraint and remain reachable. Servlet 3.0 adds <http-method-omission> (constrain every method except the listed ones), and Servlet 3.1 adds <deny-uncovered-http-methods /> directly under <web-app>, which makes the container reject every method that no security-constraint covers.

3. Redirecting to HTTPS

<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <!-- no auth-constraint: nothing is denied, only the transport is constrained -->
    <user-data-constraint>
      <!--<transport-guarantee>CONFIDENTIAL</transport-guarantee>-->
      <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>

When transport-guarantee is CONFIDENTIAL or INTEGRAL, a plain-HTTP request for a covered resource is answered with a 302 redirect to the same URL over HTTPS.

For this to work the WAS must have an SSL listener port enabled; on Tomcat the HTTP connector's redirectPort attribute must point at that SSL connector, otherwise the redirect goes to a port nobody is listening on.

A curl -X GET or curl -X POST request is redirected to HTTPS (curl only follows the 302 when run with -L).

Requests with any other method are not redirected.

The key point is that there is no auth-constraint, so nothing is denied, and only GET and POST are listed, so TRACE, OPTIONS, DELETE, HEAD and every other method are uncovered: they are served over plain HTTP with no restriction at all. Also note that the transport guarantee says nothing about who may call: GET and POST over HTTPS are still open to unauthenticated clients.

4. Combining both constraints

<web-app>
  <!-- GET and POST on /secured/*: allowed, but only over HTTPS -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- every other method we can think of on /secured/*: denied outright -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured_Method_Restrict</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>DELETE</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>PATCH</http-method>
      <http-method>COPY</http-method>
      <http-method>MOVE</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>

GET and POST are redirected to HTTPS and protected in transit, and the methods in the second list are denied.

Two caveats remain. First, any verb that appears in neither list (PROPFIND, LOCK, or an arbitrary made-up method) is still uncovered and is served over plain HTTP; <deny-uncovered-http-methods /> (Servlet 3.1) or an <http-method-omission> collection closes that gap without having to enumerate every verb. Second, when several constraints cover the same method the spec combines them: an empty auth-constraint anywhere wins and denies, but the accepted transport is the union of what the covering constraints accept, so a second constraint over the same pattern that carries no user-data-constraint silently removes the HTTPS requirement.
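The following checker is an added example, not code from the original page: it parses a web.xml and reports, for one url-pattern, what each HTTP method gets once the security-constraints in sections 2, 3 and 4 are combined the way the Servlet spec prescribes (an empty auth-constraint overrides everything and denies; HTTPS is required only when every covering constraint demands it; methods no constraint covers are UNCOVERED unless <deny-uncovered-http-methods /> is present). The sample web.xml documents are constructed inline from this page's three fragments. Assumptions: the url-pattern is compared as the literal string from web.xml rather than matched against a request path, and role names are reported rather than evaluated.

```python
"""Report the effective per-method policy of web.xml security-constraints.
Added example; assumes url-pattern is compared literally, roles are reported only."""
import xml.etree.ElementTree as ET

# Methods to check; PROPFIND stands in for "any verb the lists forgot".
METHODS = ["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "PROPFIND"]


def _kids(elem, name):
    """Direct children named `name`, ignoring any web-app XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _text(elems, upper=False):
    out = [e.text.strip() for e in elems if e.text]
    return [t.upper() for t in out] if upper else out


def _collection_covers(wrc, url_pattern, method):
    """Does one <web-resource-collection> apply to url_pattern + method?"""
    if url_pattern not in _text(_kids(wrc, "url-pattern")):
        return False
    listed = _text(_kids(wrc, "http-method"), upper=True)
    omitted = _text(_kids(wrc, "http-method-omission"), upper=True)
    if listed:
        return method in listed
    if omitted:
        return method not in omitted
    return True  # no method elements at all: the collection covers every method


def analyze(web_xml, url_pattern, methods=METHODS):
    """Return {method: verdict}. verdict is DENIED, UNCOVERED, ALLOWED, or a
    '+'-joined combination of HTTPS and ROLE:<names>."""
    root = ET.fromstring(web_xml)
    deny_uncovered = bool(_kids(root, "deny-uncovered-http-methods"))
    report = {}
    for method in methods:
        covered, denied, needs_https, roles = False, False, True, set()
        for sc in _kids(root, "security-constraint"):
            if not any(_collection_covers(w, url_pattern, method)
                       for w in _kids(sc, "web-resource-collection")):
                continue
            covered = True
            for ac in _kids(sc, "auth-constraint"):
                names = _text(_kids(ac, "role-name"))
                if names:
                    roles.update(names)
                else:
                    denied = True  # empty auth-constraint: nobody may call
            guarantees = [g for udc in _kids(sc, "user-data-constraint")
                          for g in _text(_kids(udc, "transport-guarantee"), upper=True)]
            if not any(g in ("CONFIDENTIAL", "INTEGRAL") for g in guarantees):
                needs_https = False  # this constraint accepts plain HTTP (spec: union)
        if not covered:
            report[method] = "DENIED" if deny_uncovered else "UNCOVERED"
        elif denied:
            report[method] = "DENIED"
        else:
            parts = (["HTTPS"] if needs_https else []) + \
                    (["ROLE:" + ",".join(sorted(roles))] if roles else [])
            report[method] = "+".join(parts) or "ALLOWED"
    return report


# Constructed sample inputs mirroring the page's three web.xml fragments.
DENY_GET_POST = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

HTTPS_GET_POST = DENY_GET_POST.replace(
    "<auth-constraint/>",
    "<user-data-constraint><transport-guarantee>CONFIDENTIAL"
    "</transport-guarantee></user-data-constraint>")

COMBINED = HTTPS_GET_POST.replace("</web-app>", """
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured_Method_Restrict</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <http-method>HEAD</http-method><http-method>DELETE</http-method>
      <http-method>PUT</http-method><http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method><http-method>PATCH</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>""")

# Servlet 3.1 fix for verbs neither list mentions (assumes a 3.1+ container).
COMBINED_DENY_UNCOVERED = COMBINED.replace(
    "<web-app>", "<web-app>\n  <deny-uncovered-http-methods/>")

if __name__ == "__main__":
    for name, cfg in [("deny GET/POST", DENY_GET_POST), ("HTTPS GET/POST", HTTPS_GET_POST),
                      ("combined", COMBINED), ("combined+deny-uncovered", COMBINED_DENY_UNCOVERED)]:
        print(f"{name:24s} {analyze(cfg, '/secured/*')}")
```

Running it prints one line per configuration; the thing to look for is the PROPFIND column, which reads UNCOVERED for all three of the page's fragments and only becomes DENIED once <deny-uncovered-http-methods /> is added.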
