[WebLogic] security-constraint in web.xml
1. Overview
This note briefly explains how to write the security-constraint element of web.xml as defined by the J2EE spec.
2. Restricting HTTP methods
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>
A curl -X GET or curl -X POST call to this URI gets HTTP 403 Forbidden.
For the /secured/* URI, the empty <auth-constraint /> element is what makes the POST and GET methods inaccessible to everyone.
The key point is the auth-constraint.
3. Redirecting to HTTPS
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <!--<transport-guarantee>CONFIDENTIAL</transport-guarantee>-->
      <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
When the transport-guarantee option is CONFIDENTIAL or INTEGRAL, the request is redirected (302) to HTTPS.
For this to work, an SSL listen port must be enabled on the WAS.
curl -X POST or curl -X GET requests are switched to HTTPS.
Any other request is not switched.
The key point is that there is no auth-constraint. Because the other methods are not restricted, every method (TRACE, OPTIONS, DELETE, HEAD and so on) is allowed.
4. Combining the options
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured_Method_Restrict</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>DELETE</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>PATCH</http-method>
      <http-method>COPY</http-method>
      <http-method>MOVE</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>
POST and GET are switched to HTTPS and thereby protected,
and every other method is denied.
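As an added example (not code from the original post), the Python script below parses a web.xml, reports what a given request would get under the constraints in sections 2 to 4 (403, a 302 to HTTPS, or pass-through), and lists the HTTP methods that no constraint covers for a path, which is what the container's JACC "uncovered methods" warning points at. The embedded sample web.xml, the set of methods checked and the evaluation order (transport guarantee before authorization) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"}
# Constructed sample: a section-2 style constraint (deny GET/POST under /secured/*).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
 <security-constraint><web-resource-collection><web-resource-name>Secured</web-resource-name>
  <url-pattern>/secured/*</url-pattern><http-method>POST</http-method><http-method>GET</http-method>
  </web-resource-collection><auth-constraint/></security-constraint></web-app>"""

def parse_constraints(web_xml):
    """Return one dict per <security-constraint>, with the Java EE default namespace stripped."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    out = []
    for sc in root.findall("security-constraint"):
        wrc, auth = sc.find("web-resource-collection"), sc.find("auth-constraint")
        tg = sc.find("user-data-constraint/transport-guarantee")
        out.append({
            "patterns": [p.text.strip() for p in wrc.findall("url-pattern")],
            "methods": {m.text.strip().upper() for m in wrc.findall("http-method")},
            # None = no auth-constraint at all; [] = empty <auth-constraint/>, i.e. deny everyone
            "roles": None if auth is None else [r.text.strip() for r in auth.findall("role-name")],
            "guarantee": tg.text.strip().upper() if tg is not None and tg.text else "NONE",
        })
    return out

def url_matches(pattern, path):
    """Servlet-style matching: path prefix (/x/*), extension (*.jsp) or exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path.endswith(pattern[1:]) if pattern.startswith("*.") else path == pattern

def evaluate(constraints, method, path, https=False):
    """Outcome for one request: ALLOW, REDIRECT (302 to HTTPS), FORBIDDEN (403) or AUTH_REQUIRED."""
    hits = [c for c in constraints if any(url_matches(p, path) for p in c["patterns"])
            and (not c["methods"] or method.upper() in c["methods"])]
    # Transport guarantee is enforced before authorization (usual container order; assumed here).
    if not https and any(c["guarantee"] in ("CONFIDENTIAL", "INTEGRAL") for c in hits):
        return "REDIRECT"
    if any(c["roles"] == [] for c in hits):
        return "FORBIDDEN"
    return "AUTH_REQUIRED" if any(c["roles"] for c in hits) else "ALLOW"

def uncovered_methods(constraints, path):
    """Methods no matching constraint names for `path` (what the JACC 'uncovered' warning reports)."""
    hits = [c for c in constraints if any(url_matches(p, path) for p in c["patterns"])]
    if not hits or any(not c["methods"] for c in hits):  # no <http-method> = every method covered
        return set()
    return COMMON_METHODS - set().union(*(c["methods"] for c in hits))
```

On the section-2 configuration this reports HEAD, PUT, DELETE, OPTIONS, TRACE and PATCH as uncovered, which is exactly the gap the combined configuration in section 4 closes; on Servlet 3.1 and later containers, a deny-uncovered-http-methods element directly under web-app also turns such uncovered methods into 403 responses.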