一个B/S系统进行安全测评,返回结果要求禁用一些不常用的HTTP方法(PUT、DELTETE、OPTIONS等),按照网上的方法,在应用的web.xml的最后添加如下代码:
<!--安全配置 start -->
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<!--安全配置 end-->
上面的几个HTTP方法有效被禁用,但请求会跳转到tomcat的403页面,如下图:
按照测试要求,上图红色部分暴露的tomcat的版本,应该自定义403页面以屏蔽版本,于是在上面的安全配置后添加如下代码:
<error-page>
<error-code>404</error-code>
<location>/sys/404.html</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/sys/403.html</location>
</error-page>
结果是。。。。。。。。。。根本没用,并且HTTP的限制也不起作用了。
试了一番,发现404,500等error-code都正常,并且与HTTP限制不冲突。
只要加上403,HTTP方法就限制不了,并且也不会跳转到自定义的403.html。
完整web.xml如下:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<!--安全配置 start-->
<display-name>BISMFramework</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<!--安全配置 end -->
<!--############################ 服务器基本配置 start ############################-->
<!--会话超时配置,单位分钟-->
<session-config>
<session-timeout>-1</session-timeout>
</session-config>
<!--############################ 服务器基本配置 end ############################-->
<!--############################ Spring MVC配置 start ############################-->
<servlet>
<servlet-name>springmvc</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring-mvc.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springmvc</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!--处理编码,将请求的编码转换为utf-8-->
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>utf-8</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/</url-pattern>
</filter-mapping>
<!--############################ Spring MVC配置 end ############################-->
<!--############################ Spring配置 start ############################-->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- 指定Spring Bean的配置文件所在目录。默认配置在WEB-INF目录下 -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml</param-value>
</context-param>
<!--############################ Spring配置 end ############################-->
<!--安全配置 start -->
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<!--安全配置 end-->
<error-page>
<error-code>404</error-code>
<location>/sys/404.html</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/sys/403.html</location>
</error-page>
</web-app>