spring-boot disable HTTP methods

3
votes

For Tomcat it's fairly easy to disable certain HTTP methods. Just add to the web.xml:

    <security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

How do I do the same in spring-boot?
I've tried adding the following: 

@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
    return new EmbeddedServletContainerCustomizer() {
        @Override
        public void customize(ConfigurableEmbeddedServletContainer container) {
            if (container.getClass().isAssignableFrom(TomcatEmbeddedServletContainerFactory.class)) {
                TomcatEmbeddedServletContainerFactory tomcatContainer = (TomcatEmbeddedServletContainerFactory) container;
                tomcatContainer.addContextCustomizers(new ContextSecurityCustomizer());
            }
        }
    };
}

private static class ContextSecurityCustomizer implements TomcatContextCustomizer {
    @Override
    public void customize(Context context) {
        SecurityConstraint constraint = new SecurityConstraint();
        SecurityCollection securityCollection = new SecurityCollection();
        securityCollection.setName("restricted_methods");
        securityCollection.addPattern("/*");
        securityCollection.addMethod(HttpMethod.DELETE.toString());
        constraint.addCollection(securityCollection);
        context.addConstraint(constraint);
    }
}

with little success. The EmbeddedServletContainerCustomizer bean is created, however I can still issue DELETE requests.
Any ideas ?

2
javatomcatspring-boot

2 Answers

2
votes
//Restrict all method except GET & POST Spring boot
@Configuration
public class TomcatCustomizer implements EmbeddedServletContainerCustomizer {

    @Override
    public void customize(ConfigurableEmbeddedServletContainer container) {
        TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
        tomcat.setSessionTimeout(8, TimeUnit.HOURS);
        tomcat.addContextCustomizers(new ContextSecurityCustomizer());

    }
    private static class ContextSecurityCustomizer implements TomcatContextCustomizer {
        @Override
        public void customize(Context context) {
            SecurityConstraint constraint = new SecurityConstraint();
            SecurityCollection securityCollection = new SecurityCollection();
            securityCollection.setName("restricted_methods");
            securityCollection.addPattern("/*");
            securityCollection.addOmittedMethod(HttpMethod.POST.toString());
            securityCollection.addOmittedMethod(HttpMethod.GET.toString());
            constraint.addCollection(securityCollection);
            constraint.setAuthConstraint(true);
            context.addConstraint(constraint);
        }
    }

}
1
votes

That happens when you forget to add:

constraint.setAuthConstraint(true);

Working now !