opeled
Reputation: 153
spring-boot disable HTTP methods
For Tomcat it's fairly easy to disable certain HTTP methods. Just add to the web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
How do I do the same in spring-boot?
I've tried adding the following:
@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
return new EmbeddedServletContainerCustomizer() {
@Override
public void customize(ConfigurableEmbeddedServletContainer container) {
if (container.getClass().isAssignableFrom(TomcatEmbeddedServletContainerFactory.class)) {
TomcatEmbeddedServletContainerFactory tomcatContainer = (TomcatEmbeddedServletContainerFactory) container;
tomcatContainer.addContextCustomizers(new ContextSecurityCustomizer());
}
}
};
}
private static class ContextSecurityCustomizer implements TomcatContextCustomizer {
@Override
public void customize(Context context) {
SecurityConstraint constraint = new SecurityConstraint();
SecurityCollection securityCollection = new SecurityCollection();
securityCollection.setName("restricted_methods");
securityCollection.addPattern("/*");
securityCollection.addMethod(HttpMethod.DELETE.toString());
constraint.addCollection(securityCollection);
context.addConstraint(constraint);
}
}
with little success. The EmbeddedServletContainerCustomizer bean is created, however I can still issue DELETE requests.
Any ideas ?
Upvotes: 3
Views: 12814
Answers (2)
pradip yadav
Reputation: 143
//Restrict all method except GET & POST Spring boot
@Configuration
public class TomcatCustomizer implements EmbeddedServletContainerCustomizer {
@Override
public void customize(ConfigurableEmbeddedServletContainer container) {
TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
tomcat.setSessionTimeout(8, TimeUnit.HOURS);
tomcat.addContextCustomizers(new ContextSecurityCustomizer());
}
private static class ContextSecurityCustomizer implements TomcatContextCustomizer {
@Override
public void customize(Context context) {
SecurityConstraint constraint = new SecurityConstraint();
SecurityCollection securityCollection = new SecurityCollection();
securityCollection.setName("restricted_methods");
securityCollection.addPattern("/*");
securityCollection.addOmittedMethod(HttpMethod.POST.toString());
securityCollection.addOmittedMethod(HttpMethod.GET.toString());
constraint.addCollection(securityCollection);
constraint.setAuthConstraint(true);
context.addConstraint(constraint);
}
}
}
Upvotes: 2
opeled
Reputation: 153
That happens when you forget to add:
constraint.setAuthConstraint(true);
Working now !
Upvotes: 1
Related Questions
- How to access a value defined in the application.properties file in Spring Boot
- How to use java.net.URLConnection to fire and handle HTTP requests
- What's the difference between @Component, @Repository & @Service annotations in Spring?
- How to configure port for a Spring Boot application
- Running code after Spring Boot starts
- When to use static methods
- Disable security for unit tests with spring boot
- How do I test a class that has private methods, fields or inner classes?
- Security configuration with Spring-boot
- How to mock void methods with Mockito