
Whitelist security constraint in web.xml


I'm using Tomcat for my Struts2 application. The web.xml has certain entries as shown below:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
<security-constraint>
   <web-resource-collection>
       <web-resource-name>no_access</web-resource-name>
       <url-pattern>/jsp/*</url-pattern>
   </web-resource-collection>
   <auth-constraint/>
</security-constraint>
<security-constraint>
   <web-resource-collection>
       <web-resource-name>no_access</web-resource-name>
       <url-pattern>/myrrunner/*</url-pattern>
   </web-resource-collection>
   <auth-constraint/>
</security-constraint>

How can I change the blacklisted parts above to use only whitelisting? For example, instead of blacklisting the PUT and DELETE HTTP methods, I need to whitelist other methods, but I'm not sure of the syntax for whitelisting them or which methods to whitelist.

For my web.xml snippet above, I'd appreciate it if someone could provide the whitelisting counterpart.

EDIT: Also, how would I really verify whether the solution works or not?

Thanks


Solution

  • I would try the following:

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <!-- no auth-constraint tag here -->
    </security-constraint>
    
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>
    

    The first security-constraint does not have any auth-constraint, so the GET and POST methods are available to anyone without login. The second restricts other HTTP methods for everybody. (I haven't tried it.)
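On the question's EDIT about verifying the result: the following is an added example, not part of the original question or answer. It models the Servlet specification's rule for combining constraints that share one url-pattern, under which an empty auth-constraint overrides every other constraint covering the same method. The names `decide`, `report`, `ANSWER` and `OMISSION` are hypothetical, the `http-method-omission` fragment is an alternative added here that assumes a Servlet 3.0 descriptor, and best-match selection across different url-patterns is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed fragments: the two constraints from the answer above, and a
# Servlet 3.0 http-method-omission variant (added here, not from the page).
ANSWER = """<web-app>
 <security-constraint><web-resource-collection><url-pattern>/*</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
 </web-resource-collection></security-constraint>
 <security-constraint><web-resource-collection><url-pattern>/*</url-pattern>
 </web-resource-collection><auth-constraint/></security-constraint>
</web-app>"""
OMISSION = """<web-app>
 <security-constraint><web-resource-collection><url-pattern>/*</url-pattern>
  <http-method-omission>GET</http-method-omission>
  <http-method-omission>POST</http-method-omission>
 </web-resource-collection><auth-constraint/></security-constraint>
</web-app>"""

def decide(web_xml, pattern, method):
    """Return 'deny', 'open' or 'roles' for `method` on one url-pattern."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                       # ignore any XML namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    covered = open_access = False
    for sc in root.iter("security-constraint"):
        auth = sc.find("auth-constraint")
        for wrc in sc.iter("web-resource-collection"):
            if pattern not in [u.text.strip() for u in wrc.iter("url-pattern")]:
                continue
            named = [m.text.strip() for m in wrc.iter("http-method")]
            omitted = [m.text.strip() for m in wrc.iter("http-method-omission")]
            # A method occurs in a collection when it is named, or when no
            # method is named and it is not listed as an omission.
            occurs = method in named if named else method not in omitted
            if not occurs:
                continue
            covered = True
            if auth is None:
                open_access = True               # constraint with no auth-constraint
            elif not list(auth.iter("role-name")):
                return "deny"                    # empty auth-constraint overrides all
    return "open" if (open_access or not covered) else "roles"

def report(web_xml, pattern="/*", methods=("GET", "POST", "PUT", "DELETE", "TRACE")):
    return {m: decide(web_xml, pattern, m) for m in methods}

if __name__ == "__main__":
    for name, xml in (("answer", ANSWER), ("omission", OMISSION)):
        print(name, report(xml))
```

The model predicts only what the descriptor says. Confirming it on a deployed application still means sending each HTTP method to the running Tomcat instance and comparing the response status codes.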