Restricting HTTP methods in Tomcat

Disabling HTTP methods in Apache Tomcat

1 Check

root@zetawiki:~# curl -I -X GET localhost:8080 
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"1887-1463106734000"
Last-Modified: Fri, 13 May 2016 02:32:14 GMT
Content-Type: text/html
Content-Length: 1887
Date: Fri, 13 May 2016 14:22:07 GMT

root@zetawiki:~# curl -I -X POST localhost:8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"1887-1463106734000"
Last-Modified: Fri, 13 May 2016 02:32:14 GMT
Content-Type: text/html
Content-Length: 1887
Date: Fri, 13 May 2016 14:22:28 GMT

root@zetawiki:~# curl -I -X OPTIONS localhost:8080 
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
Content-Length: 0
Date: Fri, 13 May 2016 14:21:49 GMT
→ GET, POST and OPTIONS methods are allowed

2 Locate web.xml

root@zetawiki:~# netstat -tnlp | grep java
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      6286/java       
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      6286/java
root@zetawiki:~# ps -ef | grep 6286 | grep -v grep
tomcat7   6286     1  0 11:52 ?        00:00:13 /usr/lib/jvm/java-6-sun/bin/java -Djava.util.logging.config.file=/var/lib/tomcat7/conf/logging.properties -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/share/tomcat7/endorsed -classpath /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/tomcat7 -Dcatalina.home=/usr/share/tomcat7 -Djava.io.tmpdir=/tmp/tomcat7-tomcat7-tmp org.apache.catalina.startup.Bootstrap start
  • catalina.base is the /var/lib/tomcat7 directory
root@zetawiki:~# find -L /var/lib/tomcat7/ -name web.xml
/var/lib/tomcat7/conf/web.xml

3 Edit web.xml

  • Check the end of web.xml
root@zetawiki:~# cat /var/lib/tomcat7/conf/web.xml | tail -7
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

</web-app>
  • Append the following at the end of web.xml
root@zetawiki:~# vi /var/lib/tomcat7/conf/web.xml
... (omitted)
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Forbidden</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>POST</http-method>
            <http-method>OPTIONS</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
</web-app>
→ Restricts the POST and OPTIONS methods

4 Restart Tomcat

root@zetawiki:~# service tomcat7 restart
 * Stopping Tomcat servlet engine tomcat7                            [ OK ] 
 * Starting Tomcat servlet engine tomcat7                            [ OK ]

5 Check again

root@zetawiki:~# curl -I -X GET localhost:8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"1887-1463106734000"
Last-Modified: Fri, 13 May 2016 02:32:14 GMT
Content-Type: text/html
Content-Length: 1887
Date: Fri, 13 May 2016 14:23:25 GMT

root@zetawiki:~# curl -I -X POST localhost:8080
HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1108
Date: Fri, 13 May 2016 14:23:35 GMT
root@zetawiki:~# curl -I -X OPTIONS localhost:8080
HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 09:00:00 KST
Content-Type: text/html;charset=utf-8
Content-Length: 1108
Date: Fri, 13 May 2016 14:23:45 GMT
→ POST and OPTIONS now return 403 Forbidden
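As an added example (not part of the original page), the following Python script audits the security-constraint entries of a web.xml like the one edited in step 3 and reports which methods are denied to everyone for each url-pattern. The embedded web.xml is a constructed sample modelled on the page's snippet; the script also goes beyond the page's case by reporting a collection with no http-method, which constrains every method.

```python
# Audit security-constraint entries in a Tomcat web.xml and report which
# HTTP methods are denied to every caller, per url-pattern.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the edited web.xml above (not the real file).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Forbidden</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>POST</http-method>
            <http-method>OPTIONS</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
</web-app>
"""

def _local(tag):
    """Strip the XML namespace so the audit works with or without xmlns."""
    return tag.rsplit('}', 1)[-1]

def denied_methods(web_xml_text):
    """Return {url_pattern: set_of_methods} for constraints whose
    <auth-constraint/> is empty (no role-name), which denies all callers.
    A collection listing no <http-method> constrains every method and is
    reported as {'*'}.  <http-method-omission> (Servlet 3.0) is not handled."""
    root = ET.fromstring(web_xml_text)
    denied = {}
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        auth = [c for c in sc if _local(c.tag) == 'auth-constraint']
        # Deny-all only when <auth-constraint/> exists and names no role.
        if not auth or any(_local(r.tag) == 'role-name' for r in auth[0]):
            continue
        for wrc in sc:
            if _local(wrc.tag) != 'web-resource-collection':
                continue
            methods = {m.text.strip() for m in wrc if _local(m.tag) == 'http-method'}
            patterns = [p.text.strip() for p in wrc if _local(p.tag) == 'url-pattern']
            for p in patterns:
                denied.setdefault(p, set()).update(methods or {'*'})
    return denied

if __name__ == '__main__':
    for pattern, methods in denied_methods(SAMPLE_WEB_XML).items():
        print(pattern, 'denies', ', '.join(sorted(methods)))
```

Run it against /var/lib/tomcat7/conf/web.xml by passing the file's contents to denied_methods(); the output for the page's configuration is "/* denies OPTIONS, POST".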

6 See also

7 References
