
Use white-list instead of black-list of allowed HTTP methods in web.xml

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.0.0, EJBCA 6.15.2
    • Component/s: None
    • Labels: None
    • Environment: Wildfly 14
    • Issue discovered during: Integration
    • Sprint: EJBCA Team Bob - 2019 w2

      Description

      On Wildfly 14 we now allow HTTP CONNECT, since it isn't black-listed. Using a white-list instead would prevent methods from being unintentionally allowed in the future.

      With JEE6 we can use http-method-omission instead of http-method in our web.xml files.

      We commonly have (with variations):

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>restricted methods</web-resource-name>
                  <url-pattern>/*</url-pattern>
                  <http-method>PUT</http-method>
                  <http-method>DELETE</http-method>
                  <http-method>OPTIONS</http-method>
                  <http-method>TRACE</http-method>
              </web-resource-collection>
              <auth-constraint />
          </security-constraint> 
      

      but we should have (with variations):

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>restricted methods</web-resource-name>
                  <url-pattern>/*</url-pattern>
                  <http-method-omission>HEAD</http-method-omission>
                  <http-method-omission>POST</http-method-omission>
                  <http-method-omission>GET</http-method-omission>
              </web-resource-collection>
              <auth-constraint />
          </security-constraint> 
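      As an added illustration (not EJBCA's own code), a small Python checker that reads a web.xml and reports whether a deny-all security constraint covers a given HTTP method for a url-pattern; run against constructed copies of the two fragments above, it shows CONNECT slipping past the black-list but being caught by the white-list. The web_xml helper, the sample documents and the simplified constraint model are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

def web_xml(element, methods):
    """Build a minimal constructed web.xml with one deny-all constraint on /*."""
    items = "".join(f"<{element}>{m}</{element}>" for m in methods)
    return ("<web-app><security-constraint><web-resource-collection>"
            "<web-resource-name>restricted methods</web-resource-name>"
            f"<url-pattern>/*</url-pattern>{items}</web-resource-collection>"
            "<auth-constraint/></security-constraint></web-app>")

# Constructed samples mirroring the two fragments in the issue, not EJBCA's files.
BLACKLIST_WEB_XML = web_xml("http-method", ["PUT", "DELETE", "OPTIONS", "TRACE"])
WHITELIST_WEB_XML = web_xml("http-method-omission", ["HEAD", "POST", "GET"])

def _children(el, name):
    """Direct children with the given local name (namespace prefix ignored)."""
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]

def denied_methods(web_xml_text, methods, url_pattern="/*"):
    """Map each method to True if a deny-all constraint for url_pattern covers it.

    Simplified reading of the Servlet rules: only constraints with an empty
    <auth-constraint/> (no role may access) count; a collection listing
    <http-method> covers exactly those methods, one listing
    <http-method-omission> covers every method NOT listed, and one listing
    neither covers all methods. Anything left uncovered is allowed by default.
    """
    root = ET.fromstring(web_xml_text)
    denied = {m: False for m in methods}
    for sc in _children(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        if not auth or _children(auth[0], "role-name"):
            continue  # permits everyone, or grants access to named roles
        for wrc in _children(sc, "web-resource-collection"):
            patterns = {p.text.strip() for p in _children(wrc, "url-pattern")}
            if url_pattern not in patterns:
                continue
            listed = {m.text.strip() for m in _children(wrc, "http-method")}
            omitted = {m.text.strip() for m in _children(wrc, "http-method-omission")}
            for m in methods:
                covered = (m in listed) if listed else (m not in omitted)
                denied[m] = denied[m] or covered
    return denied

if __name__ == "__main__":
    for label, doc in (("black-list", BLACKLIST_WEB_XML), ("white-list", WHITELIST_WEB_XML)):
        print(label, denied_methods(doc, ["GET", "CONNECT", "TRACE"]))
```

      Servlet 3.1 web.xml files (web-app version 3.1) also offer a top-level <deny-uncovered-http-methods/> element that denies whatever a listed-method constraint leaves uncovered; the checker above does not model it.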
      

              People

              • Assignee: Johan Eklund
              • Reporter: Johan Eklund
              • Verified by: Samuel Lidén Borell
              • Votes: 0
              • Watchers: 2
