远端WWW服务支持TRACE请求


TOMCAT

  • 在 tomcat 的 web.xml 配置文件中,对不安全的方法进行拦截,禁用 TRACE、HEAD、PUT、DELETE、OPTIONS 请求方式:
  
     
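  <security-constraint>
     <web-resource-collection>
       <url-pattern>/*</url-pattern>
       <http-method>PUT</http-method>
       <http-method>DELETE</http-method>
       <http-method>HEAD</http-method>
       <http-method>OPTIONS</http-method>
       <http-method>TRACE</http-method>
     </web-resource-collection>
     <auth-constraint>
     </auth-constraint>
  </security-constraint>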
     
     
     
  
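  • 在 tomcat 的 server.xml 中先允许 TRACE 请求(Connector 的 allowTrace 设为 true),再在 web.xml 中禁用 TRACE,以此禁用 TRACE 请求(广大网友都是这样实现的,不明白ing)。说明:allowTrace 默认为 false,此时连接器直接以 405 拒绝 TRACE,请求到不了 web.xml 的安全约束;设为 true 后,TRACE 才会交给 web.xml 中的 security-constraint 与其他方法一起统一拒绝。注意:一旦该约束缺失或未生效,allowTrace=true 会让 TRACE 真正可用,配置后应实际发送 TRACE 请求确认返回的是拒绝响应。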

SpringBoot

  • TomcatConfig.java
import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

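/**
 * Embedded-Tomcat hardening for a Spring Boot 1.x application: registers a
 * security constraint that rejects a fixed set of HTTP methods on every URL.
 *
 * <p>The constraint is the programmatic counterpart of a {@code web.xml}
 * {@code <security-constraint>} with an empty {@code <auth-constraint>}.
 */
@Configuration
public class TomcatConfig {

    /** HTTP methods that the constraint rejects for all paths ({@code /*}). */
    private static final String[] BLOCKED_METHODS = {
        "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "COPY", "SEARCH", "PROPFIND"
    };

    /**
     * Builds the embedded Tomcat factory with the method-blocking constraint
     * attached to the web application context.
     *
     * @return the customized servlet container factory
     */
    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();

        factory.addContextCustomizers(new TomcatContextCustomizer() {
            @Override
            public void customize(Context context) {
                context.addConstraint(denyBlockedMethods());
            }
        });

        // Counter-intuitive but deliberate: the connector is told to ACCEPT TRACE
        // so the request reaches the security constraint above and is rejected
        // there together with the other methods. With the default (false) the
        // connector answers TRACE itself with 405 before any constraint runs.
        // If the constraint is ever removed, this line must go too; otherwise
        // TRACE becomes genuinely available.
        factory.addConnectorCustomizers(connector -> connector.setAllowTrace(true));

        return factory;
    }

    /**
     * Creates the constraint that denies {@link #BLOCKED_METHODS} on {@code /*}.
     *
     * @return a constraint with an empty auth constraint (deny all callers)
     */
    private static SecurityConstraint denyBlockedMethods() {
        SecurityCollection blocked = new SecurityCollection();
        blocked.addPattern("/*");
        for (String method : BLOCKED_METHODS) {
            blocked.addMethod(method);
        }

        SecurityConstraint constraint = new SecurityConstraint();
        // Transport guarantee kept from the original configuration. On its own
        // it only demands a confidential (TLS) channel: a request that already
        // arrives over HTTPS would satisfy it and the listed methods would be
        // served.
        constraint.setUserConstraint("CONFIDENTIAL");
        // Fix: an auth constraint with no roles denies every caller, which is
        // what actually blocks the methods (same effect as an empty
        // <auth-constraint/> in web.xml).
        constraint.setAuthConstraint(true);
        constraint.addCollection(blocked);
        return constraint;
    }
}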

.end
