spring boot使用内嵌的tomcat解决不安全的HTTP方法安全漏洞

最新推荐文章于 2024-07-29 09:37:33 发布

caodongfang126

最新推荐文章于 2024-07-29 09:37:33 发布

阅读量2.1k

点赞数

分类专栏： springboot

springboot 专栏收录该内容

39 篇文章 1 订阅

订阅专栏

一：传统Web项目的解决方案：
在tomcat的web.xml配置文件中，对不安全的方法进行拦截：
<security-constraint>
            <web-resource-collection>
                <url-pattern>/*</url-pattern>
                <http-method>HEAD</http-method>
                <http-method>PUT</http-method>
                <http-method>DELETE</http-method>
                <http-method>OPTIONS</http-method>
                <http-method>TRACE</http-method>
                <http-method>COPY</http-method>
                <http-method>SEARCH</http-method>
                <http-method>PROPFIND</http-method>
            </web-resource-collection>
            <auth-constraint>
            </auth-constraint>
</security-constraint>

如果需要禁用TRACE请求，还需要修改tomcat的server.xml配置文件(在server.xml中先允许TRACE请求，再在web.xml中禁用TRACE)：
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" allowTrace="true"
redirectPort="8443" />

二：spring boot的解决方案：
1.众所周知，spring boot的容器是内嵌的，是没有web.xml给我们配置的，所有的配置都是在properties文件中进行配置的，所以我们的思路也是在properties文件中增加tomcat的相关配置。
#解决不安全的HTTP方法漏洞
server.tomcat.port-header=HEAD,PUT,DELETE,OPTIONS,TRACE,COPY,SEARCH,PROPFIND

2.代码的方式增加tomcat的配置(本人测试上面配置文件方式不生效，这种方式可以，如有不同看法请留言)，代码如下：
package com.xzp;

import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.session.SessionAutoConfiguration;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.cloud.client.circuitbreaker.EnableCircuitBreaker;
import org.springframework.cloud.netflix.feign.EnableFeignClients;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
import org.springframework.context.annotation.Bean;

@SpringBootApplication(exclude = { SessionAutoConfiguration.class })
@EnableZuulProxy
public class ApiGatewayServerApplictation {

    public static void main(String[] args) {
        SpringApplication.run(ApiGatewayServerApplictation.class, args);
    }
    //主要是以下代码：
    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory() {// 1
            protected void postProcessContext(Context context) {
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                collection.addMethod("HEAD");
                collection.addMethod("PUT");
                collection.addMethod("DELETE");
                collection.addMethod("OPTIONS");
                collection.addMethod("TRACE");
                collection.addMethod("COPY");
                collection.addMethod("SEARCH");
                collection.addMethod("PROPFIND");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };
        //如果需要禁用TRACE请求，需添加以下代码：
        tomcat.addConnectorCustomizers(connector -> {
            connector.setAllowTrace(true);
        });
        return tomcat;
    }