HTTP — 基础 禁用PUT、DELETE、TRACE等方法
HTTP 服务
在httpd.conf中增加,只允许GET、POST、OPTIONS方法
<Location "/"> AllowMethods GET POST OPTIONS </Location>
重启apache
systemctl restart httpd.service
tomcat 禁用PUT、DELETE、TRACE等危险方法
在应用程序的web.xml中添加如下的代码即可:
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
jetty禁用http put和delete等方法的方式
1. 基于xml的配置方式
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>
2. springboot项目,容器是jetty,版本 springboot 2.X
```java
@Bean
public JettyServletWebServerFactory createJettyServletWebServerFactory() {
return new JettyServletWebServerFactory(){
@Override
protected void postProcessWebAppContext(WebAppContext webAppContext) {
HttpConstraintElement disable = new HttpConstraintElement(ServletSecurity.EmptyRoleSemantic.DENY);
HttpMethodConstraintElement put = new HttpMethodConstraintElement("PUT", disable);
HttpMethodConstraintElement delete = new HttpMethodConstraintElement("DELETE", disable);
HttpMethodConstraintElement head = new HttpMethodConstraintElement("HEAD", disable);
ServletSecurityElement sse = new ServletSecurityElement(Arrays.asList(put, delete, head));
List<ConstraintMapping> mappings = ConstraintSecurityHandler.createConstraintsWithMappingsForPath("disable", "/*", sse);
ConstraintSecurityHandler csh = new ConstraintSecurityHandler();
csh.setConstraintMappings(mappings);
webAppContext.setSecurityHandler(csh);
}
};
}
*备注:不允许的情况下访问就会报告 http 403 forbidden 错误。*