HTTP --- 基础 禁用PUT、DELETE、TRACE等方法

HTTP — 基础 禁用PUT、DELETE、TRACE等方法

HTTP 服务

在httpd.conf中增加,只允许GET、POST、OPTIONS方法

<Location "/"> AllowMethods GET POST OPTIONS </Location>

重启apache

systemctl restart httpd.service

tomcat 禁用PUT、DELETE、TRACE等危险方法

在应用程序的web.xml中添加如下的代码即可:

<security-constraint>    
	<web-resource-collection>    
		<url-pattern>/*</url-pattern>    
		<http-method>PUT</http-method>    
		<http-method>DELETE</http-method>    
		<http-method>OPTIONS</http-method>    
		<http-method>TRACE</http-method>    
	</web-resource-collection>    
	<auth-constraint>    
	</auth-constraint>    
</security-constraint>    
<login-config>    
	<auth-method>BASIC</auth-method>    
</login-config>

jetty禁用http put和delete等方法的方式

1. 基于xml的配置方式

<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>

2. springboot项目,容器是jetty,版本 springboot 2.X


```java
@Bean
public JettyServletWebServerFactory createJettyServletWebServerFactory() {
return new JettyServletWebServerFactory(){
@Override
protected void postProcessWebAppContext(WebAppContext webAppContext) {

HttpConstraintElement disable = new HttpConstraintElement(ServletSecurity.EmptyRoleSemantic.DENY);
HttpMethodConstraintElement put = new HttpMethodConstraintElement("PUT", disable);
HttpMethodConstraintElement delete = new HttpMethodConstraintElement("DELETE", disable);
HttpMethodConstraintElement head = new HttpMethodConstraintElement("HEAD", disable);


ServletSecurityElement sse = new ServletSecurityElement(Arrays.asList(put, delete, head));
List<ConstraintMapping> mappings = ConstraintSecurityHandler.createConstraintsWithMappingsForPath("disable", "/*", sse);

ConstraintSecurityHandler csh = new ConstraintSecurityHandler();
csh.setConstraintMappings(mappings);
webAppContext.setSecurityHandler(csh);
}
};
}

*备注:不允许的情况下访问就会报告 http 403 forbidden 错误。*





已标记关键词 清除标记
©️2020 CSDN 皮肤主题: 大白 设计师:CSDN官方博客 返回首页