Disabling verbs such as OPTIONS and TRACE in effect means disabling the WebDAV protocol.
Open the tomcat -> conf -> web.xml file:
Comment out or delete the following code:
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
Replace it with:
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>PATCH</http-method>
<http-method>DELETE</http-method>
<http-method>COPY</http-method>
<http-method>OPTIONS</http-method>
<http-method>LINK</http-method>
<http-method>UNLINK</http-method>
<http-method>PURGE</http-method>
<http-method>LOCK</http-method>
<http-method>UNLOCK</http-method>
<http-method>PROPFIND</http-method>
<http-method>VIEW</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>DIGEST</auth-method>
</login-config>
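Then continue by modifying server.xml (to deal with TRACE and Coyote/1.1).
Add the following attributes to the Connector. With allowTrace="true" the connector passes TRACE through to the web application, where the security-constraint above rejects it; server="x" replaces the Coyote/1.1 value of the Server header: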
allowTrace="true" server="x"
Enable APR mode:
Modify the protocol of the Connector.
Change
HTTP/1.1
to
org.apache.coyote.http11.Http11AprProtocol
The result is as follows:
<Connector port="80" protocol="org.apache.coyote.http11.Http11AprProtocol"
connectionTimeout="20000"
redirectPort="8443" />
In catalina.bat, find setlocal and add the CATALINA_OPTS parameter, as follows:
setlocal
set CATALINA_OPTS="-Djava.library.path=%CATALINA_HOME%\bin"