如何禁止不必要的 HTTP 方法，如DELETE，PUT，OPTIONS等协议访问应用程序

一、修改应用程序的server.xml文件的协议为HTTPS,

 <Connector SSLEnabled="true" port="8080" acceptCount="100" clientAuth="false"
    disableUploadTimeout="true" enableLookups="false" maxThreads="25"
     keystoreFile="d:\tomcat.keystore" keystorePass="111111"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" URIEncoding="utf-8"
    secure="true" sslProtocol="TLS"
  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"

  /> 

 

二、将以下代码放到web.xml中

 <!--
 如果是https不用注释  -->
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>securedapp</web-resource-name>
   <url-pattern>/*</url-pattern>
   <http-method>PUT</http-method> 
<http-method>DELETE</http-method> 
<http-method>HEAD</http-method> 
<http-method>OPTIONS</http-method> 
<http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint> 
   </auth-constraint>
  <user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  
 </security-constraint>