springboot使用undertow服务器禁用TRACE请求

碧竹542

已于 2024-02-21 14:45:25 修改

阅读量491

点赞数 8

文章标签： spring boot 服务器后端

于 2024-02-21 14:40:49 首次发布

本文链接：https://blog.csdn.net/qq_16171201/article/details/136211010

版权

问题描述：

今日在工作中遇到服务器被扫描出一个漏洞，描述如下：
风险描述：远程 Web 服务器支持 TRACE 和/或 TRACK方法。TRACE和 TRACK 是用于调试 Web 服务器连接的 HTTP 方法。
风险影响：通过一个跨站追踪攻击窃职 cookies 和验证信任

使用框架

springboot + redis +mybatis
web服务使用springboot 内嵌web服务 undertow
配置如下：

        <!-- SpringBoot Web容器 -->
         <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
             <exclusions>
                 <exclusion>
                     <artifactId>spring-boot-starter-tomcat</artifactId>
                     <groupId>org.springframework.boot</groupId>
                 </exclusion>
             </exclusions>
        </dependency>
        <!-- web 容器使用 undertow 性能更强 -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-undertow</artifactId>
        </dependency>
   <dependency>
        <groupId>io.undertow</groupId>
        <artifactId>undertow-servlet</artifactId>
    </dependency>

在网上找啊找啊，大多是tomcat的，终于找到一个

@Bean
public UndertowEmbeddedServletContainerFactory embeddedServletContainerFactory() {
    UndertowEmbeddedServletContainerFactory factory = new UndertowEmbeddedServletContainerFactory();
    factory.addBuilderCustomizers(new UndertowBuilderCustomizer() {

        @Override
        public void customize(Builder builder) {
            builder.addHttpListener(8080, "0.0.0.0");
        }

    });
    return factory;
}

很遗憾不能用，各种类找不到BUG，接续找，终于找到springboot 2.0之后类名字变更，所以修改如下：

package com.ruoyi.medicine.config;

import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.servlet.api.SecurityConstraint;
import io.undertow.servlet.api.WebResourceCollection;
import org.springframework.boot.web.embedded.undertow.UndertowDeploymentInfoCustomizer;
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;

/**
 * @author wang'hai'yang
 * @Description:
 * @date 2024/2/2110:46
 */
@Configuration
public class EmbeddedServletContainerCustomizerConfig {

    @Bean
    public WebServerFactoryCustomizer containerCustomizer() {
        return new WebServerFactoryCustomizer() {
            @Override
            public void customize(WebServerFactory factory) {
                if(factory.getClass().isAssignableFrom(UndertowServletWebServerFactory.class)){
                    UndertowServletWebServerFactory underTowContainer = (UndertowServletWebServerFactory) factory;
                    underTowContainer.addDeploymentInfoCustomizers(new ContextSecurityCustomizer());
                }
            }
        };
    }

    private static class ContextSecurityCustomizer implements UndertowDeploymentInfoCustomizer {
        @Override
        public void customize(DeploymentInfo deploymentInfo) {
            SecurityConstraint constraint = new SecurityConstraint();
            WebResourceCollection traceWebresource = new WebResourceCollection();
            traceWebresource.addUrlPattern("/*");
            traceWebresource.addHttpMethod(HttpMethod.TRACE.toString());
            constraint.addWebResourceCollection(traceWebresource);
            deploymentInfo.addSecurityConstraint(constraint);
        }
    }
}