【Spring Boot:[Tomcat] Error parsing HTTP request header】

Spring boot: Error parsing HTTP request header

一、问题

Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.

Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level. 
java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
	at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:468)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)

大致意思：请求信息中出现了错误。

二、分析

1. 一般接口都正常，只有 http://172.18.8.114:8760/api/authority/enums?ts=1654582788439&codes[]=DataScopeType 发生异常，而其中包含了"[]"特殊字符，说明是请求信息中有特殊字符导致的。

2. 异常来源，Spring boot服务，一直运行正常，由于需要对请求方法做过滤，基于内置Tomcat运行的，所以对内置的Tomcat的相关配置，而后开始出现此错误，故错误一定出现在，新增的对于Tomcat的配置。

   /**
    * 配置SpringBoot内置的Tomcat的请求接口，url在anno/下的所有接口，均不许使用"HEAD|PUT|DELETE..."等方法访问
    * @author HFL
    * @date 2022/6/19:40
    */
   @Configuration
   public class TomcatConfiguration {
   
       @Bean
       public ConfigurableServletWebServerFactory configurableServletWebServerFactory(){
           TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
           factory.addContextCustomizers(context -> {
               SecurityConstraint securityConstraint = new SecurityConstraint();
               securityConstraint.setUserConstraint("CONFIDENTIAL");
               SecurityCollection collection = new SecurityCollection();
               collection.addPattern("/anno/*");
               collection.addMethod("HEAD");
               collection.addMethod("PUT");
               collection.addMethod("DELETE");
               collection.addMethod("TRACE");
               collection.addMethod("OPTIONS");
               collection.addMethod("PATCH");
               collection.addMethod("COPY");
               collection.addMethod("SEARCH");
               collection.addMethod("PROPFIND");
               securityConstraint.addCollection(collection);
               context.addConstraint(securityConstraint);
           });
           return factory;
       }
   
   }
   

三、解决

查找资料，找到三种解决方式：

1. 将请求参数进行encodeURI处理 （未测试 不推荐）

   encodeURL(参数)
   

2. 降低Tomcat版本，看着就不靠谱 （未测试 不推荐）

3. 增加Tomcat的TomcatServletWebServerFactory的配置，使其请求可以包含特殊字符”#<>[\]^`{|}“ （测试有效 推荐使用）

   /**
    * 配置SpringBoot内置的Tomcat的请求接口：
    * 项目请求地址是，anno/下的所有接口，
    * 均不许使用"HEAD|PUT|DELETE|TRACE|OPTIONS|PATCH|COPY|SEARCH"请求方式访问
    * @author HFL
    * @date 2022/6/19:40
    */
   @Configuration
   public class TomcatConfiguration {
   
       @Bean
       public ConfigurableServletWebServerFactory configurableServletWebServerFactory(){
           TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
           factory.addContextCustomizers(context -> {
               SecurityConstraint securityConstraint = new SecurityConstraint();
               securityConstraint.setUserConstraint("CONFIDENTIAL");
               SecurityCollection collection = new SecurityCollection();
               collection.addPattern("/anno/*");
               collection.addMethod("HEAD");
               collection.addMethod("PUT");
               collection.addMethod("DELETE");
               collection.addMethod("TRACE");
               collection.addMethod("OPTIONS");
               collection.addMethod("PATCH");
               collection.addMethod("COPY");
               collection.addMethod("SEARCH");
               collection.addMethod("PROPFIND");
               securityConstraint.addCollection(collection);
               context.addConstraint(securityConstraint);
           });
           //请求信息中允许包含”#<>[\]^`{|}“等特殊字符
           factory.addConnectorCustomizers((Connector connector) -> {
               connector.setProperty("relaxedPathChars","\"#<>[\\]^`{|}");
               connector.setProperty("relaxedQueryChars","\"#<>[\\]^`{|}");
           });
           return factory;
       }
   
   }
   

四、注意

1. 对于ContextCustomizers的配置，是针对请求接口中出现WebDAV低危漏洞做出的处理，只出现Error parsing HTTP request header此错误，无需对ContextCustomizers进行配置，只配置特殊字符即可，如下配置。

   /**
    * 允许请求信息中允许包含#<>[\]^`{|}等特殊字符
    * @author HFL
    * @date 2022/6/19:40
    */
   @Configuration
   public class TomcatConfiguration {
   
       @Bean
       public ConfigurableServletWebServerFactory configurableServletWebServerFactory(){
           TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
           //请求信息中允许包含"#<>[\]^`{|}"等特殊字符
           factory.addConnectorCustomizers((Connector connector) -> {
               connector.setProperty("relaxedPathChars","\"#<>[\\]^`{|}");
               connector.setProperty("relaxedQueryChars","\"#<>[\\]^`{|}");
           });
           return factory;
       }
   
   }
   

2. 文中提到的除"[]"的其他特殊字符本人未做详细测试，使用者请自行测试。

五、参考

1.异常 org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
2.Spring boot 报错 Error parsing HTTP request header