IBM AppScan flags unsafe request methods: disabling TRACE, OPTIONS and other HTTP methods

Background
The project's security scan reported unsafe request methods. For security reasons we want to disable the TRACE, HEAD, PUT, DELETE and OPTIONS methods; the project's clients only use GET and POST.

Implementation in Tomcat

Add the following request-method restriction at the end of Tomcat's web.xml; Tomcat 8.5.31 was used here. A request that matches a denied constraint is answered by the container with HTTP 403, and Tomcat's connector additionally rejects TRACE by default (allowTrace="false") independently of this constraint.

The <http-method> child of <security-constraint> is optional: if no <http-method> element is present, the constraint applies to every HTTP method, so with an empty <auth-constraint> all methods are denied for the matching resources.

<!-- Only the methods the application does not use are listed. With an empty
     <auth-constraint/> every listed method is denied (403) for every caller,
     so GET and POST must not appear here or they would be denied as well. -->
<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

Implementation in Spring Boot

Spring Boot uses embedded Tomcat. Before version 2.0 the configuration looks as follows:

import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public EmbeddedServletContainerFactory servletContainer() {
    TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory() {
        @Override
        protected void postProcessContext(Context context) {
            SecurityConstraint securityConstraint = new SecurityConstraint();
            // An auth-constraint with no roles denies the listed methods to every caller
            // (HTTP 403); this is the programmatic form of an empty <auth-constraint/>.
            // setUserConstraint("CONFIDENTIAL") would only force HTTPS, not block anything.
            securityConstraint.setAuthConstraint(true);
            SecurityCollection collection = new SecurityCollection();
            collection.addPattern("/*");
            collection.addMethod("HEAD");
            collection.addMethod("PUT");
            collection.addMethod("DELETE");
            collection.addMethod("OPTIONS");
            collection.addMethod("TRACE");
            collection.addMethod("COPY");
            collection.addMethod("SEARCH");
            collection.addMethod("PROPFIND");
            securityConstraint.addCollection(collection);
            context.addConstraint(securityConstraint);
        }
    };
    // Tomcat's connector rejects TRACE unless allowTrace is true; false is already the
    // default, setting it explicitly just makes the intent visible. true would ENABLE TRACE.
    tomcat.addConnectorCustomizers(connector -> connector.setAllowTrace(false));
    return tomcat;
}

From version 2.0 on, use the following form:

import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public ConfigurableServletWebServerFactory configurableServletWebServerFactory() {
    TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
    factory.addContextCustomizers(context -> {
        SecurityConstraint securityConstraint = new SecurityConstraint();
        // An auth-constraint with no roles denies the listed methods to every caller
        // (HTTP 403), the same as an empty <auth-constraint/> in web.xml.
        securityConstraint.setAuthConstraint(true);
        SecurityCollection collection = new SecurityCollection();
        collection.addPattern("/*");
        collection.addMethod("HEAD");
        collection.addMethod("PUT");
        collection.addMethod("DELETE");
        collection.addMethod("OPTIONS");
        collection.addMethod("TRACE");
        collection.addMethod("COPY");
        collection.addMethod("SEARCH");
        collection.addMethod("PROPFIND");
        securityConstraint.addCollection(collection);
        context.addConstraint(securityConstraint);
    });
    return factory;
}

If none of the above takes effect, a servlet filter can also be used to reject the unsafe methods; I tested this myself and it works.

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class CorsFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        // Read the request method
        String method = httpServletRequest.getMethod();

        // Reject TRACE and TRACK requests with 405 Method Not Allowed
        if ("TRACE".equals(method) || "TRACK".equals(method)) {
            httpServletResponse.setHeader("Allow", "HEAD, DELETE, POST, GET, OPTIONS, PUT");
            httpServletResponse.setStatus(405);
            return;
        }
        chain.doFilter(request, response);

        // To redirect to another page instead, use the following:
        //if ("TRACE".equals(method) || "TRACK".equals(method)) {
        //    httpServletResponse.sendRedirect("/IPOS/User/login");
        //} else {
        //    chain.doFilter(request, response);
        //}
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

Register it in the startup class:

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;

// Register the filter as a bean
@Bean
public FilterRegistrationBean corsFilterRegistration() {
    FilterRegistrationBean registration = new FilterRegistrationBean();
    registration.setFilter(new CorsFilter());
    registration.addUrlPatterns("/*");
    registration.setName("corsFilter");
    // Order it ahead of the other filters
    registration.setOrder(0);
    return registration;
}
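As an added example (not from the original post), the filter approach generalised to an allow-list: rather than rejecting only TRACE and TRACK, it lets through exactly the methods the background section says the application uses (GET and POST) and answers every other method with 405 plus a matching Allow header. The class name and the allow-list contents are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the original post: an allow-list filter (hypothetical
// class name). Anything outside ALLOWED is refused, so TRACK, PROPFIND and other
// exotic methods are covered without having to enumerate each one.
public class AllowedMethodsFilter implements Filter {

    // Assumption: the application only uses GET and POST (see the background section).
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new LinkedHashSet<>(Arrays.asList("GET", "POST")));

    // A 405 must carry an Allow header naming the permitted methods (RFC 7231).
    private static final String ALLOW_HEADER = String.join(", ", ALLOWED);

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // HTTP method tokens are case-sensitive, so compare exactly: "trace" or
        // "Get" are refused instead of slipping past an upper-case-only check.
        if (!ALLOWED.contains(req.getMethod())) {
            res.setHeader("Allow", ALLOW_HEADER);
            res.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            res.setContentLength(0); // empty body; the chain stops here
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register it with a FilterRegistrationBean at order 0, exactly as the corsFilterRegistration bean above does for CorsFilter.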