1. Verify whether OPTIONS requests are allowed
curl -v -X OPTIONS http://IP:PORT/SERVLETNAME
For example: curl -v -X OPTIONS http://127.0.0.1:2438/custserv
If the OPTIONS method is allowed, the response looks like this:
* About to connect() to 127.0.0.1 port 2438 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 2438 (#0)
> OPTIONS /custserv HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:2438
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 16 Sep 2019 02:57:35 GMT
< Content-Length: 0
< Allow: GET, HEAD, POST, TRACE, OPTIONS
< Set-Cookie: JSESSIONID=m1E4AQtShXVUGHFzwY20blXiRT6ZAl-K2ZXiT2BOr5PxIpLR5kbz!-286816992; path=/; HttpOnly
<
* Connection #0 to host 127.0.0.1 left intact
If the OPTIONS method is not allowed, the response looks like this:
* About to connect() to 127.0.0.1 port 2438 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 2438 (#0)
> OPTIONS /custserv HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:2438
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Mon, 16 Sep 2019 02:56:57 GMT
< Content-Length: 1468
< Content-Type: text/html; charset=UTF-8
< WWW-Authenticate: Basic realm="weblogic"
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Draft//EN">
<HTML>
<HEAD>
<TITLE>Error 401--Unauthorized</TITLE>
</HEAD>
<BODY bgcolor="white">
<FONT FACE=Helvetica><BR CLEAR=all>
<TABLE border=0 cellspacing=5><TR><TD><BR CLEAR=all>
<FONT FACE="Helvetica" COLOR="black" SIZE="3"><H2>Error 401--Unauthorized</H2>
</FONT></TD></TR>
</TABLE>
<TABLE border=0 width=100% cellpadding=10><TR><TD VALIGN=top WIDTH=100% BGCOLOR=white><FONT FACE="Courier New"><FONT FACE="Helvetica" SIZE="3"><H3>From RFC 2068 <i>Hypertext Transfer Protoc
ol -- HTTP/1.1</i>:</H3></FONT><FONT FACE="Helvetica" SIZE="3"><H4>10.4.2 401 Unauthorized</H4>
</FONT><P><FONT FACE="Courier New">The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to t
he requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.</FONT></P></FONT></TD></TR>
</TABLE>
</BODY>
</HTML>
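
Added example, not part of the original note: a shell helper that reads saved curl -v output (for instance from curl -v -X OPTIONS ... 2>&1) and reports whether the probe was allowed and which of the restricted methods the Allow header still advertises. The function names and the treatment of 403/405 as "blocked" are assumptions; the two samples are abridged from the replies shown above.

```shell
#!/bin/sh
# Added example: classify an OPTIONS probe from saved `curl -v` output.
RESTRICTED="PUT DELETE HEAD OPTIONS TRACE"   # methods restricted by the web.xml constraints on this page

# Read `curl -v` output on stdin; print "<status>|<Allow header value>".
parse_reply() {
  awk '
    { sub(/\r$/, "") }                              # strip CR from CRLF line endings
    /^< HTTP\//               { status = $3 }       # "< HTTP/1.1 200 OK" -> 200
    tolower($0) ~ /^< allow:/ { sub(/^< [^:]*:[ \t]*/, ""); allow = $0 }
    END { print status "|" allow }
  '
}

# Turn "<status>|<allow>" into a one-line verdict.
classify() {
  c_status=${1%%|*}; c_allow=$(printf '%s' "${1#*|}" | tr -d ' '); c_hit=""
  case "$c_status" in
    401|403|405) echo "BLOCKED status=$c_status"; return 0 ;;  # 401 as on this page; 403/405 assumed equivalents
    2??) ;;
    *) echo "UNKNOWN status=$c_status"; return 0 ;;
  esac
  for m in $RESTRICTED; do
    case ",$c_allow," in *",$m,"*) c_hit="$c_hit $m" ;; esac
  done
  echo "ALLOWED status=$c_status exposed=${c_hit# }"
}

# Constructed samples, abridged from the two replies shown above.
sample_allowed() {
cat <<'EOF'
> OPTIONS /custserv HTTP/1.1
< HTTP/1.1 200 OK
< Content-Length: 0
< Allow: GET, HEAD, POST, TRACE, OPTIONS
<
EOF
}
sample_blocked() {
cat <<'EOF'
> OPTIONS /custserv HTTP/1.1
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="weblogic"
<
EOF
}
classify "$(sample_allowed | parse_reply)"
classify "$(sample_blocked | parse_reply)"
```

Run it again after deploying the web.xml change; the verdict for the same URL should move from ALLOWED to BLOCKED.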
2. Disabling the OPTIONS method in WebLogic
Add the following at the end of the project's web.xml (before the closing </web-app> tag):
<security-constraint>
  <web-resource-collection>
    <web-resource-name>baseproject</web-resource-name>
    <!-- Applies to every URL of the application -->
    <url-pattern>/*</url-pattern>
    <!-- Only the methods listed here are covered by this constraint -->
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- The listed methods require this role; a request without credentials gets 401 -->
  <auth-constraint>
    <description>baseproject</description>
    <role-name>All Role</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
3. Disabling the OPTIONS method in Tomcat
Add the following under the web-app element of web.xml:
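<security-constraint>
  <web-resource-collection>
    <!-- Required by the deployment descriptor schema; the name is an arbitrary label -->
    <web-resource-name>restricted-methods</web-resource-name>
    <!-- Applies to every URL of the application -->
    <url-pattern>/*</url-pattern>
    <!-- Only the methods listed here are covered by this constraint -->
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- Empty auth-constraint: no role is permitted, so the listed methods are denied to every user -->
  <auth-constraint>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>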