一、项目场景:
在项目测试阶段,tomcat需要禁止一些不安全的请求,比如PUT、TRACE、OPTIONS等,这里自定义springboot中的tomcat配置类,实现禁用。
二、 解决方法:
2.1、外置的 Tomcat 可以直接修改其 conf/web.xml 配置文件。
2.2、1.X版本的springboot
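@Configuration
public class TomcatConfig {

    /** HTTP methods that are rejected on every path of the embedded container. */
    private static final String[] DENIED_METHODS = {
        "TRACE", "HEAD", "PUT", "DELETE", "OPTIONS", "COPY", "SEARCH", "PROPFIND", "CONNECT"
    };

    /**
     * Builds the embedded Tomcat factory that rejects the methods in {@link #DENIED_METHODS}.
     * Rejection is expressed as a Tomcat security constraint carrying an auth-constraint and
     * no roles, which Tomcat treats as "deny everyone" and answers with HTTP 403.
     *
     * @return the customised embedded servlet container factory
     */
    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                // HEAD and OPTIONS are on the list deliberately; be aware this also rejects
                // HEAD-based health checks and CORS pre-flight requests.
                for (String method : DENIED_METHODS) {
                    collection.addMethod(method);
                }

                SecurityConstraint securityConstraint = new SecurityConstraint();
                // Without an auth-constraint the original only set the CONFIDENTIAL transport
                // guarantee, so matching requests were redirected to the HTTPS port rather than
                // rejected. An auth-constraint with no roles is Tomcat's "deny all"; the
                // transport guarantee is left at its default (NONE) so denial happens on the
                // connector that received the request.
                securityConstraint.setAuthConstraint(true);
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);

                // Session cookies are flagged HttpOnly so they are not readable from script.
                context.setUseHttpOnly(true);
            }
        };
        // Keep TRACE switched off at the connector level as well (Tomcat's default); the
        // original enabled it, which contradicted the constraint registered above.
        tomcat.addConnectorCustomizers(connector -> connector.setAllowTrace(false));
        return tomcat;
    }
}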
2.3、springboot 2.X 版本的配置
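@Configuration
public class TomcatConfig {

    /** HTTP methods that are rejected on every path of the embedded container. */
    private static final String[] DENIED_METHODS = {
        "HEAD", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE", "COPY", "SEARCH", "PROPFIND"
    };

    /**
     * Builds the embedded Tomcat factory that rejects the methods in {@link #DENIED_METHODS}.
     * Rejection is expressed as a Tomcat security constraint carrying an auth-constraint and
     * no roles, which Tomcat treats as "deny everyone" and answers with HTTP 403.
     *
     * @return the customised embedded web server factory
     */
    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcatServletContainerFactory = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                // Already covered by "/*"; kept because the original listed it explicitly.
                collection.addPattern("/ywyydsj/*");
                // HEAD and OPTIONS are on the list deliberately; be aware this also rejects
                // HEAD-based health checks and CORS pre-flight requests.
                for (String method : DENIED_METHODS) {
                    collection.addMethod(method);
                }

                SecurityConstraint constraint = new SecurityConstraint();
                // An auth-constraint with no roles is Tomcat's "deny all". The original also set
                // the CONFIDENTIAL transport guarantee, which made plain-HTTP requests redirect
                // to the HTTPS port before being denied; it is left at its default (NONE) so the
                // 403 is returned on the connector that received the request.
                constraint.setAuthConstraint(true);
                // Register the collection and the constraint exactly once; the original
                // registered both twice.
                constraint.addCollection(collection);
                context.addConstraint(constraint);

                // Session cookies are flagged HttpOnly so they are not readable from script.
                context.setUseHttpOnly(true);
            }
        };
        // Keep TRACE switched off at the connector level as well (Tomcat's default); the
        // original enabled it, which contradicted the constraint registered above.
        tomcatServletContainerFactory.addConnectorCustomizers(connector -> connector.setAllowTrace(false));
        return tomcatServletContainerFactory;
    }
}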
2.4、在 application.yml 中设置 port-header(我使用时不起作用)
# NOTE(review): the Spring Boot property that exists is `server.tomcat.port-header`
# (under `server:`, not `spring:`), and it names the request header a reverse proxy
# uses to pass the original client port (for example X-Forwarded-Port). It is not a
# list of HTTP methods, which is why this setting has no effect; method restriction
# is done by the security constraint in the TomcatConfig class above.
spring:
  tomcat:
    port-header: HEAD,PUT,DELETE,OPTIONS,TRACE,COPY,SEARCH,PROPFIND