[CVE-2003-1567] Spring Boot 2: disabling the TRACE and TRACK methods

CVE-2003-1567 was recently reported against our production system. After some searching I found that most write-ups only describe how to disable the TRACE and TRACK methods in Spring Boot 1, so I eventually worked it out myself for Spring Boot 2 and am sharing it here.

```java
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {
    @Value("${server.port}")
    private Integer port;

    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                // One security constraint covering every path; the methods listed below are denied.
                SecurityConstraint securityConstraint = new SecurityConstraint();
                // An auth constraint with no roles means "nobody is allowed", so Tomcat answers 403.
                // CONFIDENTIAL on its own only blocks these methods while no HTTPS redirect port is
                // configured; once HTTPS is set up the request would simply be redirected and served.
                securityConstraint.setAuthConstraint(true);
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                // HEAD and OPTIONS are denied here too, which is stricter than the CVE requires;
                // remove them if your clients depend on them.
                collection.addMethod("HEAD");
                collection.addMethod("PUT");
                collection.addMethod("DELETE");
                collection.addMethod("OPTIONS");
                collection.addMethod("TRACE");
                collection.addMethod("COPY");
                collection.addMethod("SEARCH");
                collection.addMethod("PROPFIND");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };
        // Keep TRACE disabled at the connector as well (this is Tomcat's default): the connector
        // then rejects TRACE with 405 before the request ever reaches the context. Setting this
        // to true would re-enable TRACE and leave only the constraint above standing in the way.
        tomcat.addConnectorCustomizers((TomcatConnectorCustomizer) connector ->
            connector.setAllowTrace(false));
        return tomcat;
    }
}
```
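As an added example (not code from the original post), a container-independent complement to the Tomcat constraint above: a servlet filter that answers 405 to TRACE and TRACK before any controller runs, so nothing from the request is ever echoed back, whichever embedded container or TLS setup is in use. It assumes Spring Boot 2's `javax.servlet` API; the class names `TraceMethodFilterConfig` and `MethodBlockingFilter` are my own.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class TraceMethodFilterConfig {

    // Methods rejected outright. TRACK is the IIS twin of TRACE; Tomcat never implements it,
    // but rejecting it here makes the answer deterministic (405) instead of a container default.
    private static final Set<String> BLOCKED =
            new HashSet<>(Arrays.asList("TRACE", "TRACK"));

    /** Hypothetical filter: rejects TRACE/TRACK on every path before servlets see the request. */
    public static final class MethodBlockingFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        FilterChain chain)
                throws ServletException, IOException {
            if (BLOCKED.contains(request.getMethod().toUpperCase())) {
                // 405 Method Not Allowed; the request body and headers are not reflected.
                response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                return;
            }
            chain.doFilter(request, response);
        }
    }

    @Bean
    public FilterRegistrationBean<MethodBlockingFilter> methodBlockingFilter() {
        FilterRegistrationBean<MethodBlockingFilter> registration =
                new FilterRegistrationBean<>(new MethodBlockingFilter());
        registration.addUrlPatterns("/*");
        // Highest precedence so the check runs ahead of Spring Security and other filters.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

With Tomcat's default `allowTrace=false` the connector already answers TRACE with 405 before this filter runs; the filter matters when that flag is flipped or when the app is deployed on Jetty or Undertow.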
