一、項目場景:
在項目測試階段,tomcat需要禁止一些不安全的請求,比如PUT、TRACE、OPTIONS等,這裡自定義springboot中的tomcat配置類,實作禁用。
二、 解決方法:
2.1、 外置的tomcat可以直接修改config.xml檔案。
2.2、1.X版本的springboot
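@Configuration
public class TomcatConfig {

    /**
     * HTTP methods that must never reach the application. HEAD is included
     * because the original configuration listed it; remove it if clients or
     * health checks rely on HEAD.
     */
    private static final String[] BLOCKED_METHODS = {
        "TRACE", "HEAD", "PUT", "DELETE", "OPTIONS",
        "COPY", "SEARCH", "PROPFIND", "CONNECT"
    };

    /**
     * Builds the embedded Tomcat factory with a deny-all security constraint
     * covering the methods in {@link #BLOCKED_METHODS} for every URL ({@code /*}).
     *
     * <p>Two details are easy to get wrong here:
     * <ul>
     *   <li>A constraint that only calls {@code setUserConstraint("CONFIDENTIAL")}
     *       does not block anything: it is a transport guarantee, so Tomcat
     *       redirects plain HTTP to the connector's redirect port and lets the
     *       request through over HTTPS. Denying a request needs an
     *       auth-constraint with no roles, which Tomcat answers with 403.</li>
     *   <li>{@code Connector.setAllowTrace(true)} turns TRACE <em>on</em> at the
     *       connector (it is off by default), so it is set to {@code false}.</li>
     * </ul>
     *
     * @return the customized embedded servlet container factory
     */
    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                for (String method : BLOCKED_METHODS) {
                    collection.addMethod(method);
                }

                SecurityConstraint constraint = new SecurityConstraint();
                constraint.addCollection(collection);
                // An auth-constraint with no roles is Tomcat's "deny everyone" rule:
                // matching requests are rejected with 403 before any servlet runs.
                constraint.setAuthConstraint(true);
                context.addConstraint(constraint);

                // Session cookie not readable from script (Tomcat's default, kept explicit).
                context.setUseHttpOnly(true);
            }
        };
        tomcat.addConnectorCustomizers(connector -> {
            // Keep TRACE disabled at the connector too, so the constraint above is a
            // second line of defence rather than the only one.
            connector.setAllowTrace(false);
        });
        return tomcat;
    }
}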
2.3、springboot 2.X版本的
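@Configuration
public class TomcatConfig {

    /** HTTP methods rejected for every URL (HEAD kept from the original list). */
    private static final String[] BLOCKED_METHODS = {
        "HEAD", "PUT", "PATCH", "DELETE", "OPTIONS",
        "TRACE", "COPY", "SEARCH", "PROPFIND"
    };

    /**
     * Builds the embedded Tomcat factory with a deny-all security constraint
     * covering the methods in {@link #BLOCKED_METHODS}.
     *
     * <p>The deny comes from {@code setAuthConstraint(true)} with no roles, which
     * Tomcat answers with 403. {@code setUserConstraint("CONFIDENTIAL")} was
     * dropped: it only forces HTTPS (redirecting plain HTTP to the connector's
     * redirect port) and does not reject anything by itself, so it added a
     * redirect step in front of the 403 without strengthening the block.
     * {@code Connector.setAllowTrace(true)} would enable TRACE at the connector
     * (off by default), so it is set to {@code false} here.
     *
     * @return the customized servlet web server factory
     */
    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityCollection collection = new SecurityCollection();
                // "/*" already matches every path; the second pattern is kept from the
                // original configuration and is redundant rather than harmful.
                collection.addPattern("/*");
                collection.addPattern("/ywyydsj/*");
                for (String method : BLOCKED_METHODS) {
                    collection.addMethod(method);
                }

                SecurityConstraint constraint = new SecurityConstraint();
                constraint.addCollection(collection);
                // Auth-constraint with no roles: Tomcat rejects matching requests with 403.
                constraint.setAuthConstraint(true);
                // Registered once; the original added the same collection and constraint
                // twice, which Tomcat stores as duplicate entries.
                context.addConstraint(constraint);

                // Session cookie not readable from script (Tomcat's default, kept explicit).
                context.setUseHttpOnly(true);
            }
        };
        // Keep TRACE disabled at the connector as well as in the constraint.
        factory.addConnectorCustomizers(connector -> connector.setAllowTrace(false));
        return factory;
    }
}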
2.4、在配置application.yml時,設定port-header(我用的時候,不起作用)
# NOTE(review): the Spring Boot property is server.tomcat.port-header and it names
# the proxy header carrying the client's original port (X-Forwarded-Port by default);
# it does not restrict HTTP methods, which is presumably why this had no effect.
# Method restrictions are done with a Tomcat SecurityConstraint as in the Java config.
spring:
  tomcat:
    port-header: HEAD,PUT,DELETE,OPTIONS,TRACE,COPY,SEARCH,PROPFIND