【发布时间】:2016-05-10 02:31:52
【问题描述】:
对于 Tomcat,禁用某些 HTTP 方法相当容易。只需添加到 web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
我如何在 spring-boot 中做同样的事情?
我尝试添加以下内容:
@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
return new EmbeddedServletContainerCustomizer() {
@Override
public void customize(ConfigurableEmbeddedServletContainer container) {
if (container.getClass().isAssignableFrom(TomcatEmbeddedServletContainerFactory.class)) {
TomcatEmbeddedServletContainerFactory tomcatContainer = (TomcatEmbeddedServletContainerFactory) container;
tomcatContainer.addContextCustomizers(new ContextSecurityCustomizer());
}
}
};
}
private static class ContextSecurityCustomizer implements TomcatContextCustomizer {
@Override
public void customize(Context context) {
SecurityConstraint constraint = new SecurityConstraint();
SecurityCollection securityCollection = new SecurityCollection();
securityCollection.setName("restricted_methods");
securityCollection.addPattern("/*");
securityCollection.addMethod(HttpMethod.DELETE.toString());
constraint.addCollection(securityCollection);
context.addConstraint(constraint);
}
}
收效甚微。 EmbeddedServletContainerCustomizer bean 已创建,但我仍然可以发出 DELETE 请求。
有什么想法吗?
【问题讨论】:
标签: java tomcat spring-boot