【问题标题】:spring-boot disable HTTP methodsspring-boot 禁用 HTTP 方法
【发布时间】:2016-05-10 02:31:52
【问题描述】:

对于 Tomcat,禁用某些 HTTP 方法相当容易。只需添加到 web.xml:

    <security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

我如何在 spring-boot 中做同样的事情?
我尝试添加以下内容:

@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
    return new EmbeddedServletContainerCustomizer() {
        @Override
        public void customize(ConfigurableEmbeddedServletContainer container) {
            if (container.getClass().isAssignableFrom(TomcatEmbeddedServletContainerFactory.class)) {
                TomcatEmbeddedServletContainerFactory tomcatContainer = (TomcatEmbeddedServletContainerFactory) container;
                tomcatContainer.addContextCustomizers(new ContextSecurityCustomizer());
            }
        }
    };
}

private static class ContextSecurityCustomizer implements TomcatContextCustomizer {
    @Override
    public void customize(Context context) {
        SecurityConstraint constraint = new SecurityConstraint();
        SecurityCollection securityCollection = new SecurityCollection();
        securityCollection.setName("restricted_methods");
        securityCollection.addPattern("/*");
        securityCollection.addMethod(HttpMethod.DELETE.toString());
        constraint.addCollection(securityCollection);
        context.addConstraint(constraint);
    }
}

收效甚微。 EmbeddedServletContainerCustomizer bean 已创建,但我仍然可以发出 DELETE 请求。
有什么想法吗?

【问题讨论】:

    标签: java tomcat spring-boot


    【解决方案1】:
    //Restrict all method except GET & POST Spring boot
    @Configuration
    public class TomcatCustomizer implements EmbeddedServletContainerCustomizer {
    
        @Override
        public void customize(ConfigurableEmbeddedServletContainer container) {
            TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
            tomcat.setSessionTimeout(8, TimeUnit.HOURS);
            tomcat.addContextCustomizers(new ContextSecurityCustomizer());
    
        }
        private static class ContextSecurityCustomizer implements TomcatContextCustomizer {
            @Override
            public void customize(Context context) {
                SecurityConstraint constraint = new SecurityConstraint();
                SecurityCollection securityCollection = new SecurityCollection();
                securityCollection.setName("restricted_methods");
                securityCollection.addPattern("/*");
                securityCollection.addOmittedMethod(HttpMethod.POST.toString());
                securityCollection.addOmittedMethod(HttpMethod.GET.toString());
                constraint.addCollection(securityCollection);
                constraint.setAuthConstraint(true);
                context.addConstraint(constraint);
            }
        }
    
    }
    

    【讨论】:

    • 虽然代码块可能提供快速解决方案,但将其分解并解释导致答案的部分会更有帮助。请添加可以教授解决方案结构的 cmets。
    【解决方案2】:

    当您忘记添加时会发生这种情况:

    constraint.setAuthConstraint(true);
    

    现在工作!

    【讨论】:

    • 你知道jetty中相当于tomcat吗?
    猜你喜欢
    • 2017-07-11
    • 1970-01-01
    • 2014-03-08
    • 1970-01-01
    • 1970-01-01
    • 2018-01-02
    • 2019-05-01
    • 2015-09-16
    • 2018-07-02
    相关资源
    最近更新 更多