(1). 首先打开cmd命令行窗口,
(2). 输入 telnet xxx.xxx.xx.xx 8080 (你的 ip + port),回车一次
(3). 输入 Ctrl + ] , 回车一次,
(4). 输入 TRACE / HTTP/1.0 , 回车一次,
(5). 输入 X-Test: abcde , 回车两次然后看输出结果
- 返回就是405 Method not Allowed, 说明TRACE方法已经关闭,
- 如果返回是200 OK,说明需要手动关闭。
解决方法:
3. 在tomcat的web.xml配置文件中加入:
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>
在springboot中,使用了自带的tomcat,则需要加入一个配置类:
@Configuration public class TomcatConfig { @Bean public TomcatServletWebServerFactory servletContainer() { TomcatServletWebServerFactory tomcatServletContainerFactory = new TomcatServletWebServerFactory() { @Override protected void postProcessContext(Context context) { SecurityConstraint constraint = new SecurityConstraint(); constraint.setUserConstraint("CONFIDENTIAL"); SecurityCollection collection = new SecurityCollection(); collection.addPattern("/*"); collection.addPattern("/ywyydsj/*"); collection.addMethod("HEAD"); collection.addMethod("PUT"); collection.addMethod("PATCH"); collection.addMethod("DELETE"); collection.addMethod("OPTIONS"); collection.addMethod("TRACE"); collection.addMethod("COPY"); collection.addMethod("SEARCH"); collection.addMethod("PROPFIND"); constraint.addCollection(collection); constraint.setAuthConstraint(true); context.addConstraint(constraint); context.setUseHttpOnly(true); constraint.addCollection(collection); context.addConstraint(constraint); } }; tomcatServletContainerFactory.addConnectorCustomizers(connector -> { connector.setAllowTrace(true); }); return tomcatServletContainerFactory; } }也可以加入一个filter类过滤掉不合法的请求方法:
import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.springframework.stereotype.Component; @Component public class HttpMethodFilter implements Filter{ @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse res = ((HttpServletResponse) response); String method=req.getMethod(); if("TRACE".equals(method)||"TRACK".equals(method)){ res.setHeader("Allow", "HEAD, DELETE, POST, GET, OPTIONS, PUT"); res.setStatus(405); return; } chain.doFilter(req, res); } @Override public void destroy() { // TODO Auto-generated method stub }}
版权声明:本文为weixin_36723134原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接和本声明。