Spring boot 内置tomcat禁止不安全HTTP方法

Spring boot 内置tomcat禁止不安全HTTP方法

在tomcat的web.xml中可以配置如下内容,让tomcat禁止不安全的HTTP方法

<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>

Spring boot使用内置tomcat,没有web.xml配置文件,可以通过以下配置进行,简单来说就是要注入到Spring容器中

@Configuration
public class TomcatConfig { @Bean
public EmbeddedServletContainerFactory servletContainer() {
TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory = new TomcatEmbeddedServletContainerFactory();
tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer(){ @Override
public void customize(Context context) {
SecurityConstraint constraint = new SecurityConstraint();
SecurityCollection collection = new SecurityCollection();
//http方法
collection.addMethod("PUT");
collection.addMethod("DELETE");
collection.addMethod("HEAD");
collection.addMethod("OPTIONS");
collection.addMethod("TRACE");
//url匹配表达式
collection.addPattern("/*");
constraint.addCollection(collection);
constraint.setAuthConstraint(true);
context.addConstraint(constraint ); //设置使用httpOnly
context.setUseHttpOnly(true); }
});
return tomcatServletContainerFactory;
} }
上一篇:apache shiro内置过滤器 标签 注解


下一篇:Spring Security(2):过滤器链(filter chain)的介绍