Background
A few days ago a scan flagged a vulnerability in the project; the description read as follows:
It said that insecure HTTP methods were enabled. The customer asked for a fix, so I changed the configuration to keep only the GET and POST requests the project uses.
Project information
- JDK 8
- SSM framework (Spring + Spring MVC + MyBatis)
- Tomcat 8.5
Configuration
Add the following to web.xml:
<!-- Deny PUT, DELETE, OPTIONS, TRACE and PATCH on every URL.
     Methods not listed here (GET, POST, HEAD, ...) are left untouched. -->
<security-constraint>
    <web-resource-collection>
        <!-- The name is only a label, but it should not be left empty -->
        <web-resource-name>blocked-http-methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>PATCH</http-method>
    </web-resource-collection>
    <!-- Empty: no role is granted access, i.e. deny to everyone -->
    <auth-constraint/>
</security-constraint>
Note that `<auth-constraint/>` must not be omitted. A security-constraint without an auth-constraint imposes no authorization at all, so the listed methods would still go through; the empty element grants the covered resources to no role, and Tomcat therefore answers PUT, DELETE, OPTIONS, TRACE and PATCH on every path with 403 Forbidden before the request ever reaches Spring's DispatcherServlet. Be aware of what this constraint does and does not do: it denies only the methods it names, so HEAD and any other verb are not covered by it (Tomcat 8.5 logs a warning about uncovered HTTP methods for such constraints at startup). If the requirement really is "only GET and POST", list the allowed methods with http-method-omission instead of enumerating the forbidden ones.
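The constraint above denies the five methods it names and nothing else. To express "only GET and POST" the way the comment intends, the Servlet 3.0+ `http-method-omission` element is the better fit: every method not omitted is covered and denied, so HEAD and unknown verbs are handled as well. This is an added example, not the configuration from the original post; it assumes the web.xml root element declares version 3.0 or later (Tomcat 8.5 implements Servlet 3.1), and the resource name is an arbitrary label.

```xml
<!-- Added example: deny every HTTP method except GET and POST on all URLs.
     Requires <web-app version="3.0"> or later (Tomcat 8.5 is Servlet 3.1). -->
<security-constraint>
    <web-resource-collection>
        <!-- Label only; any non-empty string works -->
        <web-resource-name>restrict-to-get-and-post</web-resource-name>
        <url-pattern>/*</url-pattern>
        <!-- Methods listed here are NOT covered by this constraint and
             therefore stay allowed; every other method is covered -->
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <!-- Empty auth-constraint: no role may use the covered methods,
         so Tomcat answers them with 403 Forbidden -->
    <auth-constraint/>
</security-constraint>
```

If the application or a load-balancer health check relies on HEAD, add `<http-method-omission>HEAD</http-method-omission>` alongside GET and POST. After redeploying, confirm the result with the scanner or by hand, for example `curl -i -X TRACE http://host/app/` and `curl -i -X OPTIONS http://host/app/` should return 403 while a normal GET still reaches the controllers.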