Adding a security-constraint to web.xml blocks access to all resources

Time: 2015-02-09 09:24:58

Tags: security struts web.xml weblogic-10.x security-constraint

I am trying to block unused HTTP methods (OPTIONS, TRACE, DELETE) with the web.xml security-constraint element. But it blocks all existing resources and throws a 302 response.

My web.xml is shown below.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>eServices</display-name>
  <filter>
    <filter-name>sessionvalidator</filter-name>
    <filter-class>util.SessionFilter</filter-class>
    <init-param>
      <param-name>avoid-urls</param-name>
      <param-value>/index.jsp</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>sessionvalidator</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <session-config>
    <session-timeout>120</session-timeout>
  </session-config>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <taglib>
    <taglib-uri>/dateFormat</taglib-uri>
    <taglib-location>/WEB-INF/tlds/customfunctions.tld</taglib-location>
  </taglib>
  <security-constraint>
    <display-name>Restricted</display-name>
    <web-resource-collection>
      <web-resource-name>restrictAccess</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>

This blocks all GET requests. Initially I tried adding GET, PUT, POST so that only those requests are accepted, and later I tried almost every method.

<security-constraint>
  <display-name>Restricted</display-name>
  <web-resource-collection>
    <web-resource-name>restrictAccess</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>POST</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
</security-constraint>

FYI, I am not using any roles or authentication.
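The question above is left as posted. Added here, and not part of the question nor code from WebLogic or Struts, is a small Python checker that applies the descriptor rules of the Java Servlet specification to a web.xml and reports what each security-constraint does to a given method and path: a web-resource-collection with no http-method covers every method, a listed http-method covers only those methods, an empty auth-constraint denies the covered requests to everyone, a missing auth-constraint leaves them open, and a method that no constraint covers is allowed unless the Servlet 3.1 deny-uncovered-http-methods element is present. Run over the two constraints from the question it shows that, by the specification, the first one leaves GET alone and the second one restricts nothing at all; it says nothing about why WebLogic 10.x answered 302, which the question does not resolve. The function names summarize and effect_on and the third, Servlet 3.1 style sample document are this example's own.

```python
"""Report what each <security-constraint> in a web.xml actually does.

Rules are those of the Java Servlet specification (2.3 through 3.1):
  * no <http-method> in a collection   -> every method is covered
  * one or more <http-method>          -> only those methods are covered
  * <auth-constraint/> naming no role  -> covered requests are denied to everyone
  * no <auth-constraint> at all        -> covered requests need no login
  * <role-name> entries                -> covered requests need one of those roles
  * method not covered on a matched path -> allowed, unless <web-app> contains the
    Servlet 3.1 element <deny-uncovered-http-methods/>
When several constraints match, deny wins, then "no login", then the role union.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    # Strip a namespace such as {http://java.sun.com/xml/ns/javaee}, so both
    # DTD-based (2.3) and schema-based (2.4+) descriptors are handled.
    return tag.rsplit('}', 1)[-1]


def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem):
    return (elem.text or '').strip()


def _matches(pattern, path):
    # Servlet url-pattern forms: exact, path prefix (/x/*), extension (*.ext), default (/).
    if pattern == path or pattern == '/':
        return True
    if pattern.endswith('/*'):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + '/')
    if pattern.startswith('*.'):
        return path.endswith(pattern[1:])
    return False


def summarize(xml_text):
    """One entry per <web-resource-collection>, tagged with its constraint's effect."""
    root = ET.fromstring(xml_text)
    entries = []
    for sc in _kids(root, 'security-constraint'):
        name = ''.join(_text(d) for d in _kids(sc, 'display-name')) or '(unnamed)'
        auth = _kids(sc, 'auth-constraint')
        if not auth:
            effect = 'unrestricted'          # no auth-constraint: open to everyone
        else:
            roles = [_text(r) for r in _kids(auth[0], 'role-name')]
            effect = ('roles:' + ','.join(sorted(roles))) if roles else 'deny'
        for wrc in _kids(sc, 'web-resource-collection'):
            methods = sorted(_text(m).upper() for m in _kids(wrc, 'http-method'))
            entries.append({'constraint': name,
                            'patterns': [_text(p) for p in _kids(wrc, 'url-pattern')],
                            'methods': methods or 'ALL',
                            'effect': effect})
    return {'entries': entries,
            'deny_uncovered': bool(_kids(root, 'deny-uncovered-http-methods'))}


def effect_on(report, method, path):
    """Outcome for `method path`: 'deny', 'allow' or 'roles:<comma-separated list>'."""
    method = method.upper()
    on_path = [e for e in report['entries'] if any(_matches(p, path) for p in e['patterns'])]
    hits = [e for e in on_path if e['methods'] == 'ALL' or method in e['methods']]
    if not hits:
        # Path constrained but this method not listed: uncovered method.
        return 'deny' if (on_path and report['deny_uncovered']) else 'allow'
    effects = {e['effect'] for e in hits}
    if 'deny' in effects:
        return 'deny'
    if 'unrestricted' in effects:
        return 'allow'
    roles = sorted({r for eff in effects for r in eff[len('roles:'):].split(',')})
    return 'roles:' + ','.join(roles)


# Constructed samples: the two constraints from the question, reduced to the
# elements that matter, plus a third document written here for illustration.
BLOCK_METHODS = """<web-app>
  <security-constraint>
    <display-name>Restricted</display-name>
    <web-resource-collection>
      <web-resource-name>restrictAccess</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

ALLOW_METHODS = """<web-app>
  <security-constraint>
    <display-name>Restricted</display-name>
    <web-resource-collection>
      <web-resource-name>restrictAccess</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

ROLE_SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <deny-uncovered-http-methods/>
</web-app>"""

if __name__ == '__main__':
    for label, doc in (('question, first try', BLOCK_METHODS),
                       ('question, second try', ALLOW_METHODS),
                       ('3.1 sample', ROLE_SAMPLE)):
        report = summarize(doc)
        print(label)
        for m in ('GET', 'OPTIONS', 'TRACE'):
            print('  %-7s /index.jsp -> %s' % (m, effect_on(report, m, '/index.jsp')))
```

Running it prints, for the first constraint from the question, GET allowed and OPTIONS and TRACE denied, and for the second constraint every method allowed: the second snippet lists methods but has no auth-constraint, so the listed methods are simply unconstrained and the unlisted ones are uncovered. The third document shows the two remaining cases, a role requirement and the 3.1 deny-uncovered rule, which turns the unlisted TRACE on /admin/* into a denial.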

0 answers:

No answers