Spring HandlerInterceptor does not intercept methods other than GET and POST

Time: 2015-10-06 09:45:24

Tags: java spring spring-mvc tomcat

My goal is to disallow the OPTIONS, PUT and DELETE HTTP methods, as recommended by a security test.

INTRO

I have a Spring application. I do have Spring Security embedded.

TRY-1

I tried adding a <security-constraint> in web.xml, ref - http://www.techstacks.com/howto/disable-http-methods-in-tomcat.html

This works, but it returns an invalid response header.

RESPONSE

> Status : 403
> Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS

As shown above, the Allow response header should not be returned.

TRY-2

So I tried adding a HandlerInterceptor

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

public class HTTPMethodInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // Reject the methods the security test flagged before the handler runs
        if (request.getMethod().equalsIgnoreCase("options") ||
                request.getMethod().equalsIgnoreCase("put") ||
                request.getMethod().equalsIgnoreCase("delete")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized Request");
            return false;
        }
        return true;
    }

    @Override
    public void afterCompletion(HttpServletRequest arg0,
            HttpServletResponse arg1, Object arg2, Exception arg3)
            throws Exception {
    }

    @Override
    public void postHandle(HttpServletRequest arg0, HttpServletResponse arg1,
            Object arg2, ModelAndView arg3) throws Exception {
    }
}

EDIT

Registered in springConfig via

<mvc:interceptors>
  <bean class="com.HTTPMethodInterceptor" />
</mvc:interceptors>

This preHandle is working for the "GET" and "POST" methods, but it does not work for the rest of the methods.

If my understanding is wrong, please correct me. Please excuse me if this is a duplicate.

1 answer:

Answer 0 (score: 0)

I used a CSRF request matcher to do this trick, and it works fine.

Create the request matcher as follows

import javax.servlet.http.HttpServletRequest;

public class SecurityRequestMatcher implements org.springframework.security.web.util.matcher.RequestMatcher {
    public static final String OPTIONS = "options";
    public static final String DELETE = "delete";
    public static final String PUT = "PUT";

    @Override
    public boolean matches(HttpServletRequest request) {
        // Requests with these methods are routed through the CSRF check
        if (request.getMethod().equalsIgnoreCase(OPTIONS) ||
                request.getMethod().equalsIgnoreCase(DELETE) ||
                request.getMethod().equalsIgnoreCase(PUT)) {
            return true;
        }
        return false;
    }
}

Spring config as

<bean id="securityRequestMatcher"
      class="com.SecurityRequestMatcher"/>
<security:http>
    <security:csrf request-matcher-ref="securityRequestMatcher"/>
</security:http>

And bingo :D