spring-boot禁用HTTP方法

时间:2016-02-01 15:13:22

标签: java tomcat spring-boot

对于Tomcat,禁用某些HTTP方法相当容易。只需添加到web.xml:

    <security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

我如何在spring-boot中做同样的事情?
我尝试添加以下内容:

@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
    return new EmbeddedServletContainerCustomizer() {
        @Override
        public void customize(ConfigurableEmbeddedServletContainer container) {
            if (container.getClass().isAssignableFrom(TomcatEmbeddedServletContainerFactory.class)) {
                TomcatEmbeddedServletContainerFactory tomcatContainer = (TomcatEmbeddedServletContainerFactory) container;
                tomcatContainer.addContextCustomizers(new ContextSecurityCustomizer());
            }
        }
    };
}

private static class ContextSecurityCustomizer implements TomcatContextCustomizer {
    @Override
    public void customize(Context context) {
        SecurityConstraint constraint = new SecurityConstraint();
        SecurityCollection securityCollection = new SecurityCollection();
        securityCollection.setName("restricted_methods");
        securityCollection.addPattern("/*");
        securityCollection.addMethod(HttpMethod.DELETE.toString());
        constraint.addCollection(securityCollection);
        context.addConstraint(constraint);
    }
}

收效甚微。创建了EmbeddedServletContainerCustomizer bean,但我仍然可以发出DELETE请求。
有什么想法吗?

2 个答案:

答案 0 :(得分:1)

当您忘记添加时会发生这种情况:

constraint.setAuthConstraint(true);

立即行动!

答案 1 :(得分:1)

//Restrict all method except GET & POST Spring boot
@Configuration
public class TomcatCustomizer implements EmbeddedServletContainerCustomizer {

    @Override
    public void customize(ConfigurableEmbeddedServletContainer container) {
        TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
        tomcat.setSessionTimeout(8, TimeUnit.HOURS);
        tomcat.addContextCustomizers(new ContextSecurityCustomizer());

    }
    private static class ContextSecurityCustomizer implements TomcatContextCustomizer {
        @Override
        public void customize(Context context) {
            SecurityConstraint constraint = new SecurityConstraint();
            SecurityCollection securityCollection = new SecurityCollection();
            securityCollection.setName("restricted_methods");
            securityCollection.addPattern("/*");
            securityCollection.addOmittedMethod(HttpMethod.POST.toString());
            securityCollection.addOmittedMethod(HttpMethod.GET.toString());
            constraint.addCollection(securityCollection);
            constraint.setAuthConstraint(true);
            context.addConstraint(constraint);
        }
    }

}
相关问题
最新问题