如果我们不需要在我们的应用程序中使用它,安全部门会要求我们禁止DELETE和其他一些http请求方法。在SpringMVC我可以在security-constraint中添加web.xml,如下所示:
<security-constraint>
<display-name>delete-method</display-name>
<web-resource-collection>
<web-resource-name>unsafe-method</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint/>
但我不知道如何添加Springboot。服务器为tomcat8.x并在CentOS上运行。
答案 0 :(得分:1)
您可以使用CORS过滤器。您可以在那里指定允许的HTTP请求类型。
来自the Spring docs的示例:
<mvc:cors>
<mvc:mapping path="/api/**"
allowed-origins="http://domain1.com, http://domain2.com"
allowed-methods="GET, PUT"
allowed-headers="header1, header2, header3"
exposed-headers="header1, header2" allow-credentials="false"
max-age="123" />
<mvc:mapping path="/resources/**"
allowed-origins="http://domain1.com" />
</mvc:cors>
或
您可以使用Java。
@Component
public class CorsFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "authorization, content-type, xsrf-token");
response.addHeader("Access-Control-Expose-Headers", "xsrf-token");
if ("OPTIONS".equals(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
filterChain.doFilter(request, response);
}
}
}