微服务

spring boot使用内嵌的tomcat解决不安全的HTTP

2018-05-02  本文已影响1137人  爱的旋转体

一:传统Web项目的解决方案:
在tomcat的web.xml配置文件中,对不安全的方法进行拦截:

<security-constraint>  
            <web-resource-collection>  
                <url-pattern>/*</url-pattern>  
                <http-method>HEAD</http-method>  
                <http-method>PUT</http-method>  
                <http-method>DELETE</http-method>  
                <http-method>OPTIONS</http-method>  
                <http-method>TRACE</http-method>  
                <http-method>COPY</http-method>  
                <http-method>SEARCH</http-method>  
                <http-method>PROPFIND</http-method>  
            </web-resource-collection>  
            <auth-constraint>  
            </auth-constraint>  
</security-constraint>  

如果需要禁用TRACE请求,还需要修改tomcat的server.xml配置文件(在server.xml中先允许TRACE请求,再在web.xml中禁用TRACE):

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" allowTrace="true"
               redirectPort="8443" />

二:spring boot的解决方案:
1.众所周知,spring boot的容器是内嵌的,是没有web.xml给我们配置的,所有的配置都是在properties文件中进行配置的,所以我们的思路也是在properties文件中增加tomcat的相关配置。

#解决不安全的HTTP方法漏洞  
server.tomcat.port-header=HEAD,PUT,DELETE,OPTIONS,TRACE,COPY,SEARCH,PROPFIND  

2.代码的方式增加tomcat的配置(本人测试上面配置文件方式不生效,这种方式可以,如有不同看法请留言),代码如下:

package com.xzp;

import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.session.SessionAutoConfiguration;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.cloud.client.circuitbreaker.EnableCircuitBreaker;
import org.springframework.cloud.netflix.feign.EnableFeignClients;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
import org.springframework.context.annotation.Bean;

@SpringBootApplication(exclude = { SessionAutoConfiguration.class })
@EnableZuulProxy
public class ApiGatewayServerApplictation {

    public static void main(String[] args) {
        SpringApplication.run(ApiGatewayServerApplictation.class, args);
    }
    //主要是以下代码:
    @Bean  
    public EmbeddedServletContainerFactory servletContainer() {  
        TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory() {// 1  
            protected void postProcessContext(Context context) {  
                SecurityConstraint securityConstraint = new SecurityConstraint();  
                securityConstraint.setUserConstraint("CONFIDENTIAL");  
                SecurityCollection collection = new SecurityCollection();  
                collection.addPattern("/*");  
                collection.addMethod("HEAD");  
                collection.addMethod("PUT");  
                collection.addMethod("DELETE");  
                collection.addMethod("OPTIONS");  
                collection.addMethod("TRACE");  
                collection.addMethod("COPY");  
                collection.addMethod("SEARCH");  
                collection.addMethod("PROPFIND");  
                securityConstraint.addCollection(collection);  
                context.addConstraint(securityConstraint);  
            }  
        };  
        //如果需要禁用TRACE请求,需添加以下代码:
        tomcat.addConnectorCustomizers(connector -> {
            connector.setAllowTrace(true);
        });
        return tomcat;  
    }  

}

上一篇下一篇

猜你喜欢

热点阅读