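The root cause of this problem is an upgrade of the HTTP protocol: because network security problems are becoming increasingly serious, the RFC organization decided to split RFC 2616 and upgrade it.
After the split, RFC 2616 became: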
- RFC7230 - HTTP/1.1: Message Syntax and Routing - low-level message parsing and connection management
- RFC7231 - HTTP/1.1: Semantics and Content - methods, status codes and headers
- RFC7232 - HTTP/1.1: Conditional Requests - e.g., If-Modified-Since
- RFC7233 - HTTP/1.1: Range Requests - getting partial content
- RFC7234 - HTTP/1.1: Caching - browser and intermediary caches
- RFC7235 - HTTP/1.1: Authentication - a framework for HTTP authentication
The problem discussed today is related to the RFCs above, and also involves one more specification:
RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax
To prevent SQL injection, the new RFCs treat | as an illegal path character.
The fix is as follows:
Undertow RFC 7230 and RFC 3986 compatibility
Code:
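```java
import io.undertow.UndertowOptions;
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
import org.springframework.context.annotation.Bean;

// Declare this method inside a @Configuration class.
@Bean
public ConfigurableServletWebServerFactory webServerFactory() {
    UndertowServletWebServerFactory factory = new UndertowServletWebServerFactory();
    // URL configuration: accept characters such as | that arrive without percent-encoding
    factory.addBuilderCustomizers(builder ->
            builder.setServerOption(UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL, Boolean.TRUE));
    // Accept an unescaped '=' inside unquoted cookie values
    factory.addBuilderCustomizers(builder ->
            builder.setServerOption(UndertowOptions.ALLOW_EQUALS_IN_COOKIE_VALUE, Boolean.TRUE));
    // Decode %2F in the request path
    factory.addBuilderCustomizers(builder ->
            builder.setServerOption(UndertowOptions.ALLOW_ENCODED_SLASH, Boolean.TRUE));
    return factory;
}
```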
Reference: https://my.oschina.net/qinerg/blog/3122953
Fix for Tomcat:
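```java
import org.apache.catalina.connector.Connector;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
import org.springframework.context.annotation.Bean;

// Declare this method inside a @Configuration class.
@Bean
public ConfigurableServletWebServerFactory webServerFactory() {
    TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
    factory.addConnectorCustomizers(new TomcatConnectorCustomizer() {
        @Override
        public void customize(Connector connector) {
            // Accept these characters unencoded; relaxedQueryChars covers the query string only
            connector.setProperty("relaxedQueryChars", "|{}[]");
        }
    });
    return factory;
}
```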
Reference: https://stackoverflow.com/questions/46251131/invalid-character-found-in-the-request-target-in-spring-boot
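
The server options above relax request parsing; the alternative that keeps strict RFC 7230 / RFC 3986 parsing enabled is for the client to percent-encode the rejected characters before sending. The following is an added example, not code from the original post or the referenced answers; the class name `Rfc3986TargetEncoder` and the sample request targets are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;

// Hypothetical helper class (added example, not part of the original post).
public class Rfc3986TargetEncoder {
    // RFC 3986 unreserved + sub-delims + ":" "@" (pchar), plus "/" and "?",
    // which may appear literally in a path or query.
    private static final String ALLOWED =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            + "-._~!$&'()*+,;=:@/?";

    private static boolean isHex(char c) {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
    }

    /** Percent-encodes everything RFC 3986 does not allow in a path or query. */
    static String encode(String target) {
        StringBuilder out = new StringBuilder();
        int i = 0;
        while (i < target.length()) {
            int cp = target.codePointAt(i);
            // A '%' followed by two hex digits is an existing escape: do not double-encode it.
            boolean escape = cp == '%' && i + 2 < target.length()
                    && isHex(target.charAt(i + 1)) && isHex(target.charAt(i + 2));
            if (escape || (cp < 128 && ALLOWED.indexOf(cp) >= 0)) {
                out.appendCodePoint(cp);
            } else {
                // Illegal character (|, {, }, [, ], ", a lone %, non-ASCII, ...): emit %XX per UTF-8 byte.
                byte[] utf8 = new String(Character.toChars(cp)).getBytes(StandardCharsets.UTF_8);
                for (byte b : utf8) {
                    out.append(String.format("%%%02X", b & 0xFF));
                }
            }
            i += Character.charCount(cp);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample request targets, not taken from the original post.
        String[] samples = {
            "/search?filter=a|b&range=[1,5]",
            "/api/items?q={\"k\":1}",
            "/a%7Cb?note=100%",
        };
        for (String s : samples) {
            System.out.println(s + " -> " + encode(s));
        }
    }
}
```

Apply it to a complete request target whose delimiters are already in place; a parameter value that itself contains `&` or `=` still needs component-level encoding before the target is assembled.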