Remote WWW service supports TRACE requests


TOMCAT

  • In Tomcat's web.xml configuration file, intercept the unsafe methods by disabling the TRACE, HEAD, PUT, DELETE and OPTIONS request methods:
<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- An empty auth-constraint means no role may access these methods,
         so Tomcat rejects them with 403 Forbidden -->
    <auth-constraint>
    </auth-constraint>
</security-constraint>
  • In Tomcat, first allow TRACE requests in server.xml and then disable TRACE in web.xml; this is how TRACE gets disabled (this is how most people online implement it, and I still don't understand why):
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" allowTrace="true"
           redirectPort="8443" />
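A small audit script that checks whether a web.xml actually blocks the methods listed above. It is added here as an example and is not from the original post; the three web.xml snippets inside it are constructed. It encodes the rule Tomcat applies: a <security-constraint> denies a method for everyone only when it carries an <auth-constraint> with no <role-name> children, so a constraint that merely sets a transport-guarantee (or that lists roles) is reported as not blocking anything.

```python
"""Audit a Tomcat web.xml for a security constraint that blocks unsafe HTTP methods."""
import xml.etree.ElementTree as ET

# The methods the configuration above sets out to block.
UNSAFE_METHODS = frozenset({"TRACE", "HEAD", "PUT", "DELETE", "OPTIONS"})


def _local(tag):
    """Strip a namespace prefix such as '{http://xmlns.jcp.org/xml/ns/javaee}' from a tag."""
    return tag.rsplit("}", 1)[-1]


def denied_methods(web_xml, url_pattern="/*"):
    """Return the HTTP methods that web.xml denies to every caller for url_pattern.

    Tomcat denies a request only when the matching <security-constraint> has an
    <auth-constraint> with no <role-name> children. A constraint with no
    <auth-constraint> (e.g. one that only sets a transport-guarantee) or one that
    lists roles does not block the method outright, so it is not counted.
    """
    root = ET.fromstring(web_xml)
    denied = set()
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        auth = [c for c in constraint if _local(c.tag) == "auth-constraint"]
        if not auth:
            continue  # nothing denied: transport guarantee only
        if any(_local(r.tag) == "role-name" for a in auth for r in a):
            continue  # restricted to roles, not a blanket denial
        for wrc in constraint:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = {p.text.strip() for p in wrc
                        if _local(p.tag) == "url-pattern" and p.text}
            if url_pattern not in patterns:
                continue
            for m in wrc:
                if _local(m.tag) == "http-method" and m.text:
                    denied.add(m.text.strip().upper())
    return denied


def still_allowed(web_xml, methods=UNSAFE_METHODS):
    """Return the unsafe methods that web_xml leaves reachable on /*."""
    return set(methods) - denied_methods(web_xml)


# Constructed sample: a web.xml with no method constraints at all.
WEB_XML_WEAK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>demo</display-name>
</web-app>"""

# Constructed sample: a common mistake, the constraint only forces HTTPS and
# has no <auth-constraint>, so TRACE is redirected but never blocked.
WEB_XML_MISCONFIGURED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: the constraint shown above, with an empty <auth-constraint/>.
WEB_XML_HARDENED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEB_XML_WEAK), ("misconfigured", WEB_XML_MISCONFIGURED),
                      ("hardened", WEB_XML_HARDENED)):
        left = sorted(still_allowed(xml))
        print(f"{name:14s} still allowed on /*: {left or 'none'}")
```

Run it against a deployed application's WEB-INF/web.xml before and after the change; the hardened sample is the only one that reports no unsafe method left on /*. The check only looks at the /* pattern, so constraints scoped to narrower patterns are deliberately not credited.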

SpringBoot

  • TomcatConfig.java
import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Spring Boot 1.x embedded-Tomcat configuration (these classes were replaced
// by TomcatServletWebServerFactory in Spring Boot 2.x).
@Configuration
public class TomcatConfig {

    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory = new TomcatEmbeddedServletContainerFactory();
        tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer() {
            @Override
            public void customize(Context context) {
                // Programmatic equivalent of the web.xml <security-constraint> above.
                SecurityConstraint securityConstraint = new SecurityConstraint();
                // An auth constraint with no roles is the same as an empty
                // <auth-constraint/>: nobody may use the listed methods, so Tomcat
                // answers 403. (setUserConstraint("CONFIDENTIAL") on its own would
                // only redirect these requests to HTTPS, not block them.)
                securityConstraint.setAuthConstraint(true);

                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                collection.addMethod("HEAD");
                collection.addMethod("PUT");
                collection.addMethod("DELETE");
                collection.addMethod("OPTIONS");
                collection.addMethod("TRACE");
                collection.addMethod("COPY");
                collection.addMethod("SEARCH");
                collection.addMethod("PROPFIND");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        });

        // Connector-level TRACE handling: allowTrace(true) lets TRACE reach the
        // context so the constraint above is what rejects it, mirroring the
        // server.xml + web.xml approach in the Tomcat section.
        tomcatServletContainerFactory.addConnectorCustomizers(connector -> {
            connector.setAllowTrace(true);
        });
        return tomcatServletContainerFactory;
    }
}
