springboot2禁止内置Tomcat不安全的HTTP方法

多云几多

于 2023-02-20 15:23:56 发布

阅读量447

点赞数

CC 4.0 BY-SA版权

分类专栏： spring boot 文章标签： java spring

本文链接：https://blog.youkuaiyun.com/Leisurelyc/article/details/129125171

spring boot 专栏收录该内容

8 篇文章

订阅专栏

该代码示例展示了在SpringBoot应用中如何配置TomcatServletWebServerFactory，添加安全约束以限制对特定HTTP方法的访问，如PUT、DELETE等，并启用TRACE方法。同时，设置使用HTTPOnlycookie并控制访问路径。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

@Configuration
public class TomcatConfig {
	@Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcatServletContainerFactory = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityConstraint constraint = new SecurityConstraint();
                constraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                collection.addPattern("/ywyydsj/*");
                collection.addMethod("HEAD");
                collection.addMethod("PUT");
                collection.addMethod("PATCH");
                collection.addMethod("DELETE");
                collection.addMethod("OPTIONS");
                collection.addMethod("TRACE");
                collection.addMethod("COPY");
                collection.addMethod("SEARCH");
                collection.addMethod("PROPFIND");
                constraint.addCollection(collection);
                constraint.setAuthConstraint(true);
                context.addConstraint(constraint);
                context.setUseHttpOnly(true);
                constraint.addCollection(collection);
                context.addConstraint(constraint);
            }
        };
        tomcatServletContainerFactory.addConnectorCustomizers(connector -> {
            connector.setAllowTrace(true);
        });
        return tomcatServletContainerFactory;
    }
}