参考:

学习-Springboot禁止内置Tomcat不安全的HTTP方法_liutinghui989的博客-CSDN博客

在此省略起因,过程,反正领导让研究咱就研究。

代码:

package com.yunan.framework.config;

import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

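/**
 * Embedded-Tomcat configuration that (1) registers a security constraint rejecting a
 * deny-list of HTTP methods on every URL and (2) opens an additional connector on the
 * port given by the {@code http.port} property.
 *
 * <p>The deny-list only covers the methods named in {@link #BLOCKED_METHODS}; any other
 * extension method is not matched by this constraint. If the goal is "only GET/POST",
 * an allow-list built with {@code SecurityCollection.addOmittedMethod(...)} is the
 * stricter alternative.
 */
@Configuration
public class HttpConfig {
   /**
    * HTTP methods the constraint applies to.
    * NOTE(review): HEAD is included; confirm that no load balancer or monitoring probe
    * depends on it before deploying.
    */
   private static final String[] BLOCKED_METHODS = {
      "HEAD", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE", "COPY", "SEARCH", "PROPFIND"
   };

   /** Port of the additional connector; no default is given, so {@code http.port} must be defined. */
   @Value("${http.port}")
   private int httpPort;

   /**
    * Builds the Tomcat factory with the method-blocking constraint and the extra connector.
    *
    * @return the customised servlet web server factory
    */
   @Bean
   public ServletWebServerFactory servletContainer() {
      TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
         @Override
         protected void postProcessContext(Context context) {
            SecurityCollection collection = new SecurityCollection();
            collection.addPattern("/*");
            for (String method : BLOCKED_METHODS) {
               collection.addMethod(method);
            }

            SecurityConstraint constraint = new SecurityConstraint();
            // Transport guarantee: matching requests must arrive over a secure connector.
            // NOTE(review): Tomcat evaluates the transport guarantee before the auth
            // constraint, so on the plain-HTTP connector a blocked method may be answered
            // with a redirect to the connector's redirectPort rather than a denial - verify
            // the status code actually returned on each port.
            constraint.setUserConstraint("CONFIDENTIAL");
            // Auth constraint enabled with no roles added: no caller is authorised, so
            // matching requests are expected to be rejected (403).
            constraint.setAuthConstraint(true);
            constraint.addCollection(collection);

            // Register once; the original registered the same collection and constraint
            // twice, which added nothing.
            context.addConstraint(constraint);

            // Session cookies are flagged HttpOnly; independent of the method filtering.
            context.setUseHttpOnly(true);
         }
      };
      tomcat.addAdditionalTomcatConnectors(createStandardConnector());
      // allowTrace=true stops the connector from short-circuiting TRACE with its own 405
      // response, so TRACE reaches the security constraint above like the other methods.
      // This makes the constraint the ONLY thing blocking TRACE: if "TRACE" is ever dropped
      // from BLOCKED_METHODS or the constraint is removed, TRACE becomes usable.
      // NOTE(review): connector customizers are applied to the primary connector; the
      // connector added via addAdditionalTomcatConnectors presumably keeps the default
      // allowTrace=false, so TRACE responses can differ between the two ports - confirm.
      tomcat.addConnectorCustomizers(connector -> connector.setAllowTrace(true));
      return tomcat;
   }

   /**
    * Creates the additional NIO HTTP/1.1 connector bound to {@link #httpPort}.
    * No scheme, TLS or redirect settings are changed here, so Tomcat's defaults apply.
    *
    * @return the configured connector
    */
   private Connector createStandardConnector() {
      Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
      connector.setPort(this.httpPort);
      return connector;
   }
}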

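结果:用 JMeter 发送 OPTIONS 请求进行测试(TRACE 请求的返回与其他方法略有出入)。出入的原因可能是:addConnectorCustomizers 只作用于主连接器,额外添加的 HTTP 连接器仍保持默认的 allowTrace=false,TRACE 在到达安全约束之前就被 Tomcat 直接以 405 拒绝;建议在两个端口上分别验证各方法返回的状态码。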

至此,我认为这次研究可以告一段落了;原理上仍有不理解的地方,先做到让自己信服就可以了(捂脸)。
