远端WWW服务支持TRACE请求


TOMCAT

  • 在 tomcat 的 web.xml 配置文件中，通过 security-constraint 拦截不需要的 HTTP 方法，禁用 TRACE、HEAD、PUT、DELETE、OPTIONS 请求方式。注意这是黑名单：未列出的方法（GET、POST 等）照常放行；另外 HEAD 常被负载均衡/健康检查使用，OPTIONS 是 CORS 预检请求所必需，确认应用不依赖它们后再一并禁用：
<!-- Deny-list for the whole application ("/*"): a request using one of the
     listed methods is refused. The empty <auth-constraint/> means "no role is
     allowed", which Tomcat turns into a 403. Methods not listed here (GET,
     POST, ...) are unaffected.
     NOTE(review): HEAD is used by many health checks / load balancers and
     OPTIONS by CORS preflight; confirm the application does not need them.
     NOTE(review): on Servlet 3.1+ an allow-list (<http-method-omission> for
     GET/POST, everything else denied) also covers verbs not named here. -->
<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>TRACE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>HEAD</http-method>
        <http-method>DELETE</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <!-- empty: nobody is authorised for the methods above -->
    <auth-constraint/>
</security-constraint>
  • 不要在 server.xml 的 Connector 上设置 allowTrace="true"。Tomcat 的 allowTrace 默认就是 false，连接器层会直接拒绝 TRACE（通常返回 405）；把它改成 true 等于在连接器层重新打开 TRACE，此后只剩 web.xml 里的 security-constraint（返回 403）在挡，任何一个没有配置这条约束的 Context 都会把 TRACE 放行。网上常见的“先在 server.xml 允许、再在 web.xml 禁用”写法，效果只是把拒绝响应从 405 换成 403，既不必要也削弱了纵深防御。建议显式保持 allowTrace="false"（或不写该属性），并保留 web.xml 的约束作为第二道防线：
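<!-- allowTrace defaults to false; it is written out here so the intent is
     visible. The original snippet set it to "true", which re-enabled TRACE at
     the connector and left the web.xml security-constraint as the only
     barrier. Keep the connector refusing TRACE and treat web.xml as a second
     layer, not the first. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" allowTrace="false"
               redirectPort="8443" />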

SpringBoot

  • TomcatConfig.java
import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

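/**
 * Embedded-Tomcat hardening for Spring Boot 1.x: refuses HTTP methods the
 * application does not serve (TRACE, WebDAV verbs, ...) for every URL and
 * keeps TRACE switched off at the connector level as well.
 *
 * <p>NOTE(review): this is the Spring Boot 1.x API
 * ({@code EmbeddedServletContainerFactory} / {@code TomcatEmbeddedServletContainerFactory});
 * Spring Boot 2.x replaced these with {@code TomcatServletWebServerFactory},
 * so the same two customizers have to be ported there.
 */
@Configuration
public class TomcatConfig {

    /**
     * Methods rejected for every URL ("/*").
     *
     * <p>NOTE(review): HEAD is commonly used by load balancers / health checks
     * and OPTIONS by CORS preflight; confirm the application can live without
     * them before keeping them in this list.
     */
    private static final String[] DENIED_METHODS = {
            "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "COPY", "SEARCH", "PROPFIND"};

    /**
     * Builds the embedded Tomcat factory with the deny-list constraint and
     * TRACE disabled on every connector.
     *
     * @return the customised factory Spring Boot uses to start Tomcat
     */
    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
        factory.addContextCustomizers(TomcatConfig::denyUnsafeMethods);
        // Keep TRACE off at the connector. Tomcat's default is already false;
        // the original code set it to true, which *enabled* TRACE on the
        // connector and left the security constraint above as the only thing
        // between a TRACE request and an echoed response.
        factory.addConnectorCustomizers(connector -> connector.setAllowTrace(false));
        return factory;
    }

    /**
     * Registers a deny-all security constraint for {@link #DENIED_METHODS}.
     *
     * <p>This is the programmatic equivalent of a web.xml
     * {@code <security-constraint>} with an empty {@code <auth-constraint/>}:
     * {@code setAuthConstraint(true)} with no roles means "nobody is
     * authorised", so Tomcat answers 403. Tomcat's {@code SecurityConstraint}
     * has the auth constraint switched off by default, so without this call
     * the original code carried no authorisation rule at all; its
     * {@code setUserConstraint("CONFIDENTIAL")} only made Tomcat redirect the
     * listed methods to HTTPS instead of refusing them, which is why that
     * call is dropped here. Methods not in the list (GET, POST, ...) are
     * untouched.
     *
     * @param context the embedded Tomcat context being prepared
     */
    private static void denyUnsafeMethods(Context context) {
        SecurityCollection collection = new SecurityCollection();
        collection.addPattern("/*");
        for (String method : DENIED_METHODS) {
            collection.addMethod(method);
        }
        SecurityConstraint constraint = new SecurityConstraint();
        constraint.setAuthConstraint(true); // no roles -> deny everyone
        constraint.addCollection(collection);
        context.addConstraint(constraint);
    }
}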

.end

原文地址:https://www.cnblogs.com/maggieq8324/p/13429957.html