Java embedded Jetty is accepting the HTTP TRACE method

Mic*_* N. 6 | tags: spring, trace, http, jetty, embedded-jetty

I am trying to disable the HTTP TRACE method in embedded Jetty. According to the Jetty documentation, HTTP TRACE is disabled by default, but for the embedded server it is still enabled. I tried to disable TRACE as a security constraint, the way it is done in jetty.xml.

    // imports used below: org.eclipse.jetty.util.security.Constraint,
    // org.eclipse.jetty.security.ConstraintMapping, org.eclipse.jetty.security.ConstraintSecurityHandler
    ServletContextHandler servletHandler = new ServletContextHandler(ServletContextHandler.SESSIONS | ServletContextHandler.SECURITY);
    servletHandler.setClassLoader(Server.class.getClassLoader());
    servletHandler.setContextPath("/");
    servletHandler.addEventListener(new ContextLoaderListener());
    servletHandler.addServlet(new ServletHolder(new CXFServlet()), "/*");
    servletHandler.setInitParameter("contextClass", AnnotationConfigWebApplicationContext.class.getName());
    servletHandler.setInitParameter("contextConfigLocation", BeansConfig.class.getName());
    servletHandler.setInitParameter("javax.ws.rs.Application", DispatcherConfig.class.getName());

    /*
     * Programmatic equivalent of the web.xml / jetty.xml constraint:
     * <security-constraint>
     * <web-resource-collection>
     * <web-resource-name>Disable TRACE</web-resource-name>
     * <url-pattern>/</url-pattern>
     * <http-method>TRACE</http-method>
     * </web-resource-collection>
     * <auth-constraint/>
     * </security-constraint>
     */
    Constraint constraint = new Constraint();
    constraint.setName("Disable TRACE");

    ConstraintMapping mapping = new ConstraintMapping();
    mapping.setConstraint(constraint);
    mapping.setMethod("TRACE");
    mapping.setPathSpec("/"); // this did not work; neither did mapping.setPathSpec("/*")

    ConstraintSecurityHandler securityHandler = (ConstraintSecurityHandler) servletHandler.getSecurityHandler();
    securityHandler.addConstraintMapping(mapping);

Sample output from soapUI (the server still reflects the TRACE request back):

HTTP/1.1 200 OK
Content-Type: message/http
Content-Length: 143
Server: Jetty(9.0.6.v20130930)

TRACE / HTTP/1.1
Connection: keep-alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Host: 192.168.33.115
Accept-Encoding: gzip,deflate

小智 7

Extending the Server class and overriding the handle() method worked best for me.

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.HttpChannel;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.Server;

// Jetty 9.0.x/9.1.x: Server.handle(HttpChannel<?>) is the entry point for every request,
// so rejecting TRACE here blocks it before any context, security handler or servlet runs.
public class MyServer extends Server {

    @Override
    public void handle(HttpChannel<?> connection) throws IOException, ServletException {
        Request request = connection.getRequest();
        Response response = connection.getResponse();

        if ("TRACE".equals(request.getMethod())) {
            // Mark the request as handled so nothing downstream writes a reflected body.
            request.setHandled(true);
            response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        } else {
            super.handle(connection);
        }
    }
}


Jan*_*Jan 4

On your Constraint object you need to call setAuthenticate(true), and make sure you do not call setRoles(String[]). That makes it the equivalent of a <security-constraint> with an empty <auth-constraint>, which forbids access.

The reason this works with the DefaultServlet and not with the CXFServlet is that the DefaultServlet explicitly rejects the TRACE method.
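The following is an added example, not code from the question or either answer, that puts the second answer's advice (setAuthenticate(true), no roles, "/*" path spec) into a complete embedded server and then checks the result with a raw-socket TRACE request, which is the same check you would run against the Server subclass from the first answer. It assumes Jetty 9.x with javax.servlet on the classpath; the HelloServlet is a stand-in for the CXFServlet and relies on the fact that javax.servlet.http.HttpServlet's inherited doTrace() reflects the request line and headers back, which is why a plain servlet behind an ineffective constraint answers TRACE with 200 and message/http.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;

/** Added example (not from the page): TRACE forbidden by a Jetty security constraint, plus a probe. */
public class DisableTraceExample {

    /** Assumption: a plain HttpServlet stands in for CXFServlet. Its inherited doTrace() echoes the request. */
    static class HelloServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().print("hello");
        }
    }

    /** Context with the corrected constraint: authenticate=true and no roles means "forbidden". */
    static ServletContextHandler buildContext() {
        ServletContextHandler context = new ServletContextHandler(
                ServletContextHandler.SESSIONS | ServletContextHandler.SECURITY);
        context.setContextPath("/");
        context.addServlet(new ServletHolder(new HelloServlet()), "/*");

        Constraint constraint = new Constraint();
        constraint.setName("Disable TRACE");
        constraint.setAuthenticate(true);   // the call missing from the question
        // deliberately no constraint.setRoles(...): an empty role set turns this into a deny

        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(constraint);
        mapping.setMethod("TRACE");
        mapping.setPathSpec("/*");          // "/*" matches every path; "/" is only the default-servlet mapping

        ConstraintSecurityHandler security = (ConstraintSecurityHandler) context.getSecurityHandler();
        security.addConstraintMapping(mapping);
        return context;
    }

    /** Sends a bare HTTP/1.1 request over a socket and returns the status code of the first response line. */
    static int probe(int port, String method) throws IOException {
        try (Socket s = new Socket("127.0.0.1", port)) {
            OutputStream out = s.getOutputStream();
            out.write((method + " / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n")
                    .getBytes(StandardCharsets.US_ASCII));
            out.flush();
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
            String statusLine = in.readLine();   // e.g. "HTTP/1.1 403 Forbidden"
            return Integer.parseInt(statusLine.split(" ")[1]);
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(0);          // port 0: the OS picks a free port
        server.setHandler(buildContext());
        server.start();
        int port = ((ServerConnector) server.getConnectors()[0]).getLocalPort();
        try {
            int get = probe(port, "GET");
            int trace = probe(port, "TRACE");
            System.out.println("GET -> " + get + ", TRACE -> " + trace);
            // The security handler answers a forbidden constraint with 403 before the servlet runs.
            if (get != 200 || trace != 403) {
                throw new IllegalStateException("TRACE is not blocked as expected");
            }
        } finally {
            server.stop();
        }
    }
}
```

To verify the first answer's approach instead, build the server from MyServer with a ServerConnector, keep the same probe, and expect 405 rather than 403 for TRACE. Comment out the setAuthenticate(true) line to reproduce the question's symptom: the probe then returns 200 and the response body reflects the request headers.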