Disabling PUT TRACE DELETE request in Apache Tomcat 6.0

非 Y 不嫁゛ 提交于 2019-11-29 02:01:34
James Schek

Inside your WEBINF, add you can add a security constraint:

<security-constraint>
     <web-resource-collection>
          <web-resource-name>Forbidden</web-resource-name>
          <url-pattern>/blah/*</url-pattern>
          <http-method>PUT</http-method>
          <http-method>DELETE</http-method>
          <http-method>TRACE</http-method>
     </web-resource-collection>
     <auth-constraint>
          <role-name>empty_role</role-name>
     </auth-constraint>
</security-constraint>

Alternatively, you can do these two things:

In server.xml, edit the <connector> element, add an attribute: allowTrace="false". Then edit the DefaultServlet: $CATALINA_HOME/conf/web.xml

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>
        org.apache.catalina.servlets.DefaultServlet
    </servlet-class>
    <!-- blah blah blah -->
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
</servlet>

The answer lies in the servlet specification. In looking at the API for the servlet: http://java.sun.com/products/servlet/2.5/docs/servlet-2_5-mr2/javax/servlet/http/HttpServlet.html you'll see that different methods handle different kind of HTTP requests. Also, there is a great feature called filters that can be used to wrap some code around servlets and filters.

So the solutions are:

  • Modify the servlet to only support do and get; or
  • Create a filter to clear those other kind of requests.
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!