使用 Spring Boot 在 Undertow 中禁用 HTTP TRACK/TRACE
Disable http TRACK/TRACE in undertow using spring boot
我想在 Undertow 中禁用 HTTP TRACE。我正在使用 Spring Boot,默认情况下会提供 Undertow。我已排除 Tomcat 并使用 Undertow。我在另一个 Stack Overflow 帖子 (here) 中找到了针对 Tomcat 的答案,但没能找到适用于 Undertow 的同类答案。以下是我目前所做的。
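/**
 * Registers a container customizer that attaches {@link ContextSecurityCustomizer} to the
 * embedded Undertow container so it can adjust the Undertow deployment.
 *
 * @return a customizer that leaves every container other than Undertow untouched
 */
@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
    return new EmbeddedServletContainerCustomizer() {
        @Override
        public void customize(ConfigurableEmbeddedServletContainer container) {
            // instanceof also matches subclasses of the Undertow factory. The earlier
            // container.getClass().isAssignableFrom(...) test is only true for the exact class
            // or one of its supertypes, so a subclassed factory would skip the security
            // customizer without any error.
            if (container instanceof UndertowEmbeddedServletContainerFactory) {
                UndertowEmbeddedServletContainerFactory underTowContainer =
                        (UndertowEmbeddedServletContainerFactory) container;
                underTowContainer.addDeploymentInfoCustomizers(new ContextSecurityCustomizer());
            }
            // No else branch: with any other embedded container nothing is registered here.
        }
    };
}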
/**
 * Deployment customizer that, per the question text, is meant to disable HTTP TRACE on the
 * Undertow deployment. As posted it is an unfinished stub.
 */
private static class ContextSecurityCustomizer implements UndertowDeploymentInfoCustomizer {
    /**
     * Called with the deployment that is being configured.
     *
     * @param deploymentInfo the deployment handed to this customizer
     */
    @Override
    public void customize(DeploymentInfo deploymentInfo) {
        // NOTE(review): this creates a separate DeploymentInfo that is never used afterwards;
        // the deploymentInfo argument is left untouched, so no method is restricted yet.
        DeploymentInfo info = new DeploymentInfo();
        // What next after this
        // NOTE(review): a restriction presumably has to be registered on the deploymentInfo
        // argument rather than on the local object - confirm.
    }
}
请帮我完成这段代码。我的方向是否正确?提前致谢。
这应该适用于 undertow:
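/**
 * Registers a container customizer that attaches {@link ContextSecurityCustomizer} to the
 * embedded Undertow container so its security constraint is added to the deployment.
 *
 * @return a customizer that leaves every container other than Undertow untouched
 */
@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
    return new EmbeddedServletContainerCustomizer() {
        @Override
        public void customize(ConfigurableEmbeddedServletContainer container) {
            // instanceof also matches subclasses of the Undertow factory. The earlier
            // container.getClass().isAssignableFrom(...) test is only true for the exact class
            // or one of its supertypes, so a subclassed factory would skip the security
            // customizer without any error.
            if (container instanceof UndertowEmbeddedServletContainerFactory) {
                UndertowEmbeddedServletContainerFactory undertowContainer =
                        (UndertowEmbeddedServletContainerFactory) container;
                undertowContainer.addDeploymentInfoCustomizers(new ContextSecurityCustomizer());
            }
            // No else branch: with any other embedded container nothing is registered here.
        }
    };
}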
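/**
 * Adds a security constraint to the Undertow deployment that covers the TRACE and TRACK
 * methods on every URL.
 */
private static class ContextSecurityCustomizer implements UndertowDeploymentInfoCustomizer {
    /**
     * Registers the constraint on the deployment passed in.
     *
     * @param deploymentInfo the Undertow deployment being configured; modified in place
     */
    @Override
    public void customize(io.undertow.servlet.api.DeploymentInfo deploymentInfo) {
        WebResourceCollection blockedMethods = new WebResourceCollection();
        blockedMethods.addUrlPattern("/*");
        blockedMethods.addHttpMethod(HttpMethod.TRACE.toString());
        // The page asks for TRACK as well as TRACE; the original constraint listed only TRACE.
        // TRACK is passed as a literal string.
        blockedMethods.addHttpMethod("TRACK");

        // No role is added to the constraint.
        // NOTE(review): this relies on Undertow denying access when a constraint has an empty
        // role list - confirm for the Undertow version in use, and check the response to a
        // TRACE request after deployment.
        SecurityConstraint constraint = new SecurityConstraint();
        constraint.addWebResourceCollection(blockedMethods);
        deploymentInfo.addSecurityConstraint(constraint);
    }
}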
您可以使用 Undertow 提供的 DisallowedMethodsHandler:
import io.undertow.server.handlers.DisallowedMethodsHandler;
/**
 * Web server customizer that puts a {@link DisallowedMethodsHandler} for TRACE and TRACK in
 * front of the embedded Undertow deployment.
 */
@Component
public class UndertowWebServerCustomizer
        implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {

    /**
     * Adds a deployment customizer that wraps the initial handler chain.
     *
     * @param factory the Undertow web server factory being configured
     */
    @Override
    public void customize(UndertowServletWebServerFactory factory) {
        factory.addDeploymentInfoCustomizers(deploymentInfo ->
                deploymentInfo.addInitialHandlerChainWrapper(next -> {
                    // Both method names are listed: TRACE and the TRACK variant.
                    HttpString trace = HttpString.tryFromString("TRACE");
                    HttpString track = HttpString.tryFromString("TRACK");
                    HttpString[] blocked = {trace, track};
                    // The wrapper sits in front of "next".
                    // NOTE(review): presumably the listed methods are answered with
                    // 405 Method Not Allowed and never reach "next" - confirm.
                    return new DisallowedMethodsHandler(next, blocked);
                }));
    }
}
我想在 Undertow 中禁用 HTTP TRACE。我正在使用 Spring Boot,默认情况下会提供 Undertow。我已排除 Tomcat 并使用 Undertow。我在另一个 Stack Overflow 帖子 (here) 中找到了针对 Tomcat 的答案,但没能找到适用于 Undertow 的同类答案。以下是我目前所做的。
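/**
 * Registers a container customizer that attaches {@link ContextSecurityCustomizer} to the
 * embedded Undertow container so it can adjust the Undertow deployment.
 *
 * @return a customizer that leaves every container other than Undertow untouched
 */
@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
    return new EmbeddedServletContainerCustomizer() {
        @Override
        public void customize(ConfigurableEmbeddedServletContainer container) {
            // instanceof also matches subclasses of the Undertow factory. The earlier
            // container.getClass().isAssignableFrom(...) test is only true for the exact class
            // or one of its supertypes, so a subclassed factory would skip the security
            // customizer without any error.
            if (container instanceof UndertowEmbeddedServletContainerFactory) {
                UndertowEmbeddedServletContainerFactory underTowContainer =
                        (UndertowEmbeddedServletContainerFactory) container;
                underTowContainer.addDeploymentInfoCustomizers(new ContextSecurityCustomizer());
            }
            // No else branch: with any other embedded container nothing is registered here.
        }
    };
}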
/**
 * Deployment customizer that, per the question text, is meant to disable HTTP TRACE on the
 * Undertow deployment. As posted it is an unfinished stub.
 */
private static class ContextSecurityCustomizer implements UndertowDeploymentInfoCustomizer {
    /**
     * Called with the deployment that is being configured.
     *
     * @param deploymentInfo the deployment handed to this customizer
     */
    @Override
    public void customize(DeploymentInfo deploymentInfo) {
        // NOTE(review): this creates a separate DeploymentInfo that is never used afterwards;
        // the deploymentInfo argument is left untouched, so no method is restricted yet.
        DeploymentInfo info = new DeploymentInfo();
        // What next after this
        // NOTE(review): a restriction presumably has to be registered on the deploymentInfo
        // argument rather than on the local object - confirm.
    }
}
请帮我完成这段代码。我的方向是否正确?提前致谢。
这应该适用于 undertow:
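/**
 * Registers a container customizer that attaches {@link ContextSecurityCustomizer} to the
 * embedded Undertow container so its security constraint is added to the deployment.
 *
 * @return a customizer that leaves every container other than Undertow untouched
 */
@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
    return new EmbeddedServletContainerCustomizer() {
        @Override
        public void customize(ConfigurableEmbeddedServletContainer container) {
            // instanceof also matches subclasses of the Undertow factory. The earlier
            // container.getClass().isAssignableFrom(...) test is only true for the exact class
            // or one of its supertypes, so a subclassed factory would skip the security
            // customizer without any error.
            if (container instanceof UndertowEmbeddedServletContainerFactory) {
                UndertowEmbeddedServletContainerFactory undertowContainer =
                        (UndertowEmbeddedServletContainerFactory) container;
                undertowContainer.addDeploymentInfoCustomizers(new ContextSecurityCustomizer());
            }
            // No else branch: with any other embedded container nothing is registered here.
        }
    };
}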
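/**
 * Adds a security constraint to the Undertow deployment that covers the TRACE and TRACK
 * methods on every URL.
 */
private static class ContextSecurityCustomizer implements UndertowDeploymentInfoCustomizer {
    /**
     * Registers the constraint on the deployment passed in.
     *
     * @param deploymentInfo the Undertow deployment being configured; modified in place
     */
    @Override
    public void customize(io.undertow.servlet.api.DeploymentInfo deploymentInfo) {
        WebResourceCollection blockedMethods = new WebResourceCollection();
        blockedMethods.addUrlPattern("/*");
        blockedMethods.addHttpMethod(HttpMethod.TRACE.toString());
        // The page asks for TRACK as well as TRACE; the original constraint listed only TRACE.
        // TRACK is passed as a literal string.
        blockedMethods.addHttpMethod("TRACK");

        // No role is added to the constraint.
        // NOTE(review): this relies on Undertow denying access when a constraint has an empty
        // role list - confirm for the Undertow version in use, and check the response to a
        // TRACE request after deployment.
        SecurityConstraint constraint = new SecurityConstraint();
        constraint.addWebResourceCollection(blockedMethods);
        deploymentInfo.addSecurityConstraint(constraint);
    }
}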
您可以使用 Undertow 提供的 DisallowedMethodsHandler:
import io.undertow.server.handlers.DisallowedMethodsHandler;
/**
 * Web server customizer that puts a {@link DisallowedMethodsHandler} for TRACE and TRACK in
 * front of the embedded Undertow deployment.
 */
@Component
public class UndertowWebServerCustomizer
        implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {

    /**
     * Adds a deployment customizer that wraps the initial handler chain.
     *
     * @param factory the Undertow web server factory being configured
     */
    @Override
    public void customize(UndertowServletWebServerFactory factory) {
        factory.addDeploymentInfoCustomizers(deploymentInfo ->
                deploymentInfo.addInitialHandlerChainWrapper(next -> {
                    // Both method names are listed: TRACE and the TRACK variant.
                    HttpString trace = HttpString.tryFromString("TRACE");
                    HttpString track = HttpString.tryFromString("TRACK");
                    HttpString[] blocked = {trace, track};
                    // The wrapper sits in front of "next".
                    // NOTE(review): presumably the listed methods are answered with
                    // 405 Method Not Allowed and never reach "next" - confirm.
                    return new DisallowedMethodsHandler(next, blocked);
                }));
    }
}