Spring 框架:HTTP OPTIONS 返回所有方法(获取、放置、发布、删除、跟踪、头部、选项) [英] Spring framework: HTTP OPTIONS returning all METHODS (get, put, post, delete, trace, head, options)

问题描述

我写了一个spring web应用程序.除了一件事之外，非常坚固.应用程序返回一个 HTTP OPTIONS 请求，其响应为允许:GET、HEAD、POST、PUT、DELETE、OPTIONS"，但这不是真的，只允许 GET 和 POST.其他操作(GET 和 POST 除外)返回操作不受支持"错误 405 以及服务器名称和版本...等.安全团队不喜欢服务器的所有详细信息都返回不支持"错误消息.

I wrote a spring web application. Pretty solid except for one thing. The application returns an HTTP OPTIONS request with response that is "Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS" but that's not true, only GET and POST are allowed. The others operations, (other than GET and POST) are returning "operation not supported" error 405 and server name and version...etc. The security team didn't like the fact that all details of the server are returned with the "Not supported" error message.

我花了很多时间试图覆盖该错误页面或为 405 引入自定义错误页面......但我没有成功.我花了一整天的时间试图禁用 HTTP 选项.没有成功.还有一个细节，我运行 curl 语句来测试:

I spent a lot of time trying to override that error page or introduce a custom error page for 405... but I was not successful. And I spent my whole day trying to disable the HTTP OPTIONS. Without success. Just one more detail, I run curl statements to test:

curl "http://localhost:8080/webappX/welcome.htm" -X PUT -v

然后我的应用返回:

HTTP Status 405 - Request method 'PUT' not supported
Tomcat/6.0...etc 

由于这些数据(tomcat 版本、服务器信息和响应元数据)可能用于安全攻击，我如何创建一个自定义 405 页面来隐藏我的服务器的详细信息并提供一个非常小的错误页面?或者我如何禁用 PUT、DELETE、TRACE、OPTIONS、HEAD，以便 tomcat 可能会忽略它们或不提供有关我的服务器的内部信息.

Since this data (tomcat version, server info, and response metadata) might be used for security attacks, how can I create a custom 405 page that hides details of my server and gives a very minimal error page? Or how can I disable PUT, DELETE, TRACE, OPTIONS, HEAD so tomcat might just ignore them or not provide an internal information about my server.

谢谢

推荐答案

您可以注册并使用 Interceptor 来捕获对应用程序的所有请求，如果该方法不是 GET/POST，只需重定向到您选择的错误页面/发送错误响应即可.

You can register and use an Interceptor that will catch all the requests to the app, if the method is other than GET/POST, simply redirect to an error page of your choosing / send an error response.

public class MyInterceptor extends HandlerInterceptorAdapter{

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

        if (!request.getMethod().equalsIgnoreCase("POST") && !request.getMethod().equalsIgnoreCase("GET")) {
            // Not a POST/GET - send error and return false
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized Request");
            return false;
        } else {
            return true;
        }
    }


}

注册拦截器，把这个添加到你的spring xml配置文件中

to register the interceptor, add this to your spring xml configuration file

<mvc:interceptors>
<mvc:interceptor>
    <mvc:mapping path="/**" />
    <bean class="your.package.MyInterceptor" />
</mvc:interceptor>
</mvc:interceptors>

这篇关于Spring 框架:HTTP OPTIONS 返回所有方法(获取、放置、发布、删除、跟踪、头部、选项)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！