How to disable HTTP OPTIONS Method in JBoss?
Question
I'm trying to disable the JBoss HTTP OPTIONS method. Using the following syntax in the web.xml in JBoss, I can disable all the http-methods except OPTIONS. Is there a way to successfully disable http-method OPTIONS?
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted</web-resource-name>
        <description>Declarative security tests</description>
        <url-pattern>/EVE/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>Only authenticated users can access secure content</description>
        <role-name>AuthorizedUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>no description</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted 2</web-resource-name>
        <description>Declarative security tests</description>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>Only authenticated users can access secure content</description>
        <role-name>AuthorizedUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>no description</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Answer
Option 1 - Using RewriteValve (can apply globally)
You can use RewriteValve to disable the http methods. Take a look at the documentation. You will need one RewriteCond directive and one RewriteRule.
In your RewriteCond directive you could specify all methods with use of the REQUEST_METHOD server variable, for example:
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]
then your RewriteRule can mark those as forbidden (it immediately sends back an HTTP response of 403 (FORBIDDEN)), for example:
RewriteRule .* - [F]
In case of JBoss EAP 6
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <rewrite pattern=".*" substitution="-" flags="F">
            <condition test="%{REQUEST_METHOD}" pattern="^(PUT|DELETE|TRACE|OPTIONS)$" flags="NC" />
        </rewrite>
    </virtual-server>
</subsystem>
Apart from this, as said in the above answer, it can be done via web.xml per WAR.
To check the above, use
curl -v -X TRACE http://hostname:port/appContext
curl -v -X DELETE http://hostname:port/appContext
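An added example, not part of the question or the answer: a small Python audit that reads a web.xml like the one in the question and reports, for a given path, which of the methods named in the answer's RewriteCond are left without any security-constraint, plus a check of that RewriteCond pattern itself. The embedded web.xml is constructed; its second constraint deliberately omits OPTIONS so the audit has something to report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the question's web.xml (second constraint omits OPTIONS).
WEB_XML = """<web-app>
  <security-constraint><web-resource-collection><url-pattern>/EVE/*</url-pattern>
    <http-method>PUT</http-method><http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method><http-method>TRACE</http-method>
  </web-resource-collection><auth-constraint><role-name>AuthorizedUser</role-name>
  </auth-constraint></security-constraint>
  <security-constraint><web-resource-collection><url-pattern>/*</url-pattern>
    <http-method>PUT</http-method><http-method>DELETE</http-method><http-method>TRACE</http-method>
  </web-resource-collection><auth-constraint><role-name>AuthorizedUser</role-name>
  </auth-constraint></security-constraint>
</web-app>"""

# The answer's RewriteCond pattern; its NC flag corresponds to re.IGNORECASE.
REWRITE_COND = re.compile(r"^(PUT|DELETE|TRACE|OPTIONS)$", re.IGNORECASE)

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: default '/', prefix '/x/*', extension '*.ext', exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def constrained_methods(web_xml, path):
    """Methods that some auth-constrained collection restricts on `path` ('*' = all)."""
    methods = set()
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # a constraint without auth-constraint restricts nothing
        for wrc in sc.iter("web-resource-collection"):
            if any(pattern_matches(p.text.strip(), path) for p in wrc.iter("url-pattern")):
                listed = [m.text.strip().upper() for m in wrc.iter("http-method")]
                methods.update(listed or ["*"])  # no http-method listed = every method
    return methods

def uncovered_methods(web_xml, path, wanted=("PUT", "DELETE", "OPTIONS", "TRACE")):
    """Methods from `wanted` that no security-constraint restricts on `path`."""
    covered = constrained_methods(web_xml, path)
    return [] if "*" in covered else sorted(set(wanted) - covered)

def rewrite_blocks(method):
    """True if the answer's RewriteValve condition would answer this method with 403."""
    return REWRITE_COND.match(method) is not None
```

Run `uncovered_methods(WEB_XML, "/other")` to see that OPTIONS is the only listed method with no constraint outside /EVE/, which is the gap a global RewriteValve rule closes regardless of what each WAR declares.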