How to disable HTTP OPTIONS Method in JBoss?


Question

I'm trying to disable the JBoss HTTP OPTIONS method. Using the following syntax in the web.xml in JBoss, I can disable all the http-methods except OPTIONS. Is there a way to successfully disable http-method OPTIONS?

<security-constraint>  
<web-resource-collection>  
    <web-resource-name>Restricted</web-resource-name>  
    <description>Declarative security tests</description>  
    <url-pattern>/EVE/*</url-pattern>       
    <http-method>PUT</http-method>  
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>    
</web-resource-collection>  
<auth-constraint>  
    <description>Only authenticated users can access secure content</description>  
    <role-name>AuthorizedUser</role-name>  
</auth-constraint>  
<user-data-constraint>  
    <description>no description</description>  
    <transport-guarantee>NONE</transport-guarantee>  
</user-data-constraint>  
</security-constraint>
<security-constraint>
<web-resource-collection>  
    <web-resource-name>Restricted 2</web-resource-name>  
    <description>Declarative security tests</description>  
    <url-pattern>/*</url-pattern>        
    <http-method>PUT</http-method>  
    <http-method>DELETE</http-method> 
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>  
</web-resource-collection>  
<auth-constraint>  
    <description>Only authenticated users can access secure content</description>  
    <role-name>AuthorizedUser</role-name>  
</auth-constraint>  
<user-data-constraint>  
    <description>no description</description>  
    <transport-guarantee>NONE</transport-guarantee>  
</user-data-constraint>  
</security-constraint>


Recommended answer

Option 1 - Using RewriteValve (can apply globally)

You can use RewriteValve to disable the HTTP methods. Take a look at the documentation. You will need one RewriteCond directive and one RewriteRule.

In your RewriteCond directive you could specify all methods using the REQUEST_METHOD server variable, for example:

RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]

Then your RewriteRule can mark those as forbidden (it immediately sends back an HTTP response of 403 (FORBIDDEN)), for example:

RewriteRule .* - [F]

In the case of JBoss EAP 6:

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <rewrite pattern=".*" substitution="-" flags="F">
            <condition test="%{REQUEST_METHOD}" pattern="^(PUT|DELETE|TRACE|OPTIONS)$" flags="NC" />
        </rewrite>
    </virtual-server>
</subsystem>

Apart from this, as said in the above answer, it can be done via web.xml per WAR.

To check the above, use:

curl -v -X TRACE http://hostname:port/appContext
curl -v -X DELETE http://hostname:port/appContext
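
The curl check above can be scripted so that all four methods from the RewriteCond pattern are tested, OPTIONS included. This is an added example, not part of the original answer: the function names are hypothetical, and it assumes the rule is expected to answer 403 (the `F` flag) and that a plain GET to the same URL is normally served.

```shell
#!/bin/sh
# Added example: verify that the methods named in the RewriteCond pattern
# are refused with 403. Function names are hypothetical.

# Methods from the page's pattern ^(PUT|DELETE|TRACE|OPTIONS)$
BLOCKED_METHODS="PUT DELETE TRACE OPTIONS"

# status_for METHOD URL: print the HTTP status code (000 if no response).
status_for() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' -X "$1" "$2" || true
}

# check_methods URL
#   returns 0 if every blocked method gets 403,
#           1 if at least one blocked method is still served,
#           2 if the GET control fails, so the result cannot be trusted.
check_methods() {
    url=$1
    failed=0

    # Control request: a 403 on GET means something other than the method
    # rule is refusing requests; 000 means the server was not reached.
    control=$(status_for GET "$url")
    case "$control" in
        ""|000|403)
            echo "INCONCLUSIVE GET -> ${control:-none}"
            return 2 ;;
    esac

    for m in $BLOCKED_METHODS; do
        code=$(status_for "$m" "$url")
        if [ "$code" = "403" ]; then
            echo "PASS $m -> $code"
        else
            echo "FAIL $m -> $code"
            failed=1
        fi
    done
    return "$failed"
}

# Usage: sh check_methods.sh http://hostname:port/appContext
if [ "$#" -ge 1 ]; then
    check_methods "$1"
fi
```

A non-zero exit status makes the script usable as a deployment gate: 1 means a listed method is still answered, 2 means the target URL needs to be one that serves GET.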
