如何在Tomcat 7中禁用TRACE,OPTIONS http方法的测试 [英] How to TEST if TRACE, OPTIONS http methods are disabled in Tomcat 7
问题描述
我正在尝试在Tomcat级别禁用TRACE和OPTIONS方法.我一直在尝试不同的方法来实现此目的,但是在测试过程中的所有情况下都得到相同的结果.我对telnet(或任何网络)不是很熟悉,但是我在cmd提示符下的测试方式是"telnet localhost 8080",然后粘贴TRACE/HTTP/1.0,然后按Enter键两次.任何帮助将不胜感激.
I am trying to disable TRACE and OPTIONS methods in the Tomcat level. I've been trying out different ways to implement this but get the same result on all cases during testing. I'm not very familiar with telnet (or any networking) but my manner of testing in cmd prompt is "telnet localhost 8080", then I paste the TRACE / HTTP/1.0 then press enter twice. Any help is greatly appreciated.
1.)CATALINA_HOME/conf/web.xml中的无更改
1.) NO CHANGES in CATALINA_HOME/conf/web.xml
2.)在CATALINA_HOME/conf/web.xml中添加安全约束
2.) Adding security constraint in CATALINA_HOME/conf/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>All Access</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
3.)在CATALINA_HOME/conf/server.xml的Connector标记中添加allowTrace ="false"
3.) Add allowTrace="false" in Connector tag of CATALINA_HOME/conf/server.xml
4.)在CATALINA_HOME/conf/server.xml&的连接器标记中添加allowTrace ="false". 将XML添加到CATALINA_HOME/conf/web.xml的Default Servlet标记中
4.) Add allowTrace="false" in Connector tag of CATALINA_HOME/conf/server.xml & Add xml to CATALINA_HOME/conf/web.xml's Default Servlet tag
<init-param>
<param-name>readonly</param-name>
<param-value>true</param-value>
</init-param>
所有案例的结果
TRACE/HTTP/1.0(找不到404)
TRACE / HTTP/1.0 (404 Not Found)
选项/HTTP/1.0(找不到404)
OPTIONS / HTTP/1.0 (404 Not Found)
TRACE/(网络服务名称)HTTP/1.0(找到302)
TRACE /(name of webservice) HTTP/1.0 (302 Found)
选项/(网络服务名称)HTTP/1.0(找到302)
OPTIONS /(name of webservice) HTTP/1.0 (302 Found)
Tomcat都会通过发出 shutdown.bat 和 startup.bat 重新启动.我显然做错了(测试/配置),因为无论更改什么,我都会得到相同的结果.我已经读到我应该期待405错误来表示http方法已被禁用.
Tomcat was restarted after every change by issuing shutdown.bat and startup.bat. I'm obviously doing something wrong (testing/config) because I get the same result no matter what I change. I've read that I should be expecting a 405 error to signify that the http methods have been disabled.
推荐答案
当您没有部署ROOT Web应用程序时,这些结果是预期的.如果您遵循重定向,则会获得对有效资源的302响应,您将开始看到405响应.
Those results are as expected when you don't have a ROOT web application deployed. If you follow the redirect you get with the 302 responses to a valid resource you'll start to see the 405 responses.
这取决于Tomcat执行各种检查的顺序,并且Mapper是处理请求的第一批组件之一(它确定将请求路由到的Host,Web应用程序和Servlet).
It comes down to the order that Tomcat performs the various checks and that the Mapper is one of the first components to process a request (it determines the Host, web application and Servlet to route the request to).
前两个返回404,因为您没有默认的Web应用程序. Mapper会尽早返回404(以提高效率),因此您不会得到检查TRACE是否已启用的代码.
The first 2 return 404s because you don't have a default web application. The Mapper returns a 404 as early as possible (for efficiency) so you don't get as far as the code that checks to see if TRACE is enabled.
第二个2返回302s,因为映射器再次将/web-service重定向到/name-web-service/.再次,这种情况尽早发生,并且再次发生在检查是否启用TRACE之前.
The second 2 return 302s because again the Mapper is redirecting /name-of-web-service to /name-of-web-service/. Again this happens as early as possible and again it is before the checks to see if TRACE is enabled.
如果使用存在的路径进行测试,您应该会看到预期的405.
If you perform you tests with a path that exists, you should see the 405 you expect.
这篇关于如何在Tomcat 7中禁用TRACE,OPTIONS http方法的测试的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
