Tomcat security-constraints TRACE inconsistent


Problem description

I'm using a web.xml to try and disable the HTTP methods we're not using and to return a body that doesn't contain any tomcat info.

So I've changed the web.xml of the app to have:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>TRACE</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

So the blocked methods are returning 403 with an empty body, for forbidden. But TRACE is returning a 405 with a Tomcat HTML page.

I tried redirecting all errors through an ErrorServlet with:

<error-page>
    <location>/ErrorServlet</location>
</error-page>

Which just makes sure that the content body is 0. But that doesn't seem to intercept these.

So why is TRACE being treated differently?

Thanks

Recommended answer

It makes perfect sense to me, because in all cases except TRACE you're submitting a request for a web resource identified by a URL, and code 403 means that access to the resource is denied. Try to get access to the same resource using allowed methods. Probably it's forbidden for them as well?

TRACE, on the other hand, doesn't require access to any resource; it simply echoes the client's input, so 405 ("METHOD NOT ALLOWED") looks appropriate for this case.

It's a good idea to have custom error pages. Examples specific for each error code can be found here: https://serverfault.com/questions/254102/custom-error-pages-on-apache-tomcat
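As an added illustration (not part of the question or the answer above), the following Python script evaluates the question's web.xml fragment against individual requests using the servlet spec's url-pattern and http-method matching rules, showing which (method, path) pairs the webapp's own constraint denies outright, i.e. the 403 with an empty body the asker sees. It models only the constraint itself; the separate treatment of TRACE that the answer describes is not reproduced, so the constraint alone would report TRACE as denied even though the asker observes a 405 instead.

```python
# Added example, not from the original question or answer: evaluates a servlet
# <security-constraint> to show which (method, path) pairs get an outright 403.
import xml.etree.ElementTree as ET

# The fragment from the question, embedded as the input to parse.
WEB_XML = """<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>TRACE</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>"""

def pattern_matches(pattern, path):
    """url-pattern matching per the servlet spec: prefix, extension, default, exact."""
    if pattern.endswith("/*"):                 # path-prefix mapping, e.g. /* or /api/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):               # extension mapping, e.g. *.jsp
        return path.endswith(pattern[1:])
    return pattern == "/" or path == pattern   # default mapping, or exact mapping

def load_constraints(xml_text):
    """Return (url_patterns, http_methods, deny_all) per web-resource-collection."""
    constraints = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        # <auth-constraint/> with no <role-name> means no role may access at all.
        deny_all = auth is not None and auth.find("role-name") is None
        for wrc in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.iter("http-method")}
            constraints.append((patterns, methods, deny_all))
    return constraints

def is_denied(constraints, method, path):
    """True if the constraints forbid this request, i.e. the webapp answers 403."""
    for patterns, methods, deny_all in constraints:
        covered = (not methods) or method.upper() in methods  # no methods = all
        if covered and deny_all and any(pattern_matches(p, path) for p in patterns):
            return True
    return False

CONSTRAINTS = load_constraints(WEB_XML)
```

With the question's fragment loaded, `is_denied(CONSTRAINTS, "PUT", "/index.jsp")` returns True and `is_denied(CONSTRAINTS, "GET", "/index.jsp")` returns False, which is exactly the split between forbidden and permitted methods the asker describes.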
