Fixing the "Remote WWW service supports TRACE request" finding

7 June 2023

The finding means the server answers the HTTP TRACE method by echoing the request back to the client, headers included, so any cookie or Authorization header sent with the request comes back in the response body (the classic cross-site tracing issue). Both Spring Boot fixes below add a servlet security constraint that rejects TRACE, together with a list of other methods, on every path.

Embedded Tomcat

Register a ConfigurableServletWebServerFactory bean that adds a security constraint covering every path. The widely copied version of this snippet uses setUserConstraint("CONFIDENTIAL"), which is a transport guarantee rather than a denial: over plain HTTP Tomcat answers the constrained methods with a redirect to its HTTPS redirect port, and over HTTPS it lets them through. An auth constraint with no roles (setAuthConstraint(true)) denies them with 403 on every connector, which is what the finding requires.

import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

    @Bean
    public ConfigurableServletWebServerFactory configurableServletWebServerFactory() {
        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
        factory.addContextCustomizers(context -> {
            // An auth constraint with no roles denies every matching request
            // with 403, on HTTP and HTTPS connectors alike.
            SecurityConstraint securityConstraint = new SecurityConstraint();
            securityConstraint.setAuthConstraint(true);

            // Only the listed methods are constrained; GET and POST stay open.
            SecurityCollection collection = new SecurityCollection();
            collection.addPattern("/*");
            collection.addMethod("HEAD");
            collection.addMethod("PUT");
            collection.addMethod("DELETE");
            collection.addMethod("OPTIONS");
            collection.addMethod("TRACE");
            collection.addMethod("COPY");
            collection.addMethod("SEARCH");
            collection.addMethod("PROPFIND");
            securityConstraint.addCollection(collection);

            context.addConstraint(securityConstraint);
        });
        return factory;
    }
}

Two things to check before shipping this. Tomcat's Connector rejects TRACE by default (allowTrace is false), so if the scanner still reports TRACE against an embedded-Tomcat application, the echo is most likely coming from a reverse proxy or load balancer in front of it, and the constraint above will not change that. Second, the method list is broader than the finding: blocking HEAD breaks health checks and caches that use it, blocking OPTIONS breaks CORS preflight, and blocking PUT and DELETE breaks any REST API that uses them. Keep TRACE, and add the others only if the application really never serves them.

Embedded Undertow

With Undertow the same idea goes through a WebServerFactoryCustomizer: a WebResourceCollection lists the methods and a SecurityConstraint with no roles carries it. Undertow's default emptyRoleSemantic is DENY, so such a constraint rejects the listed methods with 403; the code below sets it explicitly so the intent is visible. The three setServerOption calls are unrelated to the TRACE finding: they relax URL and cookie parsing and should stay out unless the application needs them. As with Tomcat, the list is wider than the finding: HEAD, OPTIONS, PUT, PATCH and DELETE are legitimate for health checks, CORS preflight and REST APIs, so keep TRACE and prune the rest to what the application really never serves.

import io.undertow.UndertowOptions;
import io.undertow.servlet.api.SecurityConstraint;
import io.undertow.servlet.api.SecurityInfo;
import io.undertow.servlet.api.WebResourceCollection;
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;

/**
 * @author zhanglei
 */
@Configuration
public class UndertowConfig implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {
    @Override
    public void customize(UndertowServletWebServerFactory factory) {
        // Unrelated to TRACE: these loosen URL and cookie parsing. Remove them
        // unless the application actually depends on that behaviour.
        factory.addBuilderCustomizers(builder -> builder.setServerOption(UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL, Boolean.TRUE));
        factory.addBuilderCustomizers(builder -> builder.setServerOption(UndertowOptions.ALLOW_EQUALS_IN_COOKIE_VALUE, Boolean.TRUE));
        factory.addBuilderCustomizers(builder -> builder.setServerOption(UndertowOptions.ALLOW_ENCODED_SLASH, Boolean.TRUE));

        factory.addDeploymentInfoCustomizers(deploymentInfo -> {
            // Every path, but only the listed methods; GET and POST stay open.
            WebResourceCollection webResourceCollection = new WebResourceCollection();
            webResourceCollection.addUrlPattern("/*");
            webResourceCollection.addHttpMethod(HttpMethod.HEAD.toString());
            webResourceCollection.addHttpMethod(HttpMethod.PUT.toString());
            webResourceCollection.addHttpMethod(HttpMethod.PATCH.toString());
            webResourceCollection.addHttpMethod(HttpMethod.DELETE.toString());
            webResourceCollection.addHttpMethod(HttpMethod.OPTIONS.toString());
            webResourceCollection.addHttpMethod(HttpMethod.TRACE.toString());

            // No roles plus DENY semantics: every matching request gets 403.
            SecurityConstraint constraint = new SecurityConstraint();
            constraint.setEmptyRoleSemantic(SecurityInfo.EmptyRoleSemantic.DENY);
            constraint.addWebResourceCollection(webResourceCollection);

            deploymentInfo.addSecurityConstraint(constraint);
        });
    }
}
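A check to run after deploying either configuration, as an added example that is not part of the original post: it sends TRACE with a marker header and decides from the response whether the method is still answered. The marker header name, the status codes treated as a denial, and the host and port in the usage comment are my choices; the sample responses at the bottom are constructed, not captured from a real server.

```python
"""Verify that a server rejects TRACE (and other constrained methods).

Added example, not code from the original post. Host/port are placeholders.
"""
import http.client
from typing import Dict, Tuple

# Marker sent with the probe. A server that still answers TRACE echoes the
# whole request, marker included; that echo is the reason the finding exists
# (Cookie and Authorization headers come back the same way).
MARKER_HEADER = "X-Trace-Probe"
MARKER_VALUE = "probe-7f3a9c"


def reflected_headers(body: bytes) -> Dict[str, str]:
    """Parse the request echoed in a TRACE response (a message/http body)
    into {lowercase-header-name: value}. Returns {} if the body is not an
    echoed TRACE request."""
    text = body.decode("latin-1")
    lines = text.split("\r\n") if "\r\n" in text else text.split("\n")
    if not lines or not lines[0].upper().startswith("TRACE "):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":
            break  # end of the echoed header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_trace(status: int, content_type: str, body: bytes) -> str:
    """Classify a TRACE response as 'enabled', 'blocked' or 'unknown'."""
    echoed = reflected_headers(body)
    if status == 200 and (
        echoed.get(MARKER_HEADER.lower()) == MARKER_VALUE
        or content_type.lower().startswith("message/http")
    ):
        return "enabled"
    if status in (403, 405, 501):
        return "blocked"
    # Anything else needs a human look: a redirect to HTTPS is not a denial,
    # and a 200 without the echo is usually a proxy serving its default page.
    return "unknown"


def probe_method(host: str, port: int, method: str, path: str = "/",
                 timeout: float = 5.0) -> Tuple[int, str]:
    """Live check: send one request and return (status, verdict).
    TRACE is judged by its body; other methods by status code only."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers={MARKER_HEADER: MARKER_VALUE})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if method == "TRACE":
        ctype = resp.getheader("Content-Type", "") or ""
        return resp.status, classify_trace(resp.status, ctype, body)
    return resp.status, "blocked" if resp.status in (403, 405) else "allowed"


# Constructed sample responses (not captured from any host) so the
# classifier can be exercised offline.
SAMPLE_ENABLED = (
    200,
    "message/http",
    b"TRACE / HTTP/1.1\r\nHost: app.example\r\n"
    b"X-Trace-Probe: probe-7f3a9c\r\nCookie: JSESSIONID=0123ABCD\r\n\r\n",
)
SAMPLE_BLOCKED = (405, "text/html;charset=utf-8", b"<html>Method Not Allowed</html>")
SAMPLE_REDIRECT = (302, "text/html", b"")  # e.g. a transport-guarantee redirect


if __name__ == "__main__":
    for sample in (SAMPLE_ENABLED, SAMPLE_BLOCKED, SAMPLE_REDIRECT):
        print(sample[0], classify_trace(*sample), reflected_headers(sample[2]))
    # Live run against your own deployment, for example:
    # for m in ("TRACE", "OPTIONS", "PUT", "DELETE"):
    #     print(m, probe_method("127.0.0.1", 8080, m))
```

Run the live loop against the application port first and then against the public hostname: if TRACE is "blocked" on the application but "enabled" through the public name, the echo comes from the proxy or load balancer in front, and the servlet constraint is not where the fix belongs.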

Last updated: 7 June 2023

陈昭

IT programmer