远端WWW服务支持TRACE请求 漏洞修复
内置 Tomcat 服务
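/**
 * Builds the embedded Tomcat factory and denies a fixed set of HTTP methods, TRACE among
 * them, on every URL of the application.
 *
 * <p>The deny rule is an authorization constraint with no roles attached, which Tomcat
 * interprets as "no access at all" for the matching requests. A transport guarantee set
 * through {@code setUserConstraint("CONFIDENTIAL")} is not a deny rule: it only requires the
 * request to arrive over TLS, so the listed methods would still be served on an HTTPS
 * listener and the scanner finding would remain.
 *
 * @return the Tomcat factory carrying the method-deny constraint
 */
@Bean
public ConfigurableServletWebServerFactory configurableServletWebServerFactory() {
    TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
    factory.addContextCustomizers(context -> {
        SecurityCollection collection = new SecurityCollection();
        collection.addPattern("/*");
        // NOTE(review): HEAD, PUT and DELETE are denied application-wide. Trim this list if
        // any endpoint (REST controllers, health probes using HEAD) legitimately needs them.
        String[] deniedMethods = {
            "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "COPY", "SEARCH", "PROPFIND"
        };
        for (String method : deniedMethods) {
            collection.addMethod(method);
        }

        SecurityConstraint securityConstraint = new SecurityConstraint();
        // Auth constraint with zero roles: nobody is authorized, so matching requests are
        // rejected (expected 403) on both HTTP and HTTPS connectors.
        securityConstraint.setAuthConstraint(true);
        securityConstraint.addCollection(collection);
        context.addConstraint(securityConstraint);
    });
    // NOTE(review): Tomcat's connector also has its own allowTrace switch (off by default);
    // confirm no other customizer turns it on, and verify the fix by sending a TRACE request
    // to every listener and checking that it is refused.
    return factory;
}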
内置 Undertow 服务
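/**
 * Customizes the embedded Undertow server: relaxes three request-parsing options and denies
 * a fixed set of HTTP methods, TRACE among them, on every URL.
 *
 * @author zhanglei
 */
@Configuration
public class UndertowConfig implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {

    /**
     * Applies the server options and the method-deny security constraint to the factory.
     *
     * @param factory the Undertow factory supplied by Spring Boot
     */
    @Override
    public void customize(UndertowServletWebServerFactory factory) {
        // NOTE(review): the three options below loosen request parsing and are unrelated to
        // the TRACE finding. Accepting unescaped URL characters and encoded slashes can make
        // the server and any proxy or path-based access rule in front of it disagree about
        // which path was requested. Keep each one only if the application needs it.
        factory.addBuilderCustomizers(builder ->
                builder.setServerOption(UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL, Boolean.TRUE));
        factory.addBuilderCustomizers(builder ->
                builder.setServerOption(UndertowOptions.ALLOW_EQUALS_IN_COOKIE_VALUE, Boolean.TRUE));
        factory.addBuilderCustomizers(builder ->
                builder.setServerOption(UndertowOptions.ALLOW_ENCODED_SLASH, Boolean.TRUE));

        factory.addDeploymentInfoCustomizers(deploymentInfo -> {
            WebResourceCollection webResourceCollection = new WebResourceCollection();
            webResourceCollection.addUrlPattern("/*");
            // NOTE(review): HEAD, PUT, PATCH and DELETE are denied application-wide. Trim this
            // list if any endpoint legitimately needs them.
            webResourceCollection.addHttpMethod(HttpMethod.HEAD.toString());
            webResourceCollection.addHttpMethod(HttpMethod.PUT.toString());
            webResourceCollection.addHttpMethod(HttpMethod.PATCH.toString());
            webResourceCollection.addHttpMethod(HttpMethod.DELETE.toString());
            webResourceCollection.addHttpMethod(HttpMethod.OPTIONS.toString());
            webResourceCollection.addHttpMethod(HttpMethod.TRACE.toString());

            // No roles are added to the constraint; the deny behaviour relies on Undertow's
            // handling of a role-less constraint (presumably deny by default - confirm for
            // the Undertow version in use by sending a TRACE request and checking the result).
            SecurityConstraint constraint = new SecurityConstraint();
            constraint.addWebResourceCollection(webResourceCollection);
            deploymentInfo.addSecurityConstraint(constraint);
        });
    }
}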