  • How to disable certain HTTP methods (PUT, DELETE, TRACE and OPTIONS) in JBoss 7

    Resolution

    Option 1 - Using RewriteValve (can apply globally)

    You can use RewriteValve to disable the HTTP methods. Take a look at the documentation: http://docs.jboss.org/jbossweb/2.1.x/rewrite.html. You will need one RewriteCond directive and one RewriteRule.

    In your RewriteCond directive you can match all of the methods by using the REQUEST_METHOD server variable, for example:

    RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]

    then your RewriteRule can mark those requests as forbidden (the server immediately sends back an HTTP 403 (Forbidden) response), for example:

    RewriteRule .* - [F]

    For EAP6:

    RewriteValve can be configured as a global valve in domain.xml or standalone.xml. Add the <rewrite> tag to the <virtual-server> configuration of the web subsystem.

    .. ..
    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
        <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
        <virtual-server name="default-host" enable-welcome-root="true">
            <rewrite pattern=".*" substitution="-" flags="F">
                <condition test="%{REQUEST_METHOD}" pattern="^(PUT|DELETE|TRACE|OPTIONS)$" flags="NC" />
            </rewrite>
        </virtual-server>
    </subsystem>
    .. ..

    Option 2 - web.xml security constraints (per WAR)

    This can be done by adding security constraints to the application's web.xml. For example:

    .. ..
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>NoAccess</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>
    .. ..

    In the above example, the empty <auth-constraint/> means no role is permitted, so DELETE, PUT, OPTIONS, TRACE and POST requests to any URL of the application are denied.

    You can also deny all methods other than the explicitly allowed ones, like this:

    .. ..
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>NoAccess</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AllowedMethods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
        </web-resource-collection>
    </security-constraint>
    .. ..

    See the Java Servlet Specification and also The Java EE 5 Tutorial, "Declaring Security Requirements in a Deployment Descriptor", for more information.
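    As an added audit helper (not part of the original article or of JBoss itself), the following Python parses the two configuration forms shown above, the web.xml <security-constraint> with an empty <auth-constraint/> and the RewriteValve <rewrite flags="F"> with a <condition> on %{REQUEST_METHOD}, and reports which HTTP methods each one blocks. The sample fragments are constructed from this page, and the web.xml check deliberately does not model how the Servlet specification combines overlapping constraints.

```python
"""Audit a JBoss 7 / EAP 6 configuration for blocked HTTP methods, covering the two
forms above: a web.xml <security-constraint> with an empty <auth-constraint/>, and a
RewriteValve <rewrite flags="F"> whose <condition> tests %{REQUEST_METHOD}."""
import re
import xml.etree.ElementTree as ET

PROBE = ("GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS")

def _find(elem, name):
    # Namespace-agnostic search: ignores prefixes such as {urn:jboss:domain:web:1.1}.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def methods_denied_by_web_xml(web_xml, url_pattern="/*"):
    """Methods covered by a deny-all constraint on url_pattern; "*" means the
    constraint listed no <http-method>, so every method is covered. Simplification:
    the Servlet spec's rules for combining overlapping constraints are not modelled."""
    denied = set()
    for sc in _find(ET.fromstring(web_xml), "security-constraint"):
        auth = _find(sc, "auth-constraint")
        if not auth or _find(auth[0], "role-name"):  # roles named -> not a deny-all
            continue
        for wrc in _find(sc, "web-resource-collection"):
            if url_pattern in [p.text.strip() for p in _find(wrc, "url-pattern")]:
                methods = [m.text.strip().upper() for m in _find(wrc, "http-method")]
                denied.update(methods or ["*"])
    return denied

def methods_denied_by_rewrite(subsystem_xml, probe=PROBE):
    """Methods from probe rejected by a forbidding rewrite (flag F) through a
    condition on %{REQUEST_METHOD}; the NC flag makes the regex case-insensitive."""
    flags = lambda e: {f.strip().upper() for f in e.get("flags", "").split(",")}
    denied = set()
    for rw in _find(ET.fromstring(subsystem_xml), "rewrite"):
        if "F" not in flags(rw):
            continue
        for cond in _find(rw, "condition"):
            if cond.get("test") == "%{REQUEST_METHOD}":
                rx = re.compile(cond.get("pattern", ""), re.IGNORECASE if "NC" in flags(cond) else 0)
                denied.update(m for m in probe if rx.search(m))
    return denied

# Constructed sample fragments, reduced from the two configurations shown on this page.
WEB_XML = """<web-app><security-constraint><web-resource-collection>
<web-resource-name>NoAccess</web-resource-name><url-pattern>/*</url-pattern>
<http-method>DELETE</http-method><http-method>PUT</http-method>
<http-method>OPTIONS</http-method><http-method>TRACE</http-method>
</web-resource-collection><auth-constraint/></security-constraint></web-app>"""
SUBSYSTEM_XML = """<subsystem xmlns="urn:jboss:domain:web:1.1"><virtual-server name="default-host">
<rewrite pattern=".*" substitution="-" flags="F">
<condition test="%{REQUEST_METHOD}" pattern="^(PUT|DELETE|TRACE|OPTIONS)$" flags="NC"/>
</rewrite></virtual-server></subsystem>"""
```

    Running it over a real standalone.xml and each deployed WAR's web.xml gives a quick inventory of which methods are blocked where; a curl probe, as in the verification step below, remains the authoritative check.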

    Option 3 - Using Apache httpd mod_rewrite in front of JBoss

    If you are fronting JBoss with Apache httpd, you can also apply the above rewrite rules in httpd.conf. For example:

    RewriteEngine On

    RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]
    RewriteRule .* - [F]

    To verify the above configuration:

    You can use the curl command to test whether the configuration change is effective (an HTTP 403 response shows the method is blocked). For example:

    curl -v -XTRACE http://hostname:port/appContext
    curl -v -XDELETE http://hostname:port/appContext

  • Original article: https://www.cnblogs.com/firstdream/p/5955406.html