Blueherb In solitude, where we are least alone 王佳鑫

Enabling the TRACE method

Test method:

curl -i -s -k -X $'TRACE' \
    -H $'Host: 10.10.10.10:8443' \
    -H $'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0' \
    -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    -H $'Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' \
    -H $'Accept-Encoding: gzip, deflate' \
    -H $'Referer: https://10.10.10.114:8443/SafeAssets/admin/login;JSESSIONID=ac26d246-75c0-4d86-b51e-66de02d94622' \
    -H $'Upgrade-Insecure-Requests: 1' \
    -H $'Cache-Control: max-age=0' \
    -H $'Te: trailers' \
    -H $'Connection: close' \
    -b $'JSESSIONID=ac26d246-75c0-4d86-b51e-66de02d94622' \
    $'https://10.10.10.10:8443/ass/'

Solution:
Add TRACE handling to the filter so that a TRACE request is answered immediately. This requires Tomcat to allow TRACE: set allowTrace="true" on the connector in server.xml and do not list TRACE in web.xml, so that Tomcat lets TRACE requests through and the Java code handles them.
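The following is an added example, not code from the original post, covering both the curl test above and the behaviour the filter is supposed to produce. Two tiny local servers stand in for Tomcat: one rejects TRACE with 405 the way CsrfFilter does, the other has TRACE enabled and unfiltered and echoes the request back. A client sends one TRACE carrying a cookie and classifies the answer, which is the cross-site-tracing check a scanner performs. Hosts, ports, the path and the cookie value are all constructed for the demo.

```python
"""Added example (not from the original post): local end-to-end check of TRACE handling.
A TRACE response that reflects the request's Cookie header is the condition to detect;
a 405 with an empty body is the outcome the Java filter is meant to produce."""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer


class TraceRejectingHandler(BaseHTTPRequestHandler):
    """Stand-in for the Java filter: every TRACE gets 405 and no body."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class EchoingHandler(BaseHTTPRequestHandler):
    """Stand-in for a server where TRACE is allowed and unfiltered: it echoes
    the request line and headers, cookies included."""

    def do_TRACE(self):
        echoed = self.raw_requestline + b"".join(
            f"{k}: {v}\r\n".encode() for k, v in self.headers.items())
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind an ephemeral loopback port and serve from a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def classify_trace_response(status, body, cookie):
    """Pure classification of one TRACE response (constructed cookie value)."""
    reflected = cookie.encode() in body
    return {"status": status, "cookie_reflected": reflected,
            "blocked": status == 405 and not reflected}


def check_trace(host, port, cookie="JSESSIONID=constructed-demo-session"):
    """Send one TRACE with a cookie (like the curl test) and classify the reply."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/ass/", headers={"Cookie": cookie})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    return classify_trace_response(resp.status, body, cookie)


def run_demo():
    """Run the check against both stand-in servers; returns (filtered, echoing)."""
    good, bad = start_server(TraceRejectingHandler), start_server(EchoingHandler)
    try:
        return check_trace(*good.server_address), check_trace(*bad.server_address)
    finally:
        for s in (good, bad):
            s.shutdown()
            s.server_close()


if __name__ == "__main__":
    for label, result in zip(("filtered", "echoing"), run_demo()):
        print(label, result)
```

Run it as a script to see the two classifications side by side; point check_trace at a test host and port to run the same check against a real deployment, keeping in mind that this client speaks plain HTTP, not HTTPS, so the TLS connector on 8443 needs a TLS-capable client such as the curl command above.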

Tomcat web.xml configuration change:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>fortune</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <!-- <http-method>TRACE</http-method> -->
    </web-resource-collection>
    <auth-constraint></auth-constraint>
</security-constraint>
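An added example (not from the original post) that audits a web.xml the way a reviewer would read the constraint above: a <security-constraint> whose <auth-constraint> names no role denies the listed methods outright, while methods not listed, TRACE here, are left to the application and therefore to CsrfFilter. The sample web.xml is constructed from the fragment above; the namespace handling is an assumption about real deployment descriptors, which usually declare xmlns.

```python
"""Added example (not from the original post): list the HTTP methods a web.xml
denies via empty <auth-constraint>, and report whether TRACE reaches the app."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the post's fragment; ET drops the XML comment on parse.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>fortune</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <!-- <http-method>TRACE</http-method> -->
    </web-resource-collection>
    <auth-constraint></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip a {namespace} prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def denied_methods(web_xml_text):
    """Return {url-pattern: set of methods} that no caller may use.

    Only constraints with an <auth-constraint> that lists no <role-name> count:
    that form denies the method for everyone; a missing <auth-constraint>
    means "allow everyone", and one with roles means "login required".
    """
    denied = {}
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = _children(sc, "auth-constraint")
        if not auth or _children(auth[0], "role-name"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            methods = {m.text.strip().upper()
                       for m in _children(wrc, "http-method") if m.text}
            for pat in _children(wrc, "url-pattern"):
                denied.setdefault(pat.text.strip(), set()).update(methods)
    return denied


def trace_reaches_application(web_xml_text, pattern="/*"):
    """True when web.xml does not deny TRACE for the pattern, so that with
    allowTrace="true" on the connector the filter chain sees the request."""
    return "TRACE" not in denied_methods(web_xml_text).get(pattern, set())


if __name__ == "__main__":
    print(denied_methods(SAMPLE_WEB_XML))
    print("TRACE reaches the filter:", trace_reaches_application(SAMPLE_WEB_XML))
```

Uncommenting the TRACE line in the sample flips trace_reaches_application to False, which is the configuration the post deliberately avoids: with TRACE denied in web.xml, Tomcat answers before CsrfFilter runs.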
server.xml configuration change:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="8000"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           clientAuth="false"
           secure="true"
           allowTrace="true"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.3"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
           keystoreFile="tomcat.keystore" keystorePass="aaQQ11@@">
</Connector>

Java code:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class CsrfFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(CsrfFilter.class);

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        String method = httpReq.getMethod();
        log.error("----------------method:{}------", method);
        // TRACE is answered here with 405 and no body, before the request reaches the application
        if ("TRACE".equalsIgnoreCase(method)) {
            log.info("本次请求是 trace请求,请求直接返回"); // "this request is a TRACE request, returning directly"
            httpResponse.setStatus(405);
            return;
        }
        chain.doFilter(httpReq, httpResponse);
    }
}

Note: Tomcat's default is allowTrace = false.
For local testing, a bean must be registered so that the embedded Tomcat in Spring Boot accepts the TRACE method:

import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatTraceConfig {
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatCustomizer() {
        // Equivalent of allowTrace="true" on the connector in server.xml
        return factory -> factory.addConnectorCustomizers(connector -> connector.setAllowTrace(true));
    }
}
posted @ 2022-05-23 10:05  阿呆学习之路