如何在JBoss中禁用HTTP OPTIONS方法？

Question

我正在尝试禁用JBOSS HTTP选项方法。在JBoss的web.xml中使用以下语法，我可以禁用除选项之外的所有http方法。有没有办法成功禁用http-method选项？

click here for screenshot

<security-constraint>  
<web-resource-collection>  
    <web-resource-name>Restricted</web-resource-name>  
    <description>Declarative security tests</description>  
    <url-pattern>/EVE/*</url-pattern>       
    <http-method>PUT</http-method>  
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>    
</web-resource-collection>  
<auth-constraint>  
    <description>Only authenticated users can access secure content</description>  
    <role-name>AuthorizedUser</role-name>  
</auth-constraint>  
<user-data-constraint>  
    <description>no description</description>  
    <transport-guarantee>NONE</transport-guarantee>  
</user-data-constraint>  
</security-constraint>  <security-constraint>  
<web-resource-collection>  
    <web-resource-name>Restricted 2</web-resource-name>  
    <description>Declarative security tests</description>  
    <url-pattern>/*</url-pattern>        
    <http-method>PUT</http-method>  
    <http-method>DELETE</http-method> 
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>  
</web-resource-collection>  
<auth-constraint>  
    <description>Only authenticated users can access secure content</description>  
    <role-name>AuthorizedUser</role-name>  
</auth-constraint>  
<user-data-constraint>  
    <description>no description</description>  
    <transport-guarantee>NONE</transport-guarantee>  
</user-data-constraint>  
</security-constraint>

Answer 1

选项1-使用RewriteValve (可全局应用)

可以使用RewriteValve禁用http方法。看看documentation吧。您将需要一个RewriteCond指令和一个RewriteRule。

在RewriteCond指令中，您可以使用REQUEST_METHOD服务器变量指定所有方法，例如：

RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]

然后，您的RewriteRule可以将这些标记为禁止的(它立即返回一个403 (禁止的)的HTTP响应)，例如：

RewriteRule .* - [F]

如果是Jboss EAP 6

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <rewrite pattern=".*" substitution="-" flags="F">
            <condition test="%{REQUEST_METHOD}" pattern="^(PUT|DELETE|TRACE|OPTIONS)$" flags="NC" />
    </rewrite>
    </virtual-server>
</subsystem>

除此之外，正如在上面的回答中所说的，它可以通过每个战争的web.xml完成。

要检查以上内容，请使用

curl -v -X TRACE http://hostname:port/appContext
curl -v -X DELETE http://hostname:port/appContex

Answer 2

here are the following ways to limit HTTP methods in a web application:

1. Adding security constraints in web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>NoAccess</web-resource-name>
        <url-pattern>/*</url-pattern>
          <http-method>DELETE</http-method>
          <http-method>TRACE</http-method>
          <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

Here DELETE, TRACE and OPTIONS are restricted for all urls. curl -kvv -X DELETE <url> will give 403 Forbidden

2. Using Rewrite rules in domain.xml 

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <rewrite pattern=".*" substitution="-" flags="F">
            <condition test="%{REQUEST_METHOD}" pattern="^(DELETE|TRACE|OPTIONS)$" flags="NC" />
    </rewrite>
    </virtual-server>
</subsystem>

3. Using mod_rewrite in httpd
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(DELETE|TRACE|OPTIONS)$ [NC]
    RewriteRule .* - [F]

Answer 3

我建议使用mod_rewrite。它更干净。