I am trying to block unused HTTP methods (OPTIONS, TRACE, DELETE) with the web.xml security-constraint element. But it blocks all existing resources and throws a 302 response.
My web.xml looks like this.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<display-name>eServices</display-name>
<filter>
<filter-name>sessionvalidator</filter-name>
<filter-class>util.SessionFilter</filter-class>
<init-param>
<param-name>avoid-urls</param-name>
<param-value>/index.jsp</param-value>
</init-param>
</filter>
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>sessionvalidator</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>120</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<taglib>
<taglib-uri>/dateFormat</taglib-uri>
<taglib-location>/WEB-INF/tlds/customfunctions.tld</taglib-location>
</taglib>
<security-constraint>
<display-name>Restricted</display-name>
<web-resource-collection>
<web-resource-name>restrictAccess</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
</web-app>
This blocks all GET requests. Initially I tried adding GET, PUT, POST just to get requests accepted, and later I tried almost every combination.
<security-constraint>
<display-name>Restricted</display-name>
<web-resource-collection>
<web-resource-name>restrictAccess</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
</security-constraint>
FYI, no roles or authentication are used here.
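As an added example (not from the original post), here is a Python check that applies the Servlet spec's constraint-combining rules to a web.xml and reports what a conforming container should do for a given method and path; the sample descriptor is constructed from the question's constraint and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the question (Servlet 2.3, no namespace).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def _local(el):  # tag name without the namespace that Servlet 2.5+ descriptors carry
    return el.tag.rsplit("}", 1)[-1]

def _pattern_matches(pattern, path):  # exact, "/prefix/*", "*.ext" or default "/"
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-2] + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern in ("/", path)

def method_policy(web_xml, method, path):
    # 'denied', 'unconstrained' or 'roles:a,b' per the spec's combining rules: an empty
    # <auth-constraint/> overrides all, a missing one allows anonymous access, else roles union.
    method, roles, matched, open_access, denied = method.upper(), set(), False, False, False
    for sc in (c for c in ET.fromstring(web_xml).iter() if _local(c) == "security-constraint"):
        hit = False
        for wrc in (e for e in sc if _local(e) == "web-resource-collection"):
            kids = [(_local(e), (e.text or "").strip()) for e in wrc]
            listed = {v.upper() for k, v in kids if k == "http-method"}
            omitted = {v.upper() for k, v in kids if k == "http-method-omission"}
            # covered: listed, or not omitted when only omissions are given, or always if neither
            covered = method in listed if listed else method not in omitted
            if covered and any(_pattern_matches(v, path) for k, v in kids if k == "url-pattern"):
                hit = True
        if not hit:
            continue
        matched = True
        ac = [e for e in sc if _local(e) == "auth-constraint"]
        names = [(r.text or "").strip() for r in (ac[0] if ac else []) if _local(r) == "role-name"]
        open_access |= not ac
        denied |= bool(ac) and not names
        roles.update(names)
    if denied:
        return "denied"
    return "unconstrained" if not matched or open_access else "roles:" + ",".join(sorted(roles))
```

Against the question's constraint it reports GET as unconstrained and only OPTIONS, TRACE and DELETE as denied, which is what the spec prescribes for that descriptor.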