
I have a spring-boot 1.3.0-BUILD-SNAPSHOT project with Spring Security, and I am worried about the security of the REST endpoints. I have defined a CORS filter:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class CorsConfiguration {

    @Bean
    public WebMvcConfigurer corsConfigurer() {

        return new WebMvcConfigurerAdapter() {

            @Override
            public void addCorsMappings(CorsRegistry registry) {

                // allowedHeaders() and allowedMethods() take varargs of names
                registry.addMapping("/**").allowedOrigins("*")
                        .allowedHeaders("Access-Control-Allow-Origin", "*", "x-requested-with")
                        .allowedHeaders("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
                        .allowedMethods("GET", "POST", "PUT", "DELETE")
                        .allowedMethods("Access-Control-Allow-Headers", "Content-Type")
                        .maxAge(3600);

            }

        };
    }
}

I have a REST controller:

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@Transactional
public class QuestionController extends BaseController {

    @Autowired
    private QuestionService questionService;

    // Only GET is mapped for /questions
    @RequestMapping(value = "/questions", method = RequestMethod.GET)
    @ResponseBody
    public List<Question> getAllQuestions() {
        return questionService.getAllAvailableQuestions();
    }

  ...
}

But when I hit one of the endpoints with an OPTIONS call, the result seems to allow more than just the GET that this endpoint defines:

Allow → GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Cache-Control → no-cache, no-store, max-age=0, must-revalidate
Content-Length → 0
Date → Wed, 28 Oct 2015 16:32:12 GMT
Expires → 0
Pragma → no-cache
Server → Apache-Coyote/1.1
X-CSRF-HEADER → X-CSRF-TOKEN
X-CSRF-PARAM → _csrf
X-CSRF-TOKEN → 83983056-f904-449e-a215-fe9f9492866b
X-Content-Type-Options → nosniff
X-Frame-Options → DENY
X-XSS-Protection → 1; mode=block

I think Spring MVC ignores OPTIONS calls by default. But I guess I also don't understand why I see Allow → GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH being returned when I only allow GET for that call. Across the whole application I only allow GET, PUT, POST and DELETE, so I don't know why the other values are returned or what that means. Most importantly, is this a security vulnerability?


2 Answers


If you take a look at the JavaDoc of BaseFrameworkServlet#setDispatchOptionsRequest(), it contains the following comment:

Set whether this servlet should dispatch an HTTP OPTIONS request to the #doService method. Default is "false", applying javax.servlet.http.HttpServlet's default behavior (i.e. enumerating all standard HTTP request methods as a response to the OPTIONS request).


But I guess I also don't understand why I am seeing Allow → GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH being returned when I only allow GET for that call.

As mentioned in the comment above, the request is not handled by the Spring MVC dispatcher but by HttpServletRequest#doOptions, which enumerates the HTTP methods the server supports and knows nothing about your controller mapping.

If you want to verify this behavior, you can put breakpoints in DispatcherServlet's doService method and HttpServlet's doOptions method and see which one gets called. If you want the OPTIONS request to be handled by the dispatcher, you can enable it using one of the ways described here.

answered 2015-10-28T19:20:08.847

For a Spring Boot application, add the following property to the application.properties file:

spring.mvc.dispatch-options-request=true

That will do the job.

answered 2016-03-03T07:46:40.147
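As an added example (not code from the question or either answer), this puts both answers together: with spring.mvc.dispatch-options-request=true set, a plain OPTIONS request reaches the DispatcherServlet, so the controller can advertise only the methods the resource really supports instead of the servlet container's full list; the CORS registration also keeps allowed header names and allowed methods apart, which the question's configuration mixes together. Class names, the origin https://app.example.com and the sample data are assumptions.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

// Assumes application.properties contains:
//   spring.mvc.dispatch-options-request=true
// Without it, HttpServlet.doOptions() answers OPTIONS before Spring MVC sees the request.

@Configuration
public class CorsAndOptionsConfig {

    // allowedHeaders() lists request header NAMES the browser may send;
    // allowedMethods() lists HTTP methods. Spring writes the Access-Control-* response
    // headers itself, so they are not passed here as name/value pairs.
    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurerAdapter() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/questions/**")
                        .allowedOrigins("https://app.example.com") // assumed origin, narrower than "*"
                        .allowedHeaders("Content-Type", "X-Requested-With")
                        .allowedMethods("GET")
                        .maxAge(3600);
            }
        };
    }
}

@RestController
class QuestionsController {

    @RequestMapping(value = "/questions", method = RequestMethod.GET)
    public List<String> getAllQuestions() {
        return Arrays.asList("q1", "q2"); // constructed sample data
    }

    // Reached only when dispatch-options-request=true. A CORS preflight (Origin plus
    // Access-Control-Request-Method) is answered by Spring's CORS processing before this;
    // a plain OPTIONS lands here and gets "Allow: GET, OPTIONS" rather than the container list.
    @RequestMapping(value = "/questions", method = RequestMethod.OPTIONS)
    public ResponseEntity<Void> questionsOptions() {
        return ResponseEntity.ok().allow(HttpMethod.GET, HttpMethod.OPTIONS).build();
    }
}
```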