java - Tomcat (7, 8) custom 403 page is not shown, and it conflicts with disabling HTTP methods.
阿神 2017-04-18 09:44:27

A B/S system went through a security assessment, and the report requires disabling some rarely used HTTP methods (PUT, DELETE, OPTIONS, etc.). Following the approach found online, I added the following to the end of the application's web.xml:

<!-- security configuration start -->
<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- empty auth-constraint: nobody may use the listed methods -->
    <auth-constraint/>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<!-- security configuration end -->

The HTTP methods above are indeed disabled, but the request ends up on Tomcat's own 403 page, as shown in the screenshot below:

According to the assessment requirements, the Tomcat version exposed in the red part of the screenshot above has to be hidden with a custom 403 page, so I added the following after the security configuration above:

<error-page>
    <error-code>404</error-code>
    <location>/sys/404.html</location>
</error-page>
<error-page>
    <error-code>403</error-code>
    <location>/sys/403.html</location>
</error-page>

The result was...... it had no effect at all, and the HTTP method restriction stopped working as well.
After some experimenting I found that error-codes such as 404 and 500 all work normally and do not conflict with the HTTP method restriction.
As soon as 403 is added, the HTTP methods can no longer be restricted, and the request is not sent to the custom 403.html either.

The complete web.xml is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <!-- security configuration start -->
    <display-name>BISMFramework</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    <!-- security configuration end -->
    <!--############################ basic server configuration  start ############################-->

    <!-- session timeout, in minutes -->
    <session-config>
        <session-timeout>-1</session-timeout>
    </session-config>
    <!--############################ basic server configuration  end ############################-->

    <!--############################ Spring MVC configuration  start ############################-->
    <servlet>
        <servlet-name>springmvc</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:spring-mvc.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>springmvc</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!-- encoding handling: convert the request encoding to utf-8 -->
    <filter>
        <filter-name>encodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>utf-8</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>encodingFilter</filter-name>
        <!-- /* so that the filter runs for every request, not only for "/" -->
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!--############################ Spring MVC configuration  end ############################-->

    <!--############################ Spring configuration start ############################-->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- location of the Spring bean configuration file; by default it is under WEB-INF -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:applicationContext.xml</param-value>
    </context-param>
    <!--############################ Spring configuration end ############################-->
    <!-- security configuration start -->
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <!-- empty auth-constraint: nobody may use the listed methods -->
        <auth-constraint/>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
    <!-- security configuration end -->
    <error-page>
        <error-code>404</error-code>
        <location>/sys/404.html</location>
    </error-page>
    <error-page>
        <error-code>403</error-code>
        <location>/sys/403.html</location>
    </error-page>
</web-app>
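As an added check (not code from the original post), the following Python audits a web.xml for the two settings the question is about: which HTTP methods a security-constraint really denies for everyone (only a present but empty auth-constraint does that; a missing one or one naming roles is an authorization rule) and whether custom 403/404 error pages are declared. The embedded web.xml is a constructed sample modelled on the post's configuration, and the function names are my own.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}
# Constructed sample modelled on the post's web.xml: the method-denying
# constraint plus the 404 and 403 error pages (Spring parts omitted).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <error-page><error-code>404</error-code><location>/sys/404.html</location></error-page>
  <error-page><error-code>403</error-code><location>/sys/403.html</location></error-page>
</web-app>"""

def denied_methods(web_xml):
    """Map each url-pattern to the HTTP methods denied to everyone ('*' = all).
    Only a present-but-empty <auth-constraint/> denies outright; a missing one
    or one naming roles is an authorization rule and is skipped here."""
    root = ET.fromstring(web_xml)
    denied = {}
    for sc in root.findall("j:security-constraint", NS):
        auth = sc.find("j:auth-constraint", NS)
        if auth is None or auth.find("j:role-name", NS) is not None:
            continue
        for wrc in sc.findall("j:web-resource-collection", NS):
            methods = {m.text.strip().upper() for m in wrc.findall("j:http-method", NS)} or {"*"}
            for pat in wrc.findall("j:url-pattern", NS):
                denied.setdefault(pat.text.strip(), set()).update(methods)
    return denied

def custom_error_pages(web_xml):
    """Map each numeric error-code to the location of its custom page."""
    pages = {}
    for ep in ET.fromstring(web_xml).findall("j:error-page", NS):
        code, loc = ep.find("j:error-code", NS), ep.find("j:location", NS)
        if code is not None and loc is not None:
            pages[int(code.text)] = loc.text.strip()
    return pages

def still_allowed(web_xml, methods=("PUT", "DELETE", "OPTIONS", "TRACE")):
    """Methods from the assessment's list that no constraint denies on /*."""
    denied = denied_methods(web_xml).get("/*", set())
    return [] if "*" in denied else [m for m in methods if m not in denied]
```

Run `still_allowed` and `custom_error_pages` against the deployed web.xml after each change; a 403 entry with no matching page under the web root, or a method still listed as allowed, is what the assessment would flag.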