Tomcat: disabling the TRACE, PUT, HEAD, OPTIONS and DELETE request methods

Background

The project only uses GET and POST requests. For security reasons, the TRACE, HEAD, PUT, DELETE and OPTIONS request methods are to be disabled.

Implementation

Add the following request-method restriction at the end of Tomcat's web.xml configuration file (Tomcat 8 was used here):

<security-constraint>
    <web-resource-collection>
        <!-- web-resource-name is required by the deployment descriptor schema -->
        <web-resource-name>restricted-methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- an auth-constraint with no role-name denies these methods to everyone -->
    <auth-constraint>
    </auth-constraint>
</security-constraint>

The aim here is simply to have the server accept only GET and POST requests, with no other permission restrictions, and this configuration achieves that.

Problem

After testing, every request method except TRACE was successfully intercepted. A TRACE request returned 405 Method Not Allowed, which means that TRACE was not intercepted by the security constraint. Checking the Connector documentation, I found an allowTrace attribute that disables TRACE requests by default; setting allowTrace to true lets the security constraint restrict TRACE. As for why, my understanding is that the Connector takes priority over the security-constraint configuration.

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           allowTrace="true"/>
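As an added example that is not part of the original post, the following Python script audits web.xml and server.xml fragments modelled on the configuration above: it reports which of the targeted methods are not denied by a blanket security-constraint, and whether allowTrace lets TRACE reach the web application at all. The XML fragments, the web-resource-name value and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment modelled on the security-constraint above.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted-methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

# Constructed server.xml fragment with the Connector change from the post.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" allowTrace="true"/>
</Service></Server>"""

def denied_methods(web_xml, url_pattern="/*"):
    """Methods that web.xml denies to every caller for url_pattern: a constraint
    is a blanket deny when <auth-constraint> is present but names no role."""
    root = ET.fromstring(web_xml)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    denied = set()
    for sc in root.iter(ns + "security-constraint"):
        auth = sc.find(ns + "auth-constraint")
        if auth is None or auth.find(ns + "role-name") is not None:
            continue  # no auth-constraint, or roles granted: not a blanket deny
        for wrc in sc.findall(ns + "web-resource-collection"):
            patterns = {p.text.strip() for p in wrc.findall(ns + "url-pattern")}
            if url_pattern in patterns:
                denied |= {m.text.strip().upper() for m in wrc.findall(ns + "http-method")}
    return denied

def trace_reaches_webapp(server_xml):
    """True if a Connector sets allowTrace="true"; with the default (false) the
    Connector answers TRACE with 405 itself, before web.xml is consulted."""
    root = ET.fromstring(server_xml)
    return any(c.get("allowTrace", "false").lower() == "true"
               for c in root.iter("Connector"))

def audit(web_xml, server_xml, wanted=("HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")):
    """Which wanted methods web.xml fails to deny, and whether TRACE even reaches it."""
    return {"missing": sorted(set(wanted) - denied_methods(web_xml)),
            "trace_via_connector": trace_reaches_webapp(server_xml)}
```

Point the two functions at the real files to confirm the deployed descriptor still lists every method you expect; a method that is not listed stays allowed.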

The above is all my personal understanding; criticism is welcome!


Source: blog.csdn.net/samz5906/article/details/79887580