How to disable the TRACE method in Jetty

2021-07-19


HTTP TRACE

About the HTTP TRACE method

TRACE (and its IIS-only counterpart TRACK) are HTTP methods meant for debugging the path between a client and a web server: the server echoes the request it received, headers included, back to the client in the response body.
A server that answers TRACE is exposed to Cross-Site Tracing, usually abbreviated XST when it is listed among browser-side weaknesses. XST is not itself cross-site scripting; it combines TRACE with a client-side script injection so that the script can read headers the browser would otherwise hide from it, such as HttpOnly cookies and Authorization headers, because the server reflects them in the TRACE response.
An attacker can therefore impersonate a legitimate user and obtain their private data. Modern browsers refuse to issue TRACE from XMLHttpRequest or fetch, which blunts the classic attack, but an enabled TRACE method is still flagged by every vulnerability scanner and needlessly discloses headers added by intermediate proxies (Via, X-Forwarded-For), as the curl output later on this page shows.
Solution: disable these methods.

Disabling TRACE in Jetty

Standalone (non-embedded) Jetty

To block it outright, add a security constraint. Note that security-constraint is a servlet-specification web.xml element, not jetty.xml configuration: put it in the web application's WEB-INF/web.xml, or in Jetty's etc/webdefault.xml to apply it to every deployed webapp. The empty auth-constraint means no role is permitted, so every TRACE request is refused; Jetty answers such requests with 403 Forbidden rather than the 405 produced by the filter approach below.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>NoTrace</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
</security-constraint>

Spring Boot with embedded Jetty

Use a servlet filter to reject every TRACE request before it reaches any servlet:

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Mapped to every path so that no servlet ever sees a TRACE request. Without it,
// Spring's DispatcherServlet falls through to HttpServlet.doTrace(), which echoes
// the request back as message/http (the 200 response shown in the test below).
@WebFilter(urlPatterns = "/*", filterName = "jettyFilter")
public class JettyFilter implements Filter {

    private final Logger logger = LoggerFactory.getLogger(JettyFilter.class);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to initialise
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        logger.info("filter entered -----");
        if ("TRACE".equalsIgnoreCase(httpRequest.getMethod())) {
            // Answer 405 and return without calling the chain: the request never
            // reaches a servlet, so nothing is echoed back to the client.
            httpResponse.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            logger.info("TRACE request rejected");
            return;
        }
        logger.info("filter passing request on -----");
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

Add @ServletComponentScan to the application class so that Spring Boot registers the @WebFilter with the embedded container:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.ServletComponentScan;

@SpringBootApplication
@ServletComponentScan   // picks up @WebFilter / @WebServlet classes such as JettyFilter
public class CooperativeApplication {
    public static void main(String[] args) {
        SpringApplication.run(CooperativeApplication.class, args);
    }
}

Testing

Test with curl. Before TRACE is disabled, the server returns 200 with a message/http body that echoes the whole request, including the headers the intermediate proxy added on the way in (X-Forwarded-For with an internal address, Via); a Cookie or Authorization header sent by the client would be echoed the same way:

curl -v -X TRACE http://127.0.0.1:8396
*   Trying 127.0.0.1:8396...
* Connected to 127.0.0.1 (127.0.0.1) port 8396 (#0)
> TRACE / HTTP/1.1
> Host: 127.0.0.1:8396
> User-Agent: curl/7.77.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: message/http
< Content-Length: 178
< Connection: Keep-alive
< Via: 1.1 ID-0002262070652452 uproxy-8
<
TRACE / HTTP/1.1
User-Agent: curl/7.77.0
Connection: keep-alive
X-Forwarded-For: 10.152.22.244
Host: 127.0.0.1:8396
Accept: */*
Via: 1.1 ID-0002262070652452 uproxy-8
* Connection #0 to host 127.0.0.1 left intact

After TRACE is disabled, the filter answers 405 Method Not Allowed with an empty body:

curl -v -X TRACE http://127.0.0.1:8392
*   Trying 127.0.0.1:8392...
* Connected to 127.0.0.1 (127.0.0.1) port 8392 (#0)
> TRACE / HTTP/1.1
> Host: 127.0.0.1:8392
> User-Agent: curl/7.77.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 405 Method Not Allowed
< Content-Length: 0
<
* Connection #0 to host 127.0.0.1 left intact
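The check below is an added example, not code from the original post. It turns the two curl transcripts above into an automated verdict and implements the Cross-Site Tracing check described in the HTTP TRACE section: does a TRACE response mirror the request, and which headers does it give away? The request and response strings are constructed from the two curl outputs on this page, with a Cookie header added to the request to show how a session credential would be reflected; the helper names (parse_http_message, assess_trace, TraceVerdict) are this example's own.

```python
"""Classify HTTP TRACE responses for Cross-Site Tracing (XST) exposure.

Added example, not part of the original post. The sample request and
responses are constructed from the curl transcripts shown above.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Reflected credentials are the classic XST payoff: a script that can make the
# server echo the request learns values the browser hides from it.
CREDENTIAL_HEADERS = {"cookie", "authorization", "proxy-authorization"}
# Headers a reverse proxy adds on the way in; echoing them discloses internal
# topology (the transcript above leaks 10.152.22.244 and the proxy's Via tag).
PROXY_HEADERS = {"via", "x-forwarded-for", "x-real-ip", "forwarded"}


def parse_http_message(raw: str) -> tuple[str, dict[str, str], str]:
    """Split a raw HTTP request or response into (start line, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


@dataclass
class TraceVerdict:
    status: int
    trace_enabled: bool
    reflected_headers: list[str] = field(default_factory=list)
    leaked_credentials: list[str] = field(default_factory=list)
    disclosed_proxy_headers: list[str] = field(default_factory=list)


def assess_trace(request: str, response: str) -> TraceVerdict:
    """Decide whether the response to a TRACE request mirrors it (XST exposure).

    A 405 (filter) or 403 (Jetty security constraint) means TRACE is off.
    A 200 with a message/http body whose request line matches what we sent
    means the server reflects requests; we then list which headers came back.
    """
    req_line, _, _ = parse_http_message(request)
    status_line, resp_headers, body = parse_http_message(response)
    status = int(status_line.split()[1])
    verdict = TraceVerdict(status=status, trace_enabled=False)
    if status != 200:
        return verdict
    body_line, echoed, _ = parse_http_message(body)
    content_type = resp_headers.get("content-type", "")
    if not (content_type.startswith("message/http") and body_line == req_line):
        return verdict  # 200 but not an echo: some other handler answered
    verdict.trace_enabled = True
    verdict.reflected_headers = sorted(echoed)
    verdict.leaked_credentials = sorted(h for h in echoed if h in CREDENTIAL_HEADERS)
    verdict.disclosed_proxy_headers = sorted(h for h in echoed if h in PROXY_HEADERS)
    return verdict


# Constructed from the first curl transcript; the Cookie line is added here to
# show what a reflected session credential looks like (the page's run sent none).
REQUEST = (
    "TRACE / HTTP/1.1\r\n"
    "Host: 127.0.0.1:8396\r\n"
    "User-Agent: curl/7.77.0\r\n"
    "Accept: */*\r\n"
    "Cookie: JSESSIONID=constructed-example-value\r\n"
    "\r\n"
)

VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "Connection: Keep-alive\r\n"
    "Via: 1.1 ID-0002262070652452 uproxy-8\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\n"
    "User-Agent: curl/7.77.0\r\n"
    "Connection: keep-alive\r\n"
    "X-Forwarded-For: 10.152.22.244\r\n"
    "Host: 127.0.0.1:8396\r\n"
    "Accept: */*\r\n"
    "Cookie: JSESSIONID=constructed-example-value\r\n"
    "Via: 1.1 ID-0002262070652452 uproxy-8\r\n"
)

# Constructed from the second curl transcript (after the filter was installed).
BLOCKED_RESPONSE = "HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    for label, resp in (("before fix", VULNERABLE_RESPONSE), ("after fix", BLOCKED_RESPONSE)):
        print(label, assess_trace(REQUEST, resp))
```

Run as a script it prints a verdict for each transcript: the first is flagged as trace_enabled with the cookie listed under leaked_credentials and Via / X-Forwarded-For under disclosed_proxy_headers, the second is reported as blocked. In a deployment check you would feed assess_trace the raw bytes of a TRACE probe against the running service and fail when trace_enabled is true; the 403 that Jetty's security-constraint variant returns is treated the same way as the filter's 405.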

王显锋
