20180206
Field report from the mtn site: PUT requests are answered with 403 Forbidden.
The first thing that came to mind was that Tomcat itself might be restricting PUT, so I checked tomcat/conf/web.xml:
<!-- readonly Is this context "read only", so HTTP -->
<!-- commands like PUT and DELETE are -->
<!-- rejected? [true] -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
Looking at org.apache.catalina.servlets.DefaultServlet, readOnly defaults to true, so PUT and DELETE requests are refused by default; to allow them, the readonly init-param in the configuration above has to be set to false.
/**
 * Read only flag. By default, it's set to true.
 */
protected boolean readOnly = true;

if (getServletConfig().getInitParameter("readonly") != null)
    readOnly = Boolean.parseBoolean(getServletConfig().getInitParameter("readonly"));
/**
 * Process a PUT request for the specified resource.
 *
 * @param req The servlet request we are processing
 * @param resp The servlet response we are creating
 *
 * @exception IOException if an input/output error occurs
 * @exception ServletException if a servlet-specified error occurs
 */
@Override
protected void doPut(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException {
    if (readOnly) {
        resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
    }
    ......
}
/**
 * Process a DELETE request for the specified resource.
 *
 * @param req The servlet request we are processing
 * @param resp The servlet response we are creating
 *
 * @exception IOException if an input/output error occurs
 * @exception ServletException if a servlet-specified error occurs
 */
@Override
protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException {
    if (readOnly) {
        resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
    }
    ......
}
mtn had set readonly=false in web.xml, yet the site still reported 403, so I inspected the site's own web.xml and found the following configuration:
<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
This was added because of the Tomcat 7 vulnerability: the integration guidelines require the configuration above, which disables PUT and DELETE requests. An <auth-constraint> with no <role-name> denies the listed methods to every caller on every URL, and the container enforces that constraint before the request is dispatched to any servlet, so the DefaultServlet readonly setting never comes into play.
Reference for the Tomcat vulnerability: https://www.waitalone.cn/tomcat-cve-2017-12615.html
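To tell the two causes apart from a web.xml alone, here is an added audit script (my own example, not part of the original post or of Tomcat) that reads a web.xml, applies DefaultServlet's readonly rule and flags any empty <auth-constraint/> that denies PUT; the embedded web.xml is a constructed sample combining the two fragments shown above, and the namespace and element names are the standard Servlet ones.

```python
import xml.etree.ElementTree as ET
# Constructed sample (not a real deployment): both settings from the post in one web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern>
      <http-method>PUT</http-method><http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/></security-constraint>
</web-app>"""

def _all(root, name):  # tag comparisons strip the xmlns so namespaced web.xml parses alike
    return [e for e in root.iter() if e.tag.split("}")[-1] == name]
def _children(elem, name):
    return [c for c in elem if c.tag.split("}")[-1] == name]
def _text(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text]

def default_servlet_readonly(root):
    # Same rule as DefaultServlet: readOnly is true unless init-param readonly parses as "true"
    for servlet in _all(root, "servlet"):
        if _text(servlet, "servlet-class") != ["org.apache.catalina.servlets.DefaultServlet"]:
            continue
        for param in _children(servlet, "init-param"):
            if _text(param, "param-name") == ["readonly"]:
                return [v.lower() for v in _text(param, "param-value")] == ["true"]
    return True  # nothing declared: Tomcat's built-in default is read-only

def denied_methods(root):
    # url-pattern -> HTTP methods that an empty <auth-constraint/> denies to every caller
    denied = {}
    for sc in _all(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        if not auth or _children(auth[0], "role-name"):
            continue  # no auth-constraint, or some role is permitted: not a blanket deny
        for wrc in _children(sc, "web-resource-collection"):
            methods = {m.upper() for m in _text(wrc, "http-method")} or {"*"}  # none listed = all
            for pattern in _text(wrc, "url-pattern"):
                denied.setdefault(pattern, set()).update(methods)
    return denied

def explain_put_403(web_xml):
    # Every configured reason a PUT is answered with 403 before any application code runs
    root = ET.fromstring(web_xml)
    reasons = ["DefaultServlet readonly=true"] if default_servlet_readonly(root) else []
    reasons += [f"empty auth-constraint denies PUT on {pattern}"
                for pattern, methods in denied_methods(root).items() if methods & {"PUT", "*"}]
    return reasons
```

Running explain_put_403 on the sample reports only the security-constraint, which is exactly the situation the site was in: readonly=false was honoured, but the constraint blocked PUT first.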
References:
Tomcat vulnerability: https://www.waitalone.cn/tomcat-cve-2017-12615.html
<security-constraint> in web.xml and the four authentication types: http://blog.csdn.net/lisheng19870305/article/details/40819481
Tomcat vulnerability: remote code execution via PUT: http://blog.csdn.net/u011499747/article/details/78108240
REST interfaces in Java not supporting the PUT method: https://www.cnblogs.com/91Winner/p/5717507.html