验证方式:curl -v -X TRACE ip:port,或使用其他接口调试工具如Postman
响应:状态行405 Method Not Allowed且响应体无内容
方案一:使用过滤器
若webserver是tomcat, 添加过滤器的方式有很多
@Component
public class TraceHttpMethodFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
if (HttpMethod.TRACE.matches(request.getMethod())) {
response.setStatus(HttpStatus.METHOD_NOT_ALLOWED.value());
return;
}
filterChain.doFilter(request, response);
}
}
若是springcloud gateway,其使用Netty作为webserver
@Component
public class GatewayTraceHttpMethodFilter implements WebFilter, Ordered {
@Override
public int getOrder() {
return HIGHEST_PRECEDENCE;
}
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
if (HttpMethod.TRACE == exchange.getRequest().getMethod()) {
var response = exchange.getResponse();
response.setStatusCode(HttpStatus.METHOD_NOT_ALLOWED);
return response.setComplete();
}
return chain.filter(exchange);
}
}
方案二:自定义WebServerFactory配置
若WebServer是Undertow
@Configuration
public class UndertowWebServerFactoryConfig implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {
@Override
public void customize(UndertowServletWebServerFactory factory) {
factory.addDeploymentInfoCustomizers(deploymentInfo -> {
deploymentInfo.addInitialHandlerChainWrapper(httpHandler -> {
HttpString[] disAllowedHttpMethods = {HttpString.tryFromString(HttpMethod.TRACE.name())};
return new DisallowedMethodsHandler(httpHandler, disAllowedHttpMethods);
});
});
}
}
