【安全加固】Tomcat限制不安全的HTTP方法

默认Tomcat是禁止PUT和DELETE方法的,在tomcat中conf下的web.xml中:
可以看到关于readonly的解释
Is this context “read only”, so HTTP commands like PUT and DELETE are rejected?  [true]
可以看到默认是True,即不允许delete和put操作,会返回403。

如果不想限制的话,可以在Tomcat的web.xml 文件中配置org.apache.catalina.servlets.DefaultServlet的初始化参数中添加
<init-param>
<param-name>readonly</param-name>
<param-value>false</param-value>
</init-param>

另外还可以修改应用中的web.xml
<?xml version=”1.0″ encoding=”UTF-8″?>
<web-app xmlns=”http://Java.sun.com/xml/ns/j2ee”
xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”
xsi:schemaLocation=”http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd”
version=”2.4″>
的下面添加
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>