[关闭]
@websec007 2018-03-29T21:33:05.000000Z 字数 2794 阅读 3642

Tomcat 启用/禁用PUT & DELETE

未分类


一、Tomcat 默认配置测试

Tomcat 默认是禁用了http 的PUT & DELETE 方法的,主要通过初始化变量"read-only"来实现,其默认值是"true"即不允许使用PUT & DELETE方法的。(默认没有任何关于 read-only的配置即表示不支持PUT & DELETE方法)

1.1 测试版本信息

测试版本:7.0.11 、8.5.16

1.2 默认PUT 与 DELETE 开启情况

测试默认安装的 Tomcat 其关于 PUT & DELETE请求方法的开启情况。

  1. C:\Users\admin>curl -v -X PUT -d "123" http://127.0.0.1:8080/2.txt
  2. * Trying 127.0.0.1...
  3. * TCP_NODELAY set
  4. * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
  5. > PUT /2.txt HTTP/1.1
  6. > Host: 127.0.0.1:8080
  7. > User-Agent: curl/7.57.0
  8. > Accept: */*
  9. > Content-Length: 3
  10. > Content-Type: application/x-www-form-urlencoded
  11. >
  12. * upload completely sent off: 3 out of 3 bytes
  13. < HTTP/1.1 404 Not Found
  14. < Content-Type: text/html;charset=utf-8
  15. < Content-Length: 952
  16. < Date: Wed, 14 Mar 2018 09:58:01 GMT
  17. < Server: Response_Server_Tag

二、开启 PUT & DLETE 测试

2.1 编辑"readonly"测试

(1) 设置 readonly 为false

在 中添加初始化变量 "readonly" 并赋值为"false"。

  1. <servlet>
  2. <servlet-name>default</servlet-name>
  3. <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  4. <init-param>
  5. <param-name>debug</param-name>
  6. <param-value>0</param-value>
  7. </init-param>
  8. <init-param>
  9. <param-name>listings</param-name>
  10. <param-value>false</param-value>
  11. </init-param>
  12. <!--第一步:添加初始化参数 readonly 为 false -->
  13. <init-param>
  14. <param-name>readonly</param-name>
  15. <param-value>false</param-value>
  16. </init-param>
  17. <load-on-startup>1</load-on-startup>
  18. </servlet>

注:设置完参数后,需要重启tomcat,配置才能正式生效,请注意。

(2) 测试PUT & DELETE

  1. C:\Users\admin>curl -v -X PUT -d "123" http://127.0.0.1:8080/2.txt
  2. * Trying 127.0.0.1...
  3. * TCP_NODELAY set
  4. * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
  5. > PUT /2.txt HTTP/1.1
  6. > Host: 127.0.0.1:8080
  7. > User-Agent: curl/7.57.0
  8. > Accept: */*
  9. > Content-Length: 3
  10. > Content-Type: application/x-www-form-urlencoded
  11. >
  12. * upload completely sent off: 3 out of 3 bytes
  13. < HTTP/1.1 201 Created
  14. < Content-Length: 0
  15. < Date: Wed, 14 Mar 2018 10:06:14 GMT
  16. < Server: Response_Server_Tag
  17. <
  18. * Connection #0 to host 127.0.0.1 left intact
  19. C:\Users\admin>curl -v -X DELETE http://127.0.0.1:8080/2.txt
  20. * Trying 127.0.0.1...
  21. * TCP_NODELAY set
  22. * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
  23. > DELETE /2.txt HTTP/1.1
  24. > Host: 127.0.0.1:8080
  25. > User-Agent: curl/7.57.0
  26. > Accept: */*
  27. >
  28. < HTTP/1.1 204 No Content
  29. < Date: Wed, 14 Mar 2018 10:06:24 GMT
  30. < Server: Response_Server_Tag
  31. <
  32. * Connection #0 to host 127.0.0.1 left intact

(3) 测试 OPTIONS 操作

  1. # 根目录随便带一个参数的测试结果:直接显示服务仍然是开启各种http请求方法的。
  2. C:\Users\admin>curl -I -X OPTIONS http://127.0.0.1:8080/1
  3. HTTP/1.1 200 OK
  4. Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
  5. Content-Length: 0
  6. Date: Wed, 14 Mar 2018 10:17:32 GMT
  7. Server: Response_Server_Tag
  8. # 直接测试根目录的测试结果:直接使用根目录进行请求测试的结果是没有任何http方法返回。
  9. C:\Users\admin>curl -I -X OPTIONS http://127.0.0.1:8080/
  10. HTTP/1.1 200 OK
  11. Set-Cookie: JSESSIONID=6A749C6343017BDEE08EA135EF6FA352; Path=/; HttpOnly
  12. Content-Type: text/html;charset=ISO-8859-1
  13. Transfer-Encoding: chunked
  14. Date: Wed, 14 Mar 2018 10:17:47 GMT
  15. Server: Response_Server_Tag
添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注