@websec007
2018-03-29T21:33:05.000000Z
Tomcat disables the HTTP PUT and DELETE methods by default. The switch is the DefaultServlet init parameter "readonly": its default value is "true", which means PUT and DELETE requests are refused. (A default install has no readonly entry in its configuration at all, which amounts to the same thing: PUT and DELETE are not supported.)
Tested versions: 7.0.11, 8.5.16
First, check how a default Tomcat install handles PUT and DELETE requests. Tomcat refuses the write; the exact error status it answers with depends on the version, so treat anything other than a 2xx as a refusal.
C:\Users\admin>curl -v -X PUT -d "123" http://127.0.0.1:8080/2.txt
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> PUT /2.txt HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.57.0
> Accept: */*
> Content-Length: 3
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 3 out of 3 bytes
< HTTP/1.1 404 Not Found
< Content-Type: text/html;charset=utf-8
< Content-Length: 952
< Date: Wed, 14 Mar 2018 09:58:01 GMT
< Server: Response_Server_Tag
To enable them, add the init parameter "readonly" with the value "false" to the default servlet's <servlet> definition in Tomcat's conf/web.xml:
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <!-- Step 1: add the init parameter readonly with the value false -->
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
Note: Tomcat must be restarted after changing the parameter; the new configuration only takes effect after the restart. With readonly set to false, anyone who can reach the server can create and delete files inside the webapp, as the next two requests show.
C:\Users\admin>curl -v -X PUT -d "123" http://127.0.0.1:8080/2.txt
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> PUT /2.txt HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.57.0
> Accept: */*
> Content-Length: 3
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 3 out of 3 bytes
< HTTP/1.1 201 Created
< Content-Length: 0
< Date: Wed, 14 Mar 2018 10:06:14 GMT
< Server: Response_Server_Tag
<
* Connection #0 to host 127.0.0.1 left intact
C:\Users\admin>curl -v -X DELETE http://127.0.0.1:8080/2.txt
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> DELETE /2.txt HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.57.0
> Accept: */*
>
< HTTP/1.1 204 No Content
< Date: Wed, 14 Mar 2018 10:06:24 GMT
< Server: Response_Server_Tag
<
* Connection #0 to host 127.0.0.1 left intact
# OPTIONS against an arbitrary path under the root: the Allow header shows that the server still accepts all of these HTTP methods, PUT and DELETE included.
C:\Users\admin>curl -I -X OPTIONS http://127.0.0.1:8080/1
HTTP/1.1 200 OK
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
Content-Length: 0
Date: Wed, 14 Mar 2018 10:17:32 GMT
Server: Response_Server_Tag
# OPTIONS against the root itself: the response carries no Allow header at all. The JSESSIONID cookie and the text/html body indicate that this request was answered by the ROOT webapp's welcome page (index.jsp, handled by JspServlet) rather than by DefaultServlet, so it says nothing about the readonly setting; probe a path that DefaultServlet actually serves, as in the previous test.
C:\Users\admin>curl -I -X OPTIONS http://127.0.0.1:8080/
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=6A749C6343017BDEE08EA135EF6FA352; Path=/; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Wed, 14 Mar 2018 10:17:47 GMT
Server: Response_Server_Tag
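The manual checks above (OPTIONS, PUT and DELETE with curl, and the OPTIONS difference between a sub-path and the root) can be automated. The following script is an added example and not code from the original post or from Tomcat: it probes a base URL with Python's http.client and decides writability from a 2xx on PUT, and it includes a small stand-in server that imitates DefaultServlet's readonly switch so the probe can be run offline. The stand-in's behaviour (403 for refused writes, PUT and DELETE listed in Allow only when readonly is false) and the names probe, is_writable, start_server and demo are assumptions of this example, not Tomcat's real code or status codes.

```python
"""Check a Tomcat host for PUT/DELETE support (readonly=false on DefaultServlet).

Added example, not code from the original post or from Tomcat. It repeats the
manual curl checks with http.client and ships a small stand-in server that
imitates DefaultServlet's readonly switch so the probe can run offline. The
stand-in's status codes are assumptions, not Tomcat's real behaviour.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlparse


def _send(base_url, method, path, body=None):
    """One request on a fresh connection; returns (status, headers)."""
    u = urlparse(base_url)
    conn = HTTPConnection(u.hostname, u.port or 80, timeout=5)
    try:
        headers = {"Content-Type": "text/plain"} if body is not None else {}
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body so the response is complete
        return resp.status, resp.headers
    finally:
        conn.close()


def probe(base_url, path="/readonly-probe.txt", body=b"123"):
    """OPTIONS, PUT and DELETE `path` on base_url; return codes and Allow.

    The PUT body is harmless text; the DELETE afterwards removes the probe
    file again when the host turned out to be writable.
    """
    result = {}
    result["options"], hdrs = _send(base_url, "OPTIONS", path)
    result["allow"] = hdrs.get("Allow", "")
    result["put"], _ = _send(base_url, "PUT", path, body)
    result["delete"], _ = _send(base_url, "DELETE", path)
    return result


def is_writable(result):
    """Decide on success, not on a particular failure code: the refusal
    status can differ between Tomcat versions (404 in the post's capture)."""
    return 200 <= result["put"] < 300


class FakeDefaultServlet(BaseHTTPRequestHandler):
    """Stand-in for Tomcat's DefaultServlet (assumption: simplified codes).

    readonly=True refuses PUT/DELETE with 403 and omits them from Allow;
    readonly=False stores uploads in the in-memory `files` dict.
    """
    readonly = True
    files = {}  # stands in for the webapp directory

    def log_message(self, *args):  # keep the run quiet
        pass

    def _reply(self, code, **headers):
        self.send_response(code)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_OPTIONS(self):
        allow = ("GET, HEAD, POST, OPTIONS" if self.readonly
                 else "GET, HEAD, POST, PUT, DELETE, OPTIONS")
        self._reply(200, Allow=allow)

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.readonly:
            return self._reply(403)
        created = self.path not in self.files
        self.files[self.path] = body
        self._reply(201 if created else 204)

    def do_DELETE(self):
        if self.readonly:
            return self._reply(403)
        if self.path not in self.files:
            return self._reply(404)
        del self.files[self.path]
        self._reply(204)


def start_server(readonly):
    """Start a stand-in on an ephemeral port; returns (base_url, server)."""
    handler = type("Handler", (FakeDefaultServlet,),
                   {"readonly": readonly, "files": {}})
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1], srv


def demo():
    """Probe both modes; returns {True: result when readonly, False: ...}."""
    out = {}
    for readonly in (True, False):
        base_url, srv = start_server(readonly)
        try:
            out[readonly] = probe(base_url)
        finally:
            srv.shutdown()
            srv.server_close()
    return out


if __name__ == "__main__":
    for readonly, r in demo().items():
        print("readonly=%s -> %s writable=%s" % (readonly, r, is_writable(r)))
```

Against a real host, call probe("http://127.0.0.1:8080") and pass the result to is_writable; the probe path is created and deleted only when the server accepts the write, and the decision never depends on which error code a refusing Tomcat returns.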
Test results
Finding the cause