How to disable TRACE/OPTIONS requests in Spring Boot
1. Disabling them in the servlet
The doTrace method of FrameworkServlet, in the org.springframework.web.servlet package, contains the logic that handles TRACE requests:
```java
/**
 * Delegate TRACE requests to {@link #processRequest}, if desired.
 * <p>Applies HttpServlet's standard TRACE processing otherwise.
 * @see #doService
 */
@Override
protected void doTrace(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    if (this.dispatchTraceRequest) {
        processRequest(request, response);
        if ("message/http".equals(response.getContentType())) {
            // Proper TRACE response coming from a handler - we're done.
            return;
        }
    }
    super.doTrace(request, response);
}
```
It decides how to handle a TRACE request based on the this.dispatchTraceRequest field; the Javadoc of setDispatchTraceRequest explains what this field does:
```java
/**
 * Set whether this servlet should dispatch an HTTP TRACE request to
 * the {@link #doService} method.
 * <p>Default is "false", applying {@link javax.servlet.http.HttpServlet}'s
 * default behavior (i.e. reflecting the message received back to the client).
 * <p>Turn this flag on if you prefer TRACE requests to go through the
 * regular dispatching chain, just like other HTTP requests. This usually
 * means that your controllers will receive those requests; make sure
 * that those endpoints are actually able to handle a TRACE request.
 * <p>Note that HttpServlet's default TRACE processing will be applied
 * in any case if your controllers happen to not generate a response
 * of content type 'message/http' (as required for a TRACE response).
 */
public void setDispatchTraceRequest(boolean dispatchTraceRequest) {
    this.dispatchTraceRequest = dispatchTraceRequest;
}
```
In other words, setting this field to true makes TRACE requests go through the regular HTTP dispatching chain; otherwise the TRACE request is answered the way the HTTP spec describes (the received message is reflected back to the client). So there are two ways to disable the default TRACE response:
- Override DispatcherServlet's doTrace method (see: How can I disable HTTP TRACE in embedded Undertow of a Spring boot application):
```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.DispatcherServlet;

@Component("dispatcherServlet")
public class MyDispatcherServlet extends DispatcherServlet {
    @Override
    public void doTrace(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // Looks for a controller able to handle the TRACE request; if none is found an exception is raised
        processRequest(request, response);
        // Or answer with a 405 instead: response.sendError(405);
    }
}
```
- Set the dispatchTraceRequest field to true, which has the same effect as calling processRequest directly as above:
```java
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.DispatcherServlet;

@Component("dispatcherServlet")
public class MyDispatcherServlet extends DispatcherServlet {
    public MyDispatcherServlet() {
        super();
        this.setDispatchTraceRequest(true);
    }
}
```
Disabling OPTIONS works the same way as TRACE.
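As an added example that is not part of the original post, the following servlet replaces the auto-configured DispatcherServlet the same way the snippets above do (Spring Boot backs off only when the bean is named "dispatcherServlet") and answers TRACE with 405 Method Not Allowed plus an Allow header instead of letting HttpServlet echo the request back. OPTIONS is rejected only when the hypothetical property app.http.block-options is true, because browsers need OPTIONS for CORS preflight and blocking it unconditionally breaks cross-origin clients. The class name, package, property name and the Allow list are assumptions; the servlet API is javax, matching Spring Boot 2.x and the snippets above.

```java
package com.example.hardening; // hypothetical package

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.DispatcherServlet;

/**
 * Replaces Spring Boot's auto-configured DispatcherServlet. The bean name
 * "dispatcherServlet" is what the auto-configuration checks for, so naming the
 * component that way makes it back off and use this class instead.
 */
@Component("dispatcherServlet")
public class HardenedDispatcherServlet extends DispatcherServlet {

    /** Methods the application really serves (assumed list); advertised in the Allow header of a 405. */
    private static final String ALLOWED_METHODS = "GET, HEAD, POST, PUT, DELETE";

    /** Hypothetical property: also reject OPTIONS. Keep it false if browsers send CORS preflights. */
    private final boolean blockOptions;

    public HardenedDispatcherServlet(@Value("${app.http.block-options:false}") boolean blockOptions) {
        super();
        this.blockOptions = blockOptions;
    }

    @Override
    protected void doTrace(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Never fall through to HttpServlet.doTrace, which reflects the request (headers included) back
        reject(request, response);
    }

    @Override
    protected void doOptions(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (blockOptions) {
            reject(request, response);
        } else {
            super.doOptions(request, response); // keep Spring's normal OPTIONS / CORS preflight handling
        }
    }

    private void reject(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // logger is the protected commons-logging Log inherited from HttpServletBean;
        // logging the attempt makes rejected TRACE/OPTIONS probes visible in the application log
        logger.warn("Rejected " + request.getMethod() + " " + request.getRequestURI()
                + " from " + request.getRemoteAddr());
        // RFC 7231 requires a 405 response to carry an Allow header listing the supported methods
        response.setHeader("Allow", ALLOWED_METHODS);
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

With the property left at its default, only TRACE is rejected; setting app.http.block-options=true in application.properties extends the same 405 to OPTIONS for services that no browser calls cross-origin.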
2. Disabling them at the Jetty layer
I haven't tried this on Tomcat, but in principle it should work there too.
Write a class that implements javax.servlet.Filter and annotate it with javax.servlet.annotation.WebFilter:
```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/*", filterName = "jettyFilter")
public class JettyFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        if ("TRACE".equalsIgnoreCase(httpRequest.getMethod())) {
            // Reject TRACE with 405 Method Not Allowed before it reaches the servlet
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```
Then put the @ServletComponentScan annotation on the application's main class (the one with the main method).
This section is based on: https://blog.csdn.net/qq_33479841/article/details/109769790
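To confirm that the filter really rejects TRACE before the request reaches the DispatcherServlet, and that ordinary requests still pass through, here is an added JUnit 5 / MockMvc test that is not part of the original post. It assumes the JettyFilter class from this section is importable, spring-test and junit-jupiter are on the test classpath, and a hypothetical package name; PingController is a constructed stand-in for a real endpoint, and the Cookie value is a constructed sample.

```java
package com.example.hardening; // hypothetical package; JettyFilter from above is assumed to live here too

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.request;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.http.HttpMethod;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Regression test for the TRACE-blocking filter: TRACE must get a 405 with an
 * empty body (nothing reflected), while GET still reaches the controller.
 */
class TraceFilterTest {

    /** Constructed minimal controller so the chain has something to reach on the happy path. */
    @RestController
    static class PingController {
        @GetMapping("/ping")
        String ping() {
            return "pong";
        }
    }

    private MockMvc mockMvc;

    @BeforeEach
    void setUp() {
        // Standalone MockMvc does not run @ServletComponentScan, so the @WebFilter class is registered by hand
        mockMvc = MockMvcBuilders.standaloneSetup(new PingController())
                .addFilters(new JettyFilter())
                .build();
    }

    @Test
    void traceIsRejectedWith405AndNothingIsEchoed() throws Exception {
        mockMvc.perform(request(HttpMethod.TRACE, "/ping")
                        .header("Cookie", "session=constructed-sample-value")) // HttpServlet.doTrace would echo this
                .andExpect(status().isMethodNotAllowed())
                .andExpect(content().string("")); // the filter sends a bare 405, no reflected request
    }

    @Test
    void normalRequestsStillReachTheController() throws Exception {
        mockMvc.perform(get("/ping"))
                .andExpect(status().isOk())
                .andExpect(content().string("pong"));
    }
}
```

Because the filter is mapped to "/*", the same test passes for any path; if the filter is later narrowed to a subset of URL patterns, add a TRACE case for a path outside that subset to make sure the default echo does not come back there.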