I want to disable the TRACE verb on the server so that endpoints are untraceable.
My endpoints are created using Spring MVC and there is an option endpoints.trace.enabled=false.
The pain is how to test whether TRACE is disabled or not. I tried the Chrome plug-in Live HTTP Headers, but it is for generic sites. I want to check my endpoint.
For example:
curl --insecure -v -X TRACE http://localhost:8080/toy/49f6a7d3-eb20-3ab2-be3b-8399e7f28abf
HTTP/1.1 200 OK
< Date: Sat, 21 Mar 2015 04:34:03 GMT
< Content-Type: message/http; charset=UTF-8
< Content-Length: 270
<
TRACE /toy/49f6a7d3-eb20-3ab2-be3b-8399e7f28abf HTTP/1.1
User-Agent: curl/7.37.1
Host: localhost:8080
Accept: */*
* Connection #0 to host localhost left intact
I tried the configuration below, but now it denies all requests.
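import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatchers()
            .and()
            .csrf().disable()
            .authorizeRequests()
            // Deny the TRACE method on every path.
            .antMatchers(HttpMethod.TRACE, "/**").denyAll();
    }
}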
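
One way to answer the testing question, as an added example that is not part of the original post: a shell function that reads the reply to a TRACE request and reports whether the verb is still served. The names classify_trace and probe_trace and the 405 sample reply are assumptions made for the example; the first sample is the transcript from the question.

```bash
#!/usr/bin/env bash
# Added example: decide from a server's reply whether HTTP TRACE is enabled.

# Reads a reply to a TRACE request on stdin, either `curl -s -i` output or a
# `curl -v` transcript (leading "< " markers are stripped), and prints:
#   enabled  - 2xx status and a message/http body, i.e. the request was echoed
#   disabled - 403, 405 or 501, i.e. the method was refused
#   unknown  - anything else; inspect the reply by hand
classify_trace() {
    awk '
        { sub(/\r$/, ""); sub(/^< /, "") }
        status == "" && /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { status = $2; next }
        tolower($0) ~ /^content-type:[ \t]*message\/http/ { echoed = 1 }
        END {
            if (status ~ /^2/ && echoed) print "enabled"
            else if (status ~ /^(403|405|501)$/) print "disabled"
            else print "unknown"
        }'
}

# Live check against one endpoint, e.g. probe_trace http://localhost:8080/toy/<id>
probe_trace() {
    curl -s -i -X TRACE "$1" | classify_trace
}

# Reply headers taken from the curl transcript in the question above.
REPLY_FROM_QUESTION='HTTP/1.1 200 OK
< Date: Sat, 21 Mar 2015 04:34:03 GMT
< Content-Type: message/http; charset=UTF-8
< Content-Length: 270
<
TRACE /toy/49f6a7d3-eb20-3ab2-be3b-8399e7f28abf HTTP/1.1'

# Constructed sample: what a refusal of the method could look like.
REPLY_REFUSED='HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, POST
Content-Length: 0'

# Classify both samples offline; no server is contacted here.
printf '%s\n' "$REPLY_FROM_QUESTION" | classify_trace
printf '%s\n' "$REPLY_REFUSED" | classify_trace
```

Run probe_trace against the same endpoint before and after a configuration change, and also against an ordinary GET to confirm that other methods are still served.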