英文:
How to disable or remove Allow response header from OPTIONS?
问题
我有一个SecurityConfig类,我已经添加了禁用标头的代码,但我想禁用'Allow'响应标头。我尝试了许多不同的方法,但没有成功。如何添加自定义标头以进行禁用?
@Configuration
@Slf4j
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests().anyRequest().authenticated()
.and()
.headers().xssProtection().disable()
.and().headers().frameOptions().disable()
.and().headers().contentTypeOptions().disable()
.and().headers().disable()
.httpBasic();
}
}
RestController
@RequestMapping(value = Constants.API_BASE_MAPPING + Constants.API_EVENT, method = RequestMethod.OPTIONS)
public ResponseEntity<?> publishEventMessage() {
return getResponseEntity();
}
private ResponseEntity<?> getResponseEntity() {
return ResponseEntity
.ok().contentType(MediaType.APPLICATION_JSON)
.allow() // 想要移除这个
.build();
}
以下是来自我的OPTIONS API调用的响应标头:
英文:
I have SecurityConfig class and I have added code to disable headers but I want to disable the 'Allow' response header. I have tried many different ways but no luck. How to add a custom header to disable?
@Configuration
@Slf4j
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception
{
http.csrf().disable()
.authorizeRequests().anyRequest().authenticated()
.and()
.headers().xssProtection().disable()
.and().headers().frameOptions().disable()
.and().headers().contentTypeOptions().disable()
.and().headers().disable()
.httpBasic();
}
}
Rest Controller
{
@RequestMapping(value = Constants.API_BASE_MAPPING + Constants.API_EVENT, method = RequestMethod.OPTIONS)
public ResponseEntity<?> publishEventMessage() {
return getResponseEntity();
}
private ResponseEntity<?> getResponseEntity() {
return ResponseEntity
.ok().contentType(MediaType.APPLICATION_JSON)
.allow() // want to remove this
.build();
}
}
Below is the response header from my OPTIONS API call
答案1
得分: 2
如果您想在控制器的特定方法中设置一个空的“Allow Header”响应,您可以使用:
return ResponseEntity
.ok().contentType(MediaType.APPLICATION_JSON)
.header("Allow", "")
.build();
此外,您可以通过在安全配置中添加以下内容来禁用特定路径上的“OPTIONS”HTTP方法:
.antMatchers(HttpMethod.OPTIONS, "path/to/deny").denyAll()
设置头后无法删除头。一个可能的解决方案是通过创建一个过滤器来跳过设置头部:
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
chain.doFilter(request, new HttpServletResponseWrapper((HttpServletResponse) response) {
public void setHeader(String name, String value) {
if (!name.equalsIgnoreCase("Allow")) {
super.setHeader(name, value);
}
}
});
}
基于此链接:https://stackoverflow.com/a/7895292/3713193
如何在Spring Boot中定义过滤器:https://www.baeldung.com/spring-boot-add-filter
英文:
If you want to set an empty Allow Header response in a particular method in your controller, you can use:
return ResponseEntity
.ok().contentType(MediaType.APPLICATION_JSON)
.header("Allow", "")
.build();
Also, you can disable the OPTIONS http method for a certain path in your security configuration adding:
.antMatchers(HttpMethod.OPTIONS,"path/to/deny").denyAll()
You can't delete headers after being set. One possible solution is prevent that by creating a Filter which skips the setHeader.
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
chain.doFilter(request, new HttpServletResponseWrapper((HttpServletResponse) response) {
public void setHeader(String name, String value) {
if (!name.equalsIgnoreCase("Allow")) {
super.setHeader(name, value);
}
}
});
}
Based on this: https://stackoverflow.com/a/7895292/3713193
How to define a filter in Spring Boot: https://www.baeldung.com/spring-boot-add-filter
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论