Springboot报这个错
我们这边的要求是不能返回错误日志和Tomcat版本,属于信息泄露
html
<!doctype html>
<html lang="en">
<head>
<title>HTTP Status 400 鈥?Bad Request</title>
<style type="text/css">
body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}
</style>
</head>
<body>
<h1>HTTP Status 400 鈥?Bad Request</h1>
<hr class="line" />
<p>
<b>Type</b> Exception Report
</p>
<p>
<b>Message</b> Invalid character found in the request target [/api/sys/permission/getPermCode<[] ]. The valid characters are defined in RFC 7230 and RFC 3986
</p>
<p>
<b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
</p>
<p>
<b>Exception</b>
</p>
<pre>java.lang.IllegalArgumentException: Invalid character found in the request target [/api/sys/permission/getPermCode<[] ]. The valid characters are defined in RFC 7230 and RFC 3986
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:490)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:262)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Thread.java:750)
</pre>
<p>
<b>Note</b> The full stack trace of the root cause is available in the server logs.
</p>
<hr class="line" />
<h3>Apache Tomcat/9.0.73</h3>
</body>
</html>在nginx的location加了以下配置
XML
set $invalid_uri 0;
if ($request_uri ~ '[<>&?#!^%]$') {
set $invalid_uri 1;
}
f ($invalid_uri) {
return 407;
} 通过nginx访问可以限制了,但是他们测试还要通过服务端ip直接调用服务端,所以还得改后端代码
尝试了的办法
拦截器、过滤器、aop、集成ErrorController、全局异常捕获器,都拦截不到这个错误
通过网上搜索和捋代码,发现是tomcat解析url的时候报错的,还没有走到后面,所以上面那些都捕获不到这个异常
又试了加400.html也不好使
又看到网上有的说可以降低tomcat版本解决这个问题,进行尝试后发现 降低tomcat版本后,启动项目springboot报错,不兼容,又降低springboot版本后,发现mybatis又报错。。。不知道是否还有别的兼容问题(因为springboot版本得降到1.x版本的),所以放弃了这个办法
又试了这个办法,也不好使
java
@Configuration
public class TomcatFactoryConfig {
@Bean
public TomcatServletWebServerFactory tomcatFactory() {
TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory() {
@Override
protected void postProcessContext(Context context) {
((StandardJarScanner) context.getJarScanner()).setScanManifest(false);
}
};
factory.addConnectorCustomizers(connector -> {
connector.setProperty("relaxedPathChars", "\"<>[\\]^`{|}");
connector.setProperty("relaxedQueryChars", "\"<>[\\]^`{|}");
});
return factory;
}
}然后想着改源码吧,根据错误日志找到了报错的地方,把代码粘贴出来把报错那行注释了, 结果发现又报了别的错,还是有tomcat版本信息,然后debug,找到了源码中输出返回的地方,改成了我自己定义的json, 这样确实会返回我定义的json,没有tomcat版本了, 但是还有一个问题就是,我想加一个判断 如果是这个问题的报错,我就返回我定义的json, 但是看到那个Response里面一堆对象,很多对象里面都是套了好多层,我找不到怎么判断是不是这个错误的办法
不知道该怎么办了,迷茫中想着捋捋配置文件吧,看到几个参数
XML
server:
error:
include-exception: true
include-stacktrace: ALWAYS
include-message: ALWAYS不知道是干啥的,死马当活马医,搜了搜是干啥的
看着可能有点关系,然后改了一下,改成了
XML
server:
error:
include-exception: false
include-stacktrace: never
include-message: never结果重启后,好了,没有tomcat版本信息了
html
<!doctype html>
<html lang="en">
<head>
<title>HTTP Status 400 鈥?Bad Request</title>
<style type="text/css">
body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}
</style>
</head>
<body>
<h1>HTTP Status 400 鈥?Bad Request</h1>
</body>
</html>