在Spring启动应用程序中禁用HTTP OPTIONS方法

以前的答案仅针对tomcat，所以也加入我的。 您可以通过使用标准servletfilter来禁用方法跨容器：

 import java.io.IOException; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.springframework.stereotype.Component; import org.springframework.web.filter.OncePerRequestFilter; @Component public class MethodFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { if (request.getMethod().equals("OPTIONS")) { response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); } else { filterChain.doFilter(request, response); } } } 

注意：假设此类是Spring扫描的组件。 如果没有，您可以使用此处详述的其他注册方法。

我尝试了这个并且它有效。

 @Bean public EmbeddedServletContainerCustomizer containerCustomizer() { return new EmbeddedServletContainerCustomizer() { @Override public void customize(ConfigurableEmbeddedServletContainer container) { if (container.getClass().isAssignableFrom(TomcatEmbeddedServletContainerFactory.class)) { TomcatEmbeddedServletContainerFactory tomcatContainer = (TomcatEmbeddedServletContainerFactory) container; tomcatContainer.addContextCustomizers(new ContextSecurityCustomizer()); } } }; } private static class ContextSecurityCustomizer implements TomcatContextCustomizer { @Override public void customize(Context context) { SecurityConstraint constraint = new SecurityConstraint(); SecurityCollection securityCollection = new SecurityCollection(); securityCollection.setName("restricted_methods"); securityCollection.addPattern("/*"); securityCollection.addMethod(HttpMethod.OPTIONS.toString()); constraint.addCollection(securityCollection); constraint.setAuthConstraint(true); context.addConstraint(constraint); } }