Spring Boot: enable HTTP TRACE method for embedded Tomcat

Question

Standalone Tomcat allows you to enable TRACE HTTP method through allowTrace attribute:

allowTrace - A boolean value which can be used to enable or disable the TRACE HTTP method. If not specified, this attribute is set to false.

If I have to do that same for a Spring Boot project using embedded Tomcat - what kind of config/properties setting I can use for that?

I have looked for the properties supported by Spring Boot for Tomcat server:

but it seems to be not listed. Any thoughts how to achieve this.

Answer 1

You can configure Connector.allowTrace property programmatically. In this case you have to define bean for class EmbeddedServletContainerFactory and add connector customizer by calling TomcatEmbeddedServletContainerFactory.addConnectorCustomizers(...) method. It allows you to access Connector object and call any configuration method you need. In this case we simply call connector.setAllowTrace(true):

import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfiguration {

    @Bean
    public EmbeddedServletContainerFactory embeddedServletContainerFactory() {
        TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();

        factory.addConnectorCustomizers(connector -> {
            connector.setAllowTrace(true);
        });
        return factory;
    }
}

You can configure this bean in a separate configuration class (like in the example above) or you can simply add this bean method to your main Spring Boot application class.

Couldn't it be done with server.tomcat.* like property?

At this moment - nope. Current Spring Boot version (1.5.9-RELEASE) does not allow to set it up with a simple property. All properties with server.tomcat prefix are mapped automatically to class org.springframework.boot.autoconfigure.web.ServerProperties.Tomcat. If you take a look at its javadocs (or source code in your IDE) you will see that there is no method like setAllowTrace(boolean value) or something like that.

Answer 2

The solution above only works for Spring Boot 1. For Spring Boot 2 the following works:

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatCustomizer() {
        return customizer -> customizer.addConnectorCustomizers(connector -> {
            connector.setAllowTrace(true);
        });
    }

If you want to apply if on the managemant port you need to create a configuration class that looks something like this:

@ManagementContextConfiguration
public class ManagementInterfaceConfiguration {

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatCustomizer() {
        return customizer -> customizer.addConnectorCustomizers(connector -> {
            connector.setAllowTrace(true);
        });
    }

}

and a resource (=on the classpath) in META-INF/spring.factories that picks it up:

org.springframework.boot.actuate.autoconfigure.web.ManagementContextConfiguration=\
com.package.ManagementInterfaceConfiguration

Answer 3

If you want to enable TRACE Http Method you can extend WebSecurityConfigurerAdapter like this:

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Bean
public HttpFirewall configureFirewall() {
    StrictHttpFirewall strictHttpFirewall = new StrictHttpFirewall();
    strictHttpFirewall
      .setAllowedHttpMethods(Arrays.asList("GET","POST","PUT","DELETE","OPTIONS","TRACE"));
    return strictHttpFirewall;
}
}