上傳時發送文件至TOMCAT出現UniformInterfaceException

1. 出錯的信息描述

HTTP Status 500 – Internal Server Error

MESSAGE :
Request processing failed; nested exception is com.sun.jersey.api.client.UniformInterfaceException: PUT http://localhost:9090/uploads/91e5118e60924b21bd48a9ed19ab91ff_girl8.jpg returned a response status of 405 Method Not Allowed

Description :
The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception :

org.springframework.web.util.NestedServletException: Request processing failed; nested exception is com.sun.jersey.api.client.UniformInterfaceException: PUT http://localhost:9090/uploads/91e5118e60924b21bd48a9ed19ab91ff\_girl8.jpg returned a response status of 405 Method Not Allowed
    org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:986)
    org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:881)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
    org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:855)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

2. 出錯的Project描述

使用的IDE: IDEA 2019-02
充當上傳文件的Project hierarchy(Client):

接收文件的Project hierarchy(Server):

3. springmvc fileupload源碼

controller

/**
     * 跨服務器文件上傳
     * @return success
     */
    @RequestMapping("/fileupload3")
    public String fileupload3(MultipartFile upload) throws Exception {
        System.out.println("service id doing...");

        // 定義上傳文件服務器路徑
        String path = "http://localhost:9090/uploads/";

        // 說明上傳文件項
        // 獲取上傳文件的名稱
        String filename = upload.getOriginalFilename();
        // 把文件的名稱設置惟一值，uuid
        String uuid = UUID.randomUUID().toString().replace("-", "");
        filename = uuid+"_"+filename;

        // 建立客戶端的對象
        Client client = Client.create();

        // 和圖片服務器進行鏈接
        WebResource webResource = client.resource(path+filename);

        // 上傳文件
        webResource.put(upload.getBytes());

        return "success";
    }

index.jsp

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>文件上傳</title>
</head>
<body>
    <form action="user/fileupload1" method="post" enctype="multipart/form-data">
        傳統方式的文件上傳:<input type="file" name="upload">
        <br>
        <input type="submit" value="上載">
    </form>

<hr>
    <form action="user/fileupload2" method="post" enctype="multipart/form-data">
        SpringMVC方式的文件上傳:<input type="file" name="upload">
        <br>
        <input type="submit" value="上載">
    </form>

<hr>

    <form action="user/fileupload3" method="post" enctype="multipart/form-data">
        跨服務器的文件上傳:<input type="file" name="upload">
        <br>
        <input type="submit" value="上載">
    </form>
</body>
</html>

4. 出錯分析

從 "1.出錯的信息描述" 能夠知道咱們的錯誤在於PUT請求被用於接收文件的TOMCAT拒絕了。

請查看Apache Tomcat 9 (9.0.30) - Default Servlet Reference。咱們須要注意到如下信息：

4.1 webapp啓動後default servlet會加載

So by default, the default servlet is loaded at webapp startup and directory listings are disabled and debugging is turned off.

4.2 DefaultServlet的initParameters中readonly默認爲true

如下爲readonly property的描述

Is this context "read only", so HTTP commands like PUT and DELETE are rejected? [true]

這意味着接收文件的TOMCAT默認加載DefaultServlet後，默認拒絕接收PUT和DELETE請求。所以咱們須要改變initParameters中的readonly = false。

關於爲何readonly默認爲true這一點，你能夠先看看TOMCAT對於把readonly設置爲false持有什麼樣的見解，如下爲參考連接:
Apache Tomcat RCE if readonly set to false (CVE-2017-12617) - Alphabot Security

The Apache Tomcat team announced today that all Tomcat versions before 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82 contain a potentially dangerous remote code execution (RCE) vulnerability on all operating systems if the default servlet is configuredwith the parameter readonly set to false or the WebDAV servlet is enabled with the parameter readonly set to false. This configuration would allow any unauthenticated user to upload files (as used in WebDAV). It was discovered that the filter that prevents the uploading of JavaServer Pages (.jsp) can be circumvented. So JSPs can be uploaded, which then can be executed on the server.

Now since this feature is typically not wanted, most publicly exposed system won’t have readonly set to false.

不難推斷出TOMCAT考慮到安全性，默認關閉了TOMCAT的PUT和DELETE請求(即readonly = true)。

5. 解決方法

根據 "4.出錯分析" 能夠知道咱們須要修改web.xml文件的readonly參數。
咱們須要在DefaultServlet的init-param中添加readonly爲false（若是你的配置文件沒有readonly,那麼你須要手動添加readonly=false）

<servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

啓動兩個TOMCAT，如今展現效果

index.jsp(Client端):