Tomcat - Disable HTTP method
The approach is simple: to disable HTTP methods for all applications on this Tomcat, add the following to conf/web.xml.
Our requirement is to disable the DELETE and OPTIONS methods.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <!-- An empty auth-constraint lists no roles, so nobody may use the methods above -->
    <auth-constraint />
</security-constraint>
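A static check for the constraint above, as an added example (not code from the original post): it parses a web.xml and reports which HTTP methods a security-constraint with an empty auth-constraint denies to everyone, and which required methods are still uncovered. The function names, KNOWN_METHODS and the sample XML are assumptions made for illustration, and url-patterns are compared as exact strings.

```python
import xml.etree.ElementTree as ET

# Assumption: the set this audit treats as "every method".
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"}

def _kids(elem, name):
    # web.xml usually declares a default namespace; compare local names only.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, name):
    return {(c.text or "").strip().upper() for c in _kids(elem, name)}

def denied_methods(web_xml_text):
    """Return {url-pattern: methods denied to every caller}."""
    denied = {}
    for sc in _kids(ET.fromstring(web_xml_text), "security-constraint"):
        auth = _kids(sc, "auth-constraint")
        # Only an auth-constraint with no role-name blocks everyone.
        if not auth or _kids(auth[0], "role-name"):
            continue
        for wrc in _kids(sc, "web-resource-collection"):
            listed = _texts(wrc, "http-method")
            omitted = _texts(wrc, "http-method-omission")
            # With no http-method listed, the constraint covers every method.
            methods = listed or (KNOWN_METHODS - omitted)
            for pat in _kids(wrc, "url-pattern"):
                denied.setdefault((pat.text or "").strip(), set()).update(methods)
    return denied

def not_denied(web_xml_text, required, pattern="/*"):
    """Methods in `required` that no deny-all constraint covers for `pattern`."""
    covered = denied_methods(web_xml_text).get(pattern, set())
    return sorted(m.upper() for m in required if m.upper() not in covered)

# Constructed sample: the page's constraint plus a role-restricted one.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method><http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern><http-method>PUT</http-method></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
```

Calling not_denied(SAMPLE_WEB_XML, ["DELETE", "OPTIONS", "PUT"]) returns the methods that still need a deny-all constraint; here PUT is only role-restricted, so it is reported.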
How to verify it is working?
curl -v -X OPTIONS https://xxxx.pprd.xxxx.edu:5678/homepage.htm
For OPTIONS:
On the left side (port 5678), DELETE is disabled on this Tomcat, and we received this message:
HTTP Status 403 – Forbidden
On the right side (port 8441), DELETE is not disabled, and all allowed methods are listed:
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
For DELETE:
On the left side (port 5678), DELETE is disabled on this Tomcat, and we received this message:
Access to the requested resource has been denied
On the right side (port 8441), DELETE is not disabled.
The server understood the request but refuses to authorize it.