Tomcat - Disable HTTP method

The way is very simple, if you want to disable HTTP methods for all applications on this Tomcat Add the following at conf/web.xml

Our requirement is to disable DELETE and OPTIONS methods

<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>

How to verify it is working?

curl -v -X OPTIONS https://xxxx.pprd.xxxx.edu:5678/homepage.htm

For OPTIONS: Capture1 The left side, port 5678, DELETE is disabled on this Tomcat, we received a message that:
HTTP Status 403 – Forbidden
The right side, port 8441, DELETE is not disabled, all allowed method will be listed there:
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS

For DELETE: Capture The left side, port 5678, DELETE is disabled on this Tomcat, we received a message that:
Access to the requested resource has been denied
The right side, port 8441, DELETE is not disabled
The server understood the request but refuses to authorize it.

ORA-4031

A Chinese DBA in the United States

Tomcat - Disable HTTP method

About Me

Recent Posts

Categories

Tags

Blogroll

Archives