I want to remove unsafe HTTP verbs such as OPTIONS. My application is using JSP, servlet. I tried using the below in my web.xml. But I could not find any solution. Could you please help me to solve this?
<security-constraint>
  <web-resource-collection>
    <web-resource-name>NASApp</web-resource-name>
    <description>Security constraint for SIS</description>
    <url-pattern>/unchecked/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>
The following example, from http://www.techstacks.com/howto/disable-http-methods-in-tomcat.html , shows how to disable all methods except for HEAD and GET:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
So in your case, you would exclude only the verbs you want to allow.
Note also the url-pattern pattern of * to match all URLs.
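To check what a descriptor actually blocks, the following added example (not part of the original post) reports, per url-pattern, the methods denied by an empty auth-constraint. The method list and the three sample descriptors are constructed; the allow-list variant uses http-method-omission (Servlet 3.0+), which the post does not mention, and the check is a simplified model that does not resolve overlapping url-patterns.

```python
import xml.etree.ElementTree as ET

METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")  # constructed list

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def _texts(elem, name):
    return [(c.text or "").strip() for c in elem.iter() if _local(c.tag) == name]

def denied_methods(web_xml, methods=METHODS):
    """Map each url-pattern to the methods an empty auth-constraint denies."""
    denied = {}
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        # Without an auth-constraint, or with role-names in it, nothing is denied outright.
        if not auth or any(_texts(a, "role-name") for a in auth):
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            listed = set(_texts(wrc, "http-method"))
            omitted = set(_texts(wrc, "http-method-omission"))
            # No http-method entries: every method except the omitted ones is covered.
            covered = listed or set(methods) - omitted
            for pattern in _texts(wrc, "url-pattern"):
                denied.setdefault(pattern, set()).update(covered)
    return {p: sorted(m) for p, m in denied.items()}

# Constructed samples: the question's constraint, the answer's, and an allow-list variant.
WRAP = "<web-app><security-constraint>%s</security-constraint></web-app>"
QUESTION = WRAP % ("<web-resource-collection><url-pattern>/unchecked/*</url-pattern>"
    "<http-method>GET</http-method><http-method>HEAD</http-method>"
    "<http-method>POST</http-method></web-resource-collection>")
ANSWER = WRAP % ("<web-resource-collection><url-pattern>/*</url-pattern>"
    "<http-method>PUT</http-method><http-method>POST</http-method>"
    "<http-method>DELETE</http-method><http-method>OPTIONS</http-method>"
    "<http-method>TRACE</http-method></web-resource-collection><auth-constraint/>")
ALLOWLIST = WRAP % ("<web-resource-collection><url-pattern>/*</url-pattern>"
    "<http-method-omission>GET</http-method-omission>"
    "<http-method-omission>HEAD</http-method-omission>"
    "<http-method-omission>POST</http-method-omission>"
    "</web-resource-collection><auth-constraint/>")

if __name__ == "__main__":
    for name, doc in (("question", QUESTION), ("answer", ANSWER), ("allow-list", ALLOWLIST)):
        print(name, denied_methods(doc))
```

The question's constraint denies nothing because it has no auth-constraint, while the allow-list variant keeps GET, HEAD and POST and denies the rest.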