
remove unsafe HTTP verbs such as OPTIONS

I want to remove unsafe HTTP verbs such as OPTIONS. My application is using JSP and servlets. I tried using the configuration below in my web.xml, but I could not find any solution. Could you please help me solve this?

<security-constraint>
        <web-resource-collection>
            <web-resource-name>NASApp</web-resource-name>
            <description>Security constraint for SIS</description>
            <url-pattern>/unchecked/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>HEAD</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
    </security-constraint>

The following example, from http://www.techstacks.com/howto/disable-http-methods-in-tomcat.html, shows how to disable all methods except for HEAD and GET:

 <security-constraint>
 <web-resource-collection>
     <web-resource-name>restricted methods</web-resource-name>
     <url-pattern>/*</url-pattern>
     <http-method>PUT</http-method>
     <http-method>POST</http-method>
     <http-method>DELETE</http-method>
     <http-method>OPTIONS</http-method>
     <http-method>TRACE</http-method>
 </web-resource-collection>
 <auth-constraint />
 </security-constraint>

So in your case, you would exclude only the verbs you want to allow.

Note also the url-pattern pattern of * to match all URLs.
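
A quick way to check what a set of constraints actually blocks, added here as an example and not part of the original question or answer: the script reads a web.xml and reports, per url-pattern, which methods an empty `<auth-constraint/>` denies and which stay reachable. The function names and the `METHODS` set are assumptions of this example, and url-patterns are compared as literal strings rather than matched the way a servlet container matches them.

```python
import xml.etree.ElementTree as ET

# Methods to report on; extend for WebDAV or custom verbs.
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"}

def _name(el):
    """Element name without XML namespace (javaee/jakartaee descriptors)."""
    return el.tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    return {(c.text or "").strip() for c in parent if _name(c) == name}

def denied_methods(web_xml):
    """Map each url-pattern to the methods an empty <auth-constraint/> denies.

    A constraint with no <auth-constraint> restricts nobody, so it adds nothing.
    """
    denied = {}
    for sc in ET.fromstring(web_xml).iter():
        if _name(sc) != "security-constraint":
            continue
        auth = [c for c in sc if _name(c) == "auth-constraint"]
        if not auth or any(_texts(a, "role-name") for a in auth):
            continue  # absent, or grants access to named roles: not a deny-all
        for wrc in (c for c in sc if _name(c) == "web-resource-collection"):
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            omitted = {m.upper() for m in _texts(wrc, "http-method-omission")}
            covered = listed if listed else METHODS - omitted  # none listed = all
            for pattern in _texts(wrc, "url-pattern"):
                denied.setdefault(pattern, set()).update(covered)
    return {p: sorted(m) for p, m in denied.items()}

def uncovered_methods(web_xml, pattern):
    """Methods in METHODS that no deny-all constraint on `pattern` blocks."""
    return sorted(METHODS - set(denied_methods(web_xml).get(pattern, [])))

# The two constraints from this page, wrapped in a constructed <web-app> root.
QUESTION_XML = """<web-app><security-constraint><web-resource-collection>
<web-resource-name>NASApp</web-resource-name><url-pattern>/unchecked/*</url-pattern>
<http-method>GET</http-method><http-method>HEAD</http-method><http-method>POST</http-method>
</web-resource-collection></security-constraint></web-app>"""
ANSWER_XML = """<web-app><security-constraint><web-resource-collection>
<web-resource-name>restricted methods</web-resource-name><url-pattern>/*</url-pattern>
<http-method>PUT</http-method><http-method>POST</http-method><http-method>DELETE</http-method>
<http-method>OPTIONS</http-method><http-method>TRACE</http-method>
</web-resource-collection><auth-constraint /></security-constraint></web-app>"""

if __name__ == "__main__":
    for label, xml in (("question", QUESTION_XML), ("answer", ANSWER_XML)):
        print(label, denied_methods(xml))
    print("still reachable on /*:", uncovered_methods(ANSWER_XML, "/*"))
```

The question's constraint denies nothing because it has no `<auth-constraint>`, while the answer's constraint leaves any method it does not list, such as PATCH, uncovered.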
