views: 4672

answers: 3

I need to disable PUT, DELETE & TRACE HTTP requests on my Application Server, Apache Tomcat 6.0.

All other sources I have searched till now have directed me towards the Limit parameter in httpd.conf, hence I'd put it beforehand that I am not using Apache Web Server; requests are directly being handled by Tomcat, and so there is no httpd.conf in the picture.

Please suggest how should I do it on Tomcat?

+6  A: 

Inside your WEB-INF web.xml, you can add a security constraint:

<security-constraint>
     <web-resource-collection>
          <web-resource-name>Forbidden</web-resource-name>
          <url-pattern>/blah/*</url-pattern>
          <http-method>PUT</http-method>
          <http-method>DELETE</http-method>
          <http-method>TRACE</http-method>
     </web-resource-collection>
     <auth-constraint>
          <role-name>empty_role</role-name>
     </auth-constraint>
</security-constraint>

Alternatively, you can do these two things:

In server.xml, edit the <Connector> element and add the attribute allowTrace="false". Then edit the DefaultServlet in $CATALINA_HOME/conf/web.xml:

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>
        org.apache.catalina.servlets.DefaultServlet
    </servlet-class>
    <!-- blah blah blah -->
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
</servlet>
James Schek
Thanks James. What should the <url-pattern> be in case I'm adding it to the server's web.inf instead of the app's web.inf? (WEBROOT\conf\web.xml)
Mohit Nanda
A wildcard such as '/*' should work, I think.
James Schek
+1  A: 

The answer lies in the servlet specification. Looking at the API for the servlet, http://java.sun.com/products/servlet/2.5/docs/servlet-2_5-mr2/javax/servlet/http/HttpServlet.html, you'll see that different methods handle different kinds of HTTP requests. Also, there is a great feature called filters that can be used to wrap some code around servlets and filters.

So the solutions are:

  • Modify the servlet to only support do and get; or
  • Create a filter to clear those other kinds of requests.
Loki
Modifying the servlets is a dicey proposition at best. It may not be possible to modify a framework's override of doPut, doDelete, etc. Plus, it requires *every* servlet to be modified, which is an error-prone process. The filter is probably a better approach and provides the most control.
James Schek
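The filter approach recommended in this answer, and the method blocking the first answer configures in web.xml, written out as an added example (not code from either answer or from Tomcat). It allow-lists methods rather than deny-listing PUT, DELETE and TRACE, so any other unexpected method is rejected with 405 and an Allow header before a servlet sees it. The class name, the init-param name "allowedMethods" and the web.xml names in the comment are assumptions for this example; it targets the Servlet 2.5 API that Tomcat 6 implements.

```java
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Registration in WEB-INF/web.xml (names are assumed for this example):
 *   <filter>
 *     <filter-name>methodFilter</filter-name>
 *     <filter-class>HttpMethodFilter</filter-class>
 *     <init-param><param-name>allowedMethods</param-name>
 *                 <param-value>GET,HEAD,POST</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>methodFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class HttpMethodFilter implements Filter {
    private Set<String> allowed;
    private String allowHeader;

    public void init(FilterConfig cfg) {
        String param = cfg.getInitParameter("allowedMethods");
        if (param == null) {
            param = "GET,HEAD,POST"; // default allow-list when no init-param is set
        }
        allowed = new HashSet<String>();
        for (String m : param.split(",")) {
            allowed.add(m.trim().toUpperCase());
        }
        allowHeader = param.replace(" ", ""); // advertised back to the client on 405
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws java.io.IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (!allowed.contains(http.getMethod().toUpperCase())) {
            HttpServletResponse out = (HttpServletResponse) res;
            out.setHeader("Allow", allowHeader);
            out.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return; // chain not invoked: PUT, DELETE, TRACE, etc. never reach a servlet
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

Unlike the security-constraint, which answers a blocked method with 403, this returns 405 with an Allow header; pick whichever status your clients and monitoring expect, and keep allowTrace="false" on the Connector as well, since TRACE can be answered by the container before any filter runs.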
A: 

The solution is excellent

pushpendra