Disabling PUT TRACE DELETE request in Apache Tomcat 6.0
I need to disable PUT, DELETE & TRACE HTTP requests on my Application Server, Apache Tomcat 6.0.
All other sources, i have searched till now, have directed me towards the limit parameter in httpd.conf, Hence I'd put it before-hand that I am not using Apache Web Server, and requests are directly being handled by Tomcat, and so there is no httpd.conf in picture.
Please suggest how should I do it on Tomcat?
Inside your WEBINF, add you can add a security constraint:
<security-constraint> <web-resource-collection> <web-resource-name>Forbidden</web-resource-name> <url-pattern>/blah/*</url-pattern> <http-method>PUT</http-method> <http-method>DELETE</http-method> <http-method>TRACE</http-method> </web-resource-collection> <auth-constraint> <role-name>empty_role</role-name> </auth-constraint> </security-constraint>
Alternatively, you can do these two things:
In server.xml, edit the <connector> element, add an attribute: allowTrace="false". Then edit the DefaultServlet: $CATALINA_HOME/conf/web.xml
<servlet> <servlet-name>default</servlet-name> <servlet-class> org.apache.catalina.servlets.DefaultServlet </servlet-class> <!-- blah blah blah --> <init-param> <param-name>readonly</param-name> <param-value>true</param-value> </init-param> </servlet>
The answer lies in the servlet specification. In looking at the API for the servlet: http://java.sun.com/products/servlet/2.5/docs/servlet-2_5-mr2/javax/servlet/http/HttpServlet.html you'll see that different methods handle different kind of HTTP requests. Also, there is a great feature called filters that can be used to wrap some code around servlets and filters.
So the solutions are:
- Modify the servlet to only support do and get; or
- Create a filter to clear those other kind of requests.