Tomcat 6.0.24

szboardstretcher · 11-29-2011, 11:11 AM

I have tried these methods, and NONE of them work. (Found with google: "Tomcat 6" disable delete put)

Quote:

http://stackoverflow.com/questions/3...che-tomcat-6-0
http://blog.smoothdesigners.com/?p=175
http://www.coderanch.com/t/421348/To...-TRACE-OPTIONS
http://www.techstacks.com/howto/disa...in-tomcat.html
http://old.nabble.com/How2-Disable-P...d22786288.html
http://basilabbas.blogspot.com/2011/...ptions-in.html
http://www.webhostingtalk.com/showthread.php?t=461915
https://community.emc.com/thread/119528

Could anyone tell me what to put into conf/web.xml, or give me other exact steps, to *actually* disable DELETE, OPTIONS and PUT on Tomcat 6.0.24? No one else in the world seems to know.

szboardstretcher · 11-29-2011, 11:17 AM

Additional info:

BEFORE changes:

telnet 234.234.234.234 8080

Code:

Trying 234.234.234.234...
Connected to 234.234.234.234.
Escape character is '^]'.
OPTIONS / HTTP/1.1
host: 234.234.234.234

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
Content-Length: 0

tomcat/conf/web.xml

Code:

. . . <snip> . . .
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>

<!-- No one mentions this bit in their examples to get rid of the error the rest causes -->
<security-role>
<role-name>tomcat</role-name>
</security-role>
</web-app>

webapps/theAPP/WEB-INF/web.xml

Code:

<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/theAPP/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>

<security-role>
<role-name>tomcat</role-name>
</security-role>

</web-app>

AFTER changes (the same)

telnet 234.234.234.234 8080

Code:

Trying 234.234.234.234...
Connected to 234.234.234.234.
Escape character is '^]'.
OPTIONS / HTTP/1.1
host: 234.234.234.234

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
Content-Length: 0

szboardstretcher · 11-30-2011, 08:12 AM

Any programmers here familiar with Apache Tomcat? Does everyone just leave these options active because no one knows how to disable them? Or is there a secret ninja way that no one wants to share?