-
1. Re: Jboss Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTION
starksm64 Apr 5, 2005 11:23 AM (in response to dkdkdk)
The DELETE and PUT are not allowed by the default servlet unless its readonly mode has been set to false:

DELETE / HTTP/1.1
Host: localhost

HTTP/1.1 403 Forbidden
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.1 (build: CVSTag=JBoss_4_0_1 date=200412230944)
Content-Type: text/html;charset=utf-8
Content-Length: 964
Date: Tue, 05 Apr 2005 15:09:35 GMT
Server: Apache-Coyote/1.1

You can use the standard web.xml security settings to control what http methods are allowed in general:

<web-app>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      <description>Declarative security tests</description>
      <url-pattern>/*</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <description>no description</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
-
2. Re: Jboss Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTION
dkdkdk Apr 5, 2005 10:12 PM (in response to dkdkdk)
Thanks for your reply.
Yes. I have tested with nikto.pl/telnet.
In fact, 'Delete' is forbidden.
Then I think JBoss AS gives a delusive response(?)
-
3. Re: Jboss Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTION
jbtposc Jun 11, 2006 12:10 AM (in response to dkdkdk)
I have my web.xml configured as

<security-constraint id="SecurityConstraint_1">
  <web-resource-collection id="WebResourceCollection_1">
    <web-resource-name>mysecure</web-resource-name>
    <url-pattern>/myservlet</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint id="UserDataConstraint_1">
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

but I still get Allow: GET, HEAD, POST, TRACE, OPTIONS?
I only want to allow GET and POST, any suggestions on it?
TIA.
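
One way to get the behaviour asked for in the last post, as an added example that is not from any of the posters: in the servlet specification a security-constraint applies only to the http-method elements it lists, and an auth-constraint with no roles denies access, so this fragment denies the unwanted methods instead of listing the wanted ones. The resource name and the `/*` pattern are assumptions.

```xml
<!-- Added example: place inside <web-app>, next to any existing constraints. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Denied methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- Only the methods listed here are covered by this constraint;
         GET and POST are not listed, so they stay reachable. -->
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>TRACE</http-method>
    <http-method>OPTIONS</http-method>
    <!-- HEAD is listed because the goal stated above is GET and POST only;
         remove this line to keep HEAD. -->
    <http-method>HEAD</http-method>
  </web-resource-collection>
  <!-- An auth-constraint with no role-name permits no role, so the container
       rejects the listed methods before they reach the servlet. -->
  <auth-constraint/>
</security-constraint>
```

Check the result by sending each listed method, as in the DELETE exchange earlier in the thread, and confirming that it is refused.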