6 Replies Latest reply on Jul 23, 2012 6:38 PM by vesmar

    Limit allowed HTTP methods

    Francisco Carriedo Scher Newbie

      Hi there,

       

      i have been looking for configuring JBossAS7, regarding for example what HTTP methods are allowed / disallowed (server-wide, app-wide...) i found many samples for previous versions, but not for JBoss7 (7.0.X, 7.1).

       

      Any useful pointer or info about it?

       

      Thanks in advance!

        • 1. Re: Limit allowed HTTP methods
          Ondrej Zizka Master

          Standard ways still work,  including <http-method>HEAD</http-method>  .

          Check JBoss AS 7 web subsystem testsuite.

          Add your testcases if you create some, thx.

           

           

          <!-- ### Security -->
          <security-constraint>
          <web-resource-collection>
              <web-resource-name>Restricted</web-resource-name>
              <description>Declarative security tests</description>
              <url-pattern>/restricted/*</url-pattern>
              <http-method>HEAD</http-method>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              <http-method>PUT</http-method>
              <http-method>DELETE</http-method>
          </web-resource-collection>
          <auth-constraint>
              <description>Only authenticated users can access secure content</description>
              <role-name>AuthorizedUser</role-name>
          </auth-constraint>
          <user-data-constraint>
              <description>no description</description>
              <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
          </security-constraint>
          
          • 2. Re: Limit allowed HTTP methods
            Francisco Carriedo Scher Newbie

            Thanks a lot for your answer, anyway, that looks like a web-app wide declaration but what about a server wide solution? (not sure if i am right). I mean setting up that the server instance should attend no HEAD request at all (not even when it is sent to server administration services). I didn't find the appropriate .xml config file where to achieve such effect.

             

            Thanks for your response!

            • 3. Re: Limit allowed HTTP methods
              Ondrej Zizka Master

              Sorry, I don't know about any server-wide config.

              What is the use case? Why not limit that per-app? That would IMO be better approach since someone might forget to set that server-wide.

              • 4. Re: Limit allowed HTTP methods
                vesmar Newbie

                Hi,

                In my case we are looking for disable the HTTP options method on JBOSS AS7.1. Sinces Acunetix audit software alerts about it:

                 

                HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are

                supported by the web server, it represents a request for information about the communication options available on the

                request/response chain identified by the Request-URI.

                 

                The OPTIONS method may expose sensitive information that may help an malicious user to prepare more advanced

                attacks.

                 

                Did anyone found some working solution for a server wide solution or workaround?

                 

                Thanks in advance.

                • 5. Re: Limit allowed HTTP methods
                  Tomaz Cerar Master

                  Hi,

                   

                  working solution is what Ondrej wrote above, by web server exposes only your web applications,

                  that means that all you need to do is add part of configuration to your web.xml

                   

                  config should be probably something in lines of:

                      <security-constraint>

                          <web-resource-collection>

                              <web-resource-name>Restricted</web-resource-name>

                              <description>Declarative security tests</description>

                              <url-pattern>/*</url-pattern>      

                              <http-method>GET</http-method>

                              <http-method>POST</http-method>

                          </web-resource-collection>

                         

                      </security-constraint>

                  aka for every url allow only GET and POST.

                   

                   

                  --

                  tomaz

                  • 6. Re: Limit allowed HTTP methods
                    vesmar Newbie

                    Thank you Tomaz,

                     

                    I will try this solution. However it is a application side solution yet, since I am adding this lines to my web.xml.

                     

                    Do you know if jboss as 7.x hava something like a web.xml in the same way tomcat have $CATALINA_BASE/conf/web.xml to make this solution server wide?

                     

                    Thank you!

                    --

                    Vesmar