6 Replies Latest reply on Jul 23, 2012 6:38 PM by vesmar

    Limit allowed HTTP methods

    fcarriedos

      Hi there,

      I have been looking into configuring JBoss AS 7, regarding for example which HTTP methods are allowed / disallowed (server-wide, app-wide...). I found many samples for previous versions, but not for JBoss 7 (7.0.X, 7.1).

      Any useful pointer or info about it?

      Thanks in advance!

        • 1. Re: Limit allowed HTTP methods
          ozizka

          Standard ways still work, including <http-method>HEAD</http-method>.

          Check the JBoss AS 7 web subsystem testsuite.

          Add your test cases if you create some, thx.

          <!-- ### Security -->
          <!-- Only the listed methods under /restricted/* are covered; a caller
               needs the AuthorizedUser role for them. Methods not listed here
               (e.g. OPTIONS, TRACE) are uncovered and remain unrestricted. -->
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>Restricted</web-resource-name>
                  <description>Declarative security tests</description>
                  <url-pattern>/restricted/*</url-pattern>
                  <http-method>HEAD</http-method>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  <http-method>PUT</http-method>
                  <http-method>DELETE</http-method>
              </web-resource-collection>
              <auth-constraint>
                  <description>Only authenticated users can access secure content</description>
                  <role-name>AuthorizedUser</role-name>
              </auth-constraint>
              <user-data-constraint>
                  <description>no description</description>
                  <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
          
          • 2. Re: Limit allowed HTTP methods
            fcarriedos

            Thanks a lot for your answer. Anyway, that looks like a web-app-wide declaration, but what about a server-wide solution? (Not sure if I am right.) I mean setting it up so that the server instance should attend to no HEAD request at all (not even when it is sent to server administration services). I didn't find the appropriate .xml config file in which to achieve such an effect.

            Thanks for your response!

            • 3. Re: Limit allowed HTTP methods
              ozizka

              Sorry, I don't know about any server-wide config.

               What is the use case? Why not limit that per app? That would IMO be a better approach, since someone might forget to set that server-wide.

              • 4. Re: Limit allowed HTTP methods
                vesmar

                Hi,

                In my case we are looking to disable the HTTP OPTIONS method on JBoss AS 7.1, since the Acunetix audit software alerts about it:

                HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported by the web server; it represents a request for information about the communication options available on the request/response chain identified by the Request-URI.

                The OPTIONS method may expose sensitive information that may help a malicious user to prepare more advanced attacks.

                Did anyone find a working server-wide solution or workaround?

                Thanks in advance.

                • 5. Re: Limit allowed HTTP methods
                  ctomc

                  Hi,

                  The working solution is what Ondrej wrote above. The web server exposes only your web applications, so all you need to do is add this part of the configuration to your web.xml.

                  The config should probably be something along the lines of:

                      <!-- Servlet 3.0 form (what AS 7 implements): http-method-omission
                           makes this collection cover every method EXCEPT GET and POST,
                           and the empty auth-constraint means no role may use them, so
                           the container answers 403 for those methods on every URL.
                           Merely listing GET and POST with no auth-constraint would
                           constrain nothing: unlisted methods stay uncovered and allowed. -->
                      <security-constraint>
                          <web-resource-collection>
                              <web-resource-name>Restricted</web-resource-name>
                              <description>Declarative security tests</description>
                              <url-pattern>/*</url-pattern>
                              <http-method-omission>GET</http-method-omission>
                              <http-method-omission>POST</http-method-omission>
                          </web-resource-collection>
                          <auth-constraint/>
                      </security-constraint>

                  a.k.a. for every URL allow only GET and POST.

                   

                   

                  --

                  tomaz
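As an added example (not code from this thread or from JBoss), the following Python script applies the Servlet 3.0 security-constraint matching and combination rules to a web.xml and reports, for one method and path, whether the container will deny the request (403), require a role, or let it through. It embeds two constructed web.xml samples: a weak one that only lists GET and POST with no auth-constraint, which constrains nothing because any method it does not list is simply uncovered, and a hardened one that uses http-method-omission with an empty auth-constraint, the Servlet 3.0 way of saying "everything except GET and POST is forbidden on every URL". The Java EE namespace, the pattern ranking and the sample paths are assumptions of the example.

```python
"""Static check of what a web.xml security-constraint lets through.

Added example, not code from the thread or from JBoss: it applies the
Servlet 3.0 matching and combination rules for security constraints so
you can see whether a web.xml really blocks OPTIONS, HEAD, TRACE, ...
before deploying. Both web.xml samples below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}  # assumed Java EE 6 namespace

# Weak form: GET and POST listed, no auth-constraint. This constrains nothing.
# GET/POST are explicitly permitted to everyone and every other method is
# simply uncovered, which also means "allowed".
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

# Hardened form for Servlet 3.0 (what AS 7 implements): http-method-omission
# covers every method EXCEPT GET and POST, and the empty auth-constraint means
# "no role may access", so the container answers 403 for those methods.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Deny all but GET and POST</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def _specificity(pattern, path):
    """Rank a url-pattern match like the servlet mapping rules; None = no match."""
    if pattern == "/":
        return (0, 0)                       # default pattern, weakest
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))         # longest matching prefix wins
        return None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    return (3, 0) if path == pattern else None  # exact match, strongest


def decide(web_xml, method, path):
    """Return 'deny', 'auth' (a role is required) or 'allow' for one request."""
    method = method.upper()
    root = ET.fromstring(web_xml)
    matches = []  # (specificity, auth-constraint element or None)
    for sc in root.findall("j:security-constraint", NS):
        auth = sc.find("j:auth-constraint", NS)
        for wrc in sc.findall("j:web-resource-collection", NS):
            listed = {m.text.strip().upper() for m in wrc.findall("j:http-method", NS)}
            omitted = {m.text.strip().upper() for m in wrc.findall("j:http-method-omission", NS)}
            if listed and method not in listed:
                continue                    # collection names methods; ours is not one of them
            if method in omitted:
                continue                    # collection covers everything except ours
            for p in wrc.findall("j:url-pattern", NS):
                spec = _specificity(p.text.strip(), path)
                if spec is not None:
                    matches.append((spec, auth))
    if not matches:
        return "allow"                      # uncovered method/URL: the container lets it through
    best = max(spec for spec, _ in matches)
    auths = [a for spec, a in matches if spec == best]
    # Servlet 3.0 spec 13.8.1 combination: an empty auth-constraint denies regardless
    # of other constraints; a missing one permits everyone; otherwise a role is needed.
    if any(a is not None and a.find("j:role-name", NS) is None for a in auths):
        return "deny"
    if any(a is None for a in auths):
        return "allow"
    return "auth"


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for m in ("GET", "POST", "HEAD", "OPTIONS", "TRACE", "PUT", "DELETE"):
            print(f"{name:9} {m:8} /index.jsp -> {decide(xml, m, '/index.jsp')}")
```

To check your own deployment descriptor, pass its contents to decide() with the methods a scanner complains about. The script only models constraints declared in web.xml (not @ServletSecurity annotations or anything a server-wide configuration might add), so the real confirmation after deployment is still an OPTIONS or TRACE request against the application and a 403 in the response.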

                  • 6. Re: Limit allowed HTTP methods
                    vesmar

                    Thank you Tomaz,

                    I will try this solution. However, it is still an application-side solution, since I am adding these lines to my web.xml.

                    Do you know if JBoss AS 7.x has something like a web.xml in the same way Tomcat has $CATALINA_BASE/conf/web.xml, to make this solution server-wide?

                    Thank you!

                    --

                    Vesmar