Return-Path: 
 <tomcat-user-return-128195-apmail-jakarta-tomcat-user-archive=jakarta.apache.org@jakarta.apache.org>
Delivered-To: apmail-jakarta-tomcat-user-archive@www.apache.org
Received: (qmail 48656 invoked from network); 7 Jun 2005 05:10:59 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 7 Jun 2005 05:10:59 -0000
Received: (qmail 149 invoked by uid 500); 7 Jun 2005 05:10:40 -0000
Delivered-To: apmail-jakarta-tomcat-user-archive@jakarta.apache.org
Received: (qmail 99811 invoked by uid 500); 7 Jun 2005 05:10:37 -0000
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
List-Unsubscribe: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
List-Help: <mailto:tomcat-user-help@jakarta.apache.org>
List-Post: <mailto:tomcat-user@jakarta.apache.org>
List-Id: "Tomcat Users List" <tomcat-user.jakarta.apache.org>
Reply-To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Received: (qmail 99742 invoked by uid 99); 7 Jun 2005 05:10:36 -0000
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=RCVD_BY_IP,SPF_HELO_PASS,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (hermes.apache.org: domain of antopaul@gmail.com designates
 64.233.170.202 as permitted sender)
Received: from rproxy.gmail.com (HELO rproxy.gmail.com) (64.233.170.202)
  by apache.org (qpsmtpd/0.28) with ESMTP; Mon, 06 Jun 2005 22:10:34 -0700
Received: by rproxy.gmail.com with SMTP id a41so34070rng
        for <tomcat-user@jakarta.apache.org>;
 Mon, 06 Jun 2005 22:10:20 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
        b=hAEqKhOxKfEd2n8BMtySYVh7MVW3jJV9pStRRkdkzc0DjBXXoVuhGX6EzSDZ8GC/DJo756xtp2GMVg+w6d/85C9YzmeKnqFmTDzTdCfaqL4xh7zMtXFrraLO7lPbwCIfFoDtTcJ0JeplPXfCvyVPfZ29Y7pBXYQKtvUs+TUZfAU=
Received: by 10.38.10.42 with SMTP id 42mr1222322rnj;
        Mon, 06 Jun 2005 22:03:40 -0700 (PDT)
Received: by 10.38.152.34 with HTTP; Mon, 6 Jun 2005 22:03:39 -0700 (PDT)
Message-ID: <8f1005a1050606220310f2fb79@mail.gmail.com>
Date: Tue, 7 Jun 2005 10:33:39 +0530
From: Anto Paul <antopaul@gmail.com>
Reply-To: Anto Paul <antopaul@gmail.com>
To: Tomcat Users List <tomcat-user@jakarta.apache.org>
Subject: Re: Disabling put and delete http methods...
In-Reply-To: <5CDCFDEB5B4219428E3803EA07C139B0BFDCAF@exch2003.lj.active.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
References: <5CDCFDEB5B4219428E3803EA07C139B0BFDCAF@exch2003.lj.active.com>
X-Virus-Checked: Checked
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

On 6/7/05, Peter Fellwock <Peter.Fellwock@active.com> wrote:
> Tomcat Gurus:
>=20
>=20
>=20
> How can I disable "put" and "delete" http methods?
>=20

Putting a security constraint in web.xml works. Try this in
applications web.xml. Usually it will be last element in the web.xml.

<security-constraint>
        <web-resource-collection>
            <web-resource-name>Disallowed Location</web-resource-name>
            <url-pattern>*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
 </security-constraint>


--=20
rgds
Anto Paul

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org