tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lori Ronning" <lronn...@translations.com>
Subject disable HTTP Methods DELETE, PUT
Date Wed, 24 Oct 2007 22:59:00 GMT

Hi.

I'm using Tomcat 5.5.23 on Windows XP Pro.  I have a Java application that
uses spring and acegi for security and configuration.  I only want the GET,
POST and HEAD HTTP methods to be allowed, so I have added the following to
various web.xml and nothing seems to work.

<security-constraint>
    <web-resource-collection> 
	<web-resource-name>DisabledMethods</web-resource-name>
            <url-pattern>/*</url-pattern>
			<http-method>DELETE</http-method>
                  <http-method>PUT</http-method>
			<http-method>TRACE</http-method>
                  <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
    </security-constraint> 

If I make requests to the application running at "/cp" I get a 500 error
back from the app for DELETE and PUT, not the 403 I would assume.  If I add
GET and POST to this list then I do get a 403 error back for GET and POST,
but continue to get the 500 internal server error for DELETE and PUT.  And I
can see that those methods were called on the application, though the
servlet doesn't define methods for them.

I also added a simple index.html file at the ROOT "/" and made HTTP requests
on it.  I get 403 error back for all the specified methods above.  So it
appears to work for ROOT "/".

I have added to the tomcat web.xml in <tomcat home>/conf as well as the
application's WEB-INF directory.  I have removed our SSL forwarding in case
that is causing a problem (since GET and POST are using SSL forwarding) and
I still get the same results.

Any ideas?

Thanks!

Lori Ronning
Senior Software Engineer
Translations.com
lronning@translations.com 


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message