tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lori Ronning" <>
Subject disable HTTP Methods DELETE, PUT
Date Wed, 24 Oct 2007 22:59:00 GMT


I'm using Tomcat 5.5.23 on Windows XP Pro.  I have a Java application that
uses spring and acegi for security and configuration.  I only want the GET,
POST and HEAD HTTP methods to be allowed, so I have added the following to
various web.xml and nothing seems to work.


If I make requests to the application running at "/cp" I get a 500 error
back from the app for DELETE and PUT, not the 403 I would assume.  If I add
GET and POST to this list then I do get a 403 error back for GET and POST,
but continue to get the 500 internal server error for DELETE and PUT.  And I
can see that those methods were called on the application, though the
servlet doesn't define methods for them.

I also added a simple index.html file at the ROOT "/" and made HTTP requests
on it.  I get 403 error back for all the specified methods above.  So it
appears to work for ROOT "/".

I have added to the tomcat web.xml in <tomcat home>/conf as well as the
application's WEB-INF directory.  I have removed our SSL forwarding in case
that is causing a problem (since GET and POST are using SSL forwarding) and
I still get the same results.

Any ideas?


Lori Ronning
Senior Software Engineer 

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message