How to disable certain HTTP methods (PUT, DELETE, TRACE and OPTIONS) in JBOSS7 .

Resolution

Option 1 -Using RewriteValve (can apply globally)

You can use RewriteValve to disable the http methods. Take a look atdocumentation http://docs.jboss.org/jbossweb/2.1.x/rewrite.html.You will need one RewriteCond directive and one RewriteRule.

In your RewriteCond directive you could specify all methods with use of the REQUEST_METHOD servervariable, for example:

RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]

then your RewriteRule can mark those as forbidden (it immediately sends back aHTTP response of 403 (FORBIDDEN)), for example:

RewriteRule .* - [F]

For EAP6:

RewriteValve can be configured asglobal valve in domain.xml or standalone.xml. You can add the <rewrite> tag to the <virtual-server> configuration of the web subsystem.

.. ..

<subsystem xmlns="urn:jboss:domain:web:1.1"default-virtual-server="default-host" native="false">

    <connector name="http" protocol="HTTP/1.1"scheme="http" socket-binding="http"/>

    <virtual-server name="default-host"enable-welcome-root="true">

        <rewritepattern=".*" substitution="-" flags="F">

           <condition test="%{REQUEST_METHOD}"pattern="^(PUT|DELETE|TRACE|OPTIONS)$" flags="NC" />

    </rewrite>

    </virtual-server>

</subsystem>

.. ..

Option 2 - web.xml Security constraints(per WAR)

This can be done by adding security constraints to theapplication's web.xml. For example:

.. ..

<security-constraint>

    <web-resource-collection>

       <web-resource-name>NoAccess</web-resource-name>

       <url-pattern>/*</url-pattern>

         <http-method>DELETE</http-method>

         <http-method>PUT</http-method>

         <http-method>OPTIONS</http-method>

         <http-method>TRACE</http-method>

         <http-method>POST</http-method>

    </web-resource-collection>

    <auth-constraint/>

</security-constraint>

.. ..

In the above example, access the following http requests DELETE, PUT, OPTIONS, POST aredisabled by default.

You can also restrict all methods other than explicitlyallowed ones by doing like:

.. ..

<security-constraint>

    <web-resource-collection>

       <web-resource-name>NoAccess</web-resource-name>

       <url-pattern>/*</url-pattern>   

    </web-resource-collection>   

    <auth-constraint/>

</security-constraint>

<security-constraint> 

    <web-resource-collection>    

        <web-resource-name>AllowedMethods</web-resource-name>    

        <url-pattern>/*</url-pattern>    

          <http-method>GET</http-method>

         <http-method>POST</http-method>

         <http-method>HEAD</http-method>

    </web-resource-collection>

</security-constraint>

.. ..

See the Java ServletSpecification and also The Java EE 5Tutorial - "Declaring Security Requirements in a DeploymentDescriptor" for more information.

Option 3 -Using Apache httpd mod_rewrite in front of JBoss

If you are fronting JBoss with Apache httpd, you can alsoapply the above rewrite rules in the httpd.conf.:

For example:

RewriteEngine On

 

RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]

RewriteRule .* - [F]

To verify theabove configuration:

You can use curl command to test if the configuration change iseffective: For example:

curl -v -XTRACE http://hostname:port/appContext

curl -v -XDELETE http://hostname:port/appContex