How to disable certain HTTP methods (PUT, DELETE, TRACE and OPTIONS) in JBOSS7 .
Resolution
Option 1 -Using RewriteValve (can apply globally)
You can use RewriteValve to disable the http methods. Take a look atdocumentation http://docs.jboss.org/jbossweb/2.1.x/rewrite.html.You will need one RewriteCond directive and one RewriteRule.
In your RewriteCond directive you could specify all methods with use of the REQUEST_METHOD servervariable, for example:
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]
then your RewriteRule can mark those as forbidden (it immediately sends back aHTTP response of 403 (FORBIDDEN)), for example:
RewriteRule .* - [F]
For EAP6:
RewriteValve can be configured asglobal valve in domain.xml or standalone.xml. You can add the <rewrite> tag to the <virtual-server> configuration of the web subsystem.
.. ..
<subsystem xmlns="urn:jboss:domain:web:1.1"default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1"scheme="http" socket-binding="http"/>
<virtual-server name="default-host"enable-welcome-root="true">
<rewritepattern=".*" substitution="-" flags="F">
<condition test="%{REQUEST_METHOD}"pattern="^(PUT|DELETE|TRACE|OPTIONS)$" flags="NC" />
</rewrite>
</virtual-server>
</subsystem>
.. ..
Option 2 - web.xml Security constraints(per WAR)
This can be done by adding security constraints to theapplication's web.xml. For example:
.. ..
<security-constraint>
<web-resource-collection>
<web-resource-name>NoAccess</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
.. ..
In the above example, access the following http requests DELETE, PUT, OPTIONS, POST aredisabled by default.
You can also restrict all methods other than explicitlyallowed ones by doing like:
.. ..
<security-constraint>
<web-resource-collection>
<web-resource-name>NoAccess</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>AllowedMethods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
</security-constraint>
.. ..
See the Java ServletSpecification and also The Java EE 5Tutorial - "Declaring Security Requirements in a DeploymentDescriptor" for more information.
Option 3 -Using Apache httpd mod_rewrite in front of JBoss
If you are fronting JBoss with Apache httpd, you can alsoapply the above rewrite rules in the httpd.conf.:
For example:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]
RewriteRule .* - [F]
To verify theabove configuration:
You can use curl command to test if the configuration change iseffective: For example:
curl -v -XTRACE http://hostname:port/appContext
curl -v -XDELETE http://hostname:port/appContex
How to disable certain HTTP methods (PUT, DELETE, TRACE and OPTIONS) in JBOSS7 .的更多相关文章
- HTTP Method详细解读(`GET` `HEAD` `POST` `OPTIONS` `PUT` `DELETE` `TRACE` `CONNECT`)
前言 HTTP Method的历史: HTTP 0.9 这个版本只有GET方法 HTTP 1.0 这个版本有GET HEAD POST这三个方法 HTTP 1.1 这个版本是当前版本,包含GET HE ...
- HTTP Method 详细解读(`GET` `HEAD` `POST` `OPTIONS` `PUT` `DELETE` `TRACE` `CONNECT`)--转
前言 HTTP Method的历史: HTTP 0.9 这个版本只有GET方法 HTTP 1.0 这个版本有GET HEAD POST这三个方法 HTTP 1.1 这个版本是当前版本,包含GET HE ...
- http协议中:GET/POST/PUT/DELETE/TRACE/OPTIONS/HEAD方法
###1 HTTP/1.1协议中共定义了八种方法(有时也叫"动作")来表明Request-URI指定的资源的不同操作方式: OPTIONS 返回服务器针对特定资源所支持的HTTP请 ...
- 使用nmap查看web服务支持的http methods
安装nmap yum install nmap 查看web server支持的http methods u02 ~]$ nmap -p --script http-methods www.somewh ...
- httpcomponents-client-4.4.x
Chapter 1. Fundamentals Prev Next Chapter 1. Fundamentals 1.1. Request execution The most essent ...
- httpcomponents-client-ga(4.5)
http://hc.apache.org/httpcomponents-client-ga/tutorial/html/ Chapter 1. Fundamentals Prev Next ...
- [Android] HttpURLConnection & HttpClient & Socket
Android的三种网络联接方式 1.标准Java接口:java.net.*提供相关的类//定义地址URL url = new URL("http://www.google.com" ...
- HttpClient_4 用法 由HttpClient_3 升级到 HttpClient_4 必看
转自:http://www.blogjava.net/stevenjohn/archive/2012/09/26/388609.html HttpClient程序包是一个实现了 HTTP 协议的客户端 ...
- Android网络连接之HttpURLConnection和HttpClient
1.概念 HTTP 协议可能是现在 Internet 上使用得最多.最重要的协议了,越来越多的 Java 应用程序需要直接通过 HTTP 协议来访问网络资源.在 JDK 的 java.net 包中 ...
随机推荐
- html5文章 -- HTML5开发实例-网易微博手机Web App开发过程
HTML5在国内外越来越受到互联网开发团队的青睐.国外,谷歌兴致勃勃地开发Chrome Web Store,微软发布了支持使用HTML5技术开发的“Irish Spring”主题网站,诺基亚斥巨资购得 ...
- 星外虚拟主机跨web目录文件读取漏洞
星外虚拟主机跨目录读取文件漏洞,需要一定条件. 问题发生在以下文件,这些文件都没有严格的设置执行权限,当前的IIS用户能够顺利的利用它们执行命令: c:\windows\7i24IISLOG.exe ...
- sql对应C#的类型
- 插入随机数到MySQL数据库
我们经常会遇到使用随机的问题,下面就是一种解决随机数的方法. 在构造测试数据时,我们需要对测试表插入随机数据.构造测试数据的方法如下,仅以update为例说明 步骤1:随机数的SQL函数为rand() ...
- HDU 1069 Monkey and Banana(二维偏序LIS的应用)
---恢复内容开始--- Monkey and Banana Time Limit: 2000/1000 MS (Java/Others) Memory Limit: 65536/32768 K ...
- WAMP数据库环境搭建
php.ini: date.timezone = Etc/GMT-8//设置北京时间 my.ini: character_set_server=utf8//设置utf8 innodb_force_re ...
- HW 研发体系机构的几个术语
PDT(product development team)产品开发团队 类似于产品经理 程序员 -- PL -- PM --开发代表 -- PDT LEADER --------------- ...
- java项目——数据结构实验报告
java项目——数据结构总结报告 20135315 宋宸宁 实验要求 1.用java语言实现数据结构中的线性表.哈希表.树.图.队列.堆栈.排序查找算法的类. 2.设计集合框架,使用泛型实现各类. ...
- sublime3的安装和注册,和前端利器emmet插件的安装。
1.下载sublime3,在网上搜索sublime3,在官网下载即可. 2.下载后安装,直接下一步下一步即可安装. 3.注册. 在help菜单中,enter license里面输入 —– BEGIN ...
- 将数据导入hive,将数据从hive导出
一:将数据导入hive(六种方式) 1.从本地导入 load data local inpath 'file_path' into table tbname; 用于一般的场景. 2.从hdfs上导入数 ...