How to disable certain HTTP methods (PUT, DELETE, TRACE and OPTIONS) in JBOSS7 .
Resolution
Option 1 -Using RewriteValve (can apply globally)
You can use RewriteValve to disable the http methods. Take a look atdocumentation http://docs.jboss.org/jbossweb/2.1.x/rewrite.html.You will need one RewriteCond directive and one RewriteRule.
In your RewriteCond directive you could specify all methods with use of the REQUEST_METHOD servervariable, for example:
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]
then your RewriteRule can mark those as forbidden (it immediately sends back aHTTP response of 403 (FORBIDDEN)), for example:
RewriteRule .* - [F]
For EAP6:
RewriteValve can be configured asglobal valve in domain.xml or standalone.xml. You can add the <rewrite> tag to the <virtual-server> configuration of the web subsystem.
.. ..
<subsystem xmlns="urn:jboss:domain:web:1.1"default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1"scheme="http" socket-binding="http"/>
<virtual-server name="default-host"enable-welcome-root="true">
<rewritepattern=".*" substitution="-" flags="F">
<condition test="%{REQUEST_METHOD}"pattern="^(PUT|DELETE|TRACE|OPTIONS)$" flags="NC" />
</rewrite>
</virtual-server>
</subsystem>
.. ..
Option 2 - web.xml Security constraints(per WAR)
This can be done by adding security constraints to theapplication's web.xml. For example:
.. ..
<security-constraint>
<web-resource-collection>
<web-resource-name>NoAccess</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
.. ..
In the above example, access the following http requests DELETE, PUT, OPTIONS, POST aredisabled by default.
You can also restrict all methods other than explicitlyallowed ones by doing like:
.. ..
<security-constraint>
<web-resource-collection>
<web-resource-name>NoAccess</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>AllowedMethods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
</security-constraint>
.. ..
See the Java ServletSpecification and also The Java EE 5Tutorial - "Declaring Security Requirements in a DeploymentDescriptor" for more information.
Option 3 -Using Apache httpd mod_rewrite in front of JBoss
If you are fronting JBoss with Apache httpd, you can alsoapply the above rewrite rules in the httpd.conf.:
For example:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]
RewriteRule .* - [F]
To verify theabove configuration:
You can use curl command to test if the configuration change iseffective: For example:
curl -v -XTRACE http://hostname:port/appContext
curl -v -XDELETE http://hostname:port/appContex
How to disable certain HTTP methods (PUT, DELETE, TRACE and OPTIONS) in JBOSS7 .的更多相关文章
- HTTP Method详细解读(`GET` `HEAD` `POST` `OPTIONS` `PUT` `DELETE` `TRACE` `CONNECT`)
前言 HTTP Method的历史: HTTP 0.9 这个版本只有GET方法 HTTP 1.0 这个版本有GET HEAD POST这三个方法 HTTP 1.1 这个版本是当前版本,包含GET HE ...
- HTTP Method 详细解读(`GET` `HEAD` `POST` `OPTIONS` `PUT` `DELETE` `TRACE` `CONNECT`)--转
前言 HTTP Method的历史: HTTP 0.9 这个版本只有GET方法 HTTP 1.0 这个版本有GET HEAD POST这三个方法 HTTP 1.1 这个版本是当前版本,包含GET HE ...
- http协议中:GET/POST/PUT/DELETE/TRACE/OPTIONS/HEAD方法
###1 HTTP/1.1协议中共定义了八种方法(有时也叫"动作")来表明Request-URI指定的资源的不同操作方式: OPTIONS 返回服务器针对特定资源所支持的HTTP请 ...
- 使用nmap查看web服务支持的http methods
安装nmap yum install nmap 查看web server支持的http methods u02 ~]$ nmap -p --script http-methods www.somewh ...
- httpcomponents-client-4.4.x
Chapter 1. Fundamentals Prev Next Chapter 1. Fundamentals 1.1. Request execution The most essent ...
- httpcomponents-client-ga(4.5)
http://hc.apache.org/httpcomponents-client-ga/tutorial/html/ Chapter 1. Fundamentals Prev Next ...
- [Android] HttpURLConnection & HttpClient & Socket
Android的三种网络联接方式 1.标准Java接口:java.net.*提供相关的类//定义地址URL url = new URL("http://www.google.com" ...
- HttpClient_4 用法 由HttpClient_3 升级到 HttpClient_4 必看
转自:http://www.blogjava.net/stevenjohn/archive/2012/09/26/388609.html HttpClient程序包是一个实现了 HTTP 协议的客户端 ...
- Android网络连接之HttpURLConnection和HttpClient
1.概念 HTTP 协议可能是现在 Internet 上使用得最多.最重要的协议了,越来越多的 Java 应用程序需要直接通过 HTTP 协议来访问网络资源.在 JDK 的 java.net 包中 ...
随机推荐
- sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"问题解决
安装一个软件时,遇到这个问题sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" 上网 ...
- 【液晶模块系列基础视频】5.4.X-GUI字体驱动4
============================= 技术论坛:http://www.eeschool.org 博客地址:http://xiaomagee.cnblogs.com 官方网店:ht ...
- POJ 2528 Mayor's posters(线段树区间染色+离散化或倒序更新)
Mayor's posters Time Limit: 1000MS Memory Limit: 65536K Total Submissions: 59239 Accepted: 17157 ...
- JavaScript系列:常用方法
文本框输入实时验证身份证号 charAt(索引)<=>indexOf(字符) <!DOCTYPE html> <head> <meta charset=&qu ...
- Nginx 笔记与总结(7)Location:正则匹配
在 /usr/local/nginx/conf/nginx.conf 的默认 server 段中,保留默认的 location 信息(之前测试的 location 配置删除): location / ...
- unity3d 基于物理渲染的问题解决
最近1个月做了unity 次世代开发的一些程序方面的支持工作,当然也是基于物理渲染相关的,主要还是skyshop marmoset的使用吧,他算是unity4.x版本 PBR的优秀方案之一了但在使用以 ...
- 用 BigDump 工具导入超大 MySQL 数据库备份文件
用 BigDump 工具导入超大 MySQL 数据库备份文件 创建于 2010-07-01, 周四 00:00 作者 白建鹏 在<Joomla! 1.5 网站防黑9条戒律>这篇文章中, ...
- 关于APP接口设计
最近一段时间一直在做APP接口,总结一下APP接口开发过程中的注意事项: 1.效率:接口访问速度 APP有别于WEB服务,对服务器端要求是比较严格的,在移动端有限的带宽条件下,要求接口响应速度要快,所 ...
- PowerDesigner连接MySQL,建立逆向工程图解
传说中,程序员们喜欢用powerDesign进行数据库建模.通常都是先设计出物理模型图,在转换出数据库需要的SQL语句,从而生成数据库.但,江湖中流传着"powerDesign逆向工程&qu ...
- JavaScript判断文件的大小
function getFileSize(obj) {//obj 需要传入的参数为Input的对象 var objValue = obj.value; if (objValue == " ...