I know this should be a simple one, but we can't get it to work. We are trying to restrict all Trace, Put and Delete methods to Tomcat so that we can clean up our vulnerability scans.
We've tried adding the following in the /tomcat/conf/web.xml file as well as all of the /tomcat/webapps/*/WEB-INF/web.xml files and we haven't seen a change in behaviour. Any ideas on where to look next?
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>