Adding security-constraint in web.xml is blocking access to all resources

Question

I am trying to block unused http methods (OPTIONS,TRACE,DELETE) using web.xml security constraint element. But it is blocking all the existing resources and throwing 302 response.

My web.xml is shown below.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application  2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
 <display-name>eServices</display-name>
<filter>
<filter-name>sessionvalidator</filter-name>
<filter-class>util.SessionFilter</filter-class>
<init-param>
 <param-name>avoid-urls</param-name>
 <param-value>/index.jsp</param-value>
</init-param>
</filter>
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>sessionvalidator</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>120</session-timeout>
</session-config>
<welcome-file-list>
 <welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<taglib>
<taglib-uri>/dateFormat</taglib-uri>
<taglib-location>/WEB-INF/tlds/customfunctions.tld</taglib-location>
</taglib>
<security-constraint>
  <display-name>Restricted</display-name>
  <web-resource-collection>
      <web-resource-name>restrictAccess</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
   <http-method>TRACE</http-method>
   <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint/>
   </security-constraint>
 </web-app>

This is blocking all GET requests. Initially i tried to add GET,PUT, POST only to accept requests and later tried almost all the ways.

<security-constraint>
  <display-name>Restricted</display-name>
  <web-resource-collection>
      <web-resource-name>restrictAccess</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
  </web-resource-collection>
</security-constraint>

FYI, am not using any roles, and authentication here.

I tried the steps given in http://www.j2eeprogrammer.com/2011/11/disabling-certain-http-methods-in.html — jack, Feb 09 '15 at 09:25
A slightly better description than the link you provided: http://www.techstacks.com/howto/disable-http-methods-in-tomcat.html — Display Name is missing, Feb 11 '15 at 17:02

Adding security-constraint in web.xml is blocking access to all resources

0 Answers0