Disable OPTIONS Method Jetty Server

Question

I have developed a web application which has set of GET and Post calls. I want to block my Jetty webserver for OPTIONS call.

Currently I get something like this in response.

HTTP/1.1 200 OK
Date: Tue, 28 Apr 2015 07:41:50 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS
Cache-Control: max-age=0
Expires: Tue, 28 Apr 2015 07:41:50 GMT
Content-Length: 0
Connection: close
Content-Type: httpd/unix-directory

I dont want to ALLOW - Options method type. Can someone tell me how can I disable it from jetty servers property file? I am not able to find any property for this.

I'm curious... Why would you want to do this? – Jason Desrosiers Apr 29 '15 at 06:43 — Jason Desrosiers, Apr 29 '15 at 06:43

score 0 · Answer 1 · answered Apr 28 '15 at 12:32

You can disable it for specific webapps using a technique similar to how TRACE is disabled.

See the jetty-distribution etc/webdefault.xml

How to do this ...

Edit your webapp's WEB-INF/web.xml and add the following

  <!-- ==================================================================== -->
  <!-- Disable OPTIONS method with security constraint                      -->
  <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable OPTIONS</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Enable everything but OPTIONS</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method-omission>OPTIONS</http-method-omission>
    </web-resource-collection>
  </security-constraint>

Disable OPTIONS Method Jetty Server

1 Answers1

Linked