
I have a web application developed as a RESTful web service in Java. I am using the Jersey library. My team ran the AppScan tool on the application. That tool says "Insecure HTTP Methods Enabled" on https:///AppName/.

EDIT:

  1. I would like to know how to disable the DELETE method here.
  2. When I make an OPTIONS request to the server, it should not list DELETE among the allowed methods in the header. Thanks in advance.

1 Answer

Define in web.xml a security constraint with an empty auth constraint on the desired URL pattern and the given HTTP methods.

The below example restricts ALL DELETE and TRACE requests, regardless of URL and user.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted HTTP methods.</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
        <!-- You can specify multiple HTTP methods here. -->
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

The effect is an HTTP 403 Forbidden response.

  • Hi @BalusC, thanks for your prompt reply. The fix you suggested is already there and it's already throwing 403... What I want is to remove DELETE from the Allowed method header – Ravi Godara Aug 17 '15 at 13:11
  • Why didn't you state that as such in your question? – BalusC Aug 17 '15 at 13:12
  • I don't have Jersey at hands right now, but RESTEasy already doesn't do that when there's no `@DELETE` method anywhere in the API. Are you sure the `Allow` header is coming from Jersey and not from container or perhaps a proxy (e.g. Apache HTTPD)? Namely, this would indicate a bug in Jersey. – BalusC Aug 17 '15 at 15:17
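For the follow-up in the comments (the 403 already works, but the OPTIONS response still advertises DELETE), here is an added JAX-RS response filter, not code from the question, the answer or Jersey itself, that strips the methods blocked by the web.xml constraint from the Allow header. It assumes the filter is registered with Jersey (via package scanning of the @Provider annotation or ResourceConfig.register) and that the BLOCKED set is kept in sync with the <http-method> entries in web.xml; the security-constraint remains the actual enforcement, this only stops advertising what is already rejected.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.HttpMethod;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.ext.Provider;

/**
 * Hypothetical JAX-RS 2.x response filter (added example, not Jersey's own code).
 * On OPTIONS responses it removes from the Allow header the methods that the
 * web.xml security-constraint already answers with 403. Enforcement stays in
 * web.xml; this only changes what the container advertises to a scanner.
 */
@Provider
public class AllowHeaderFilter implements ContainerResponseFilter {

    // Must match the <http-method> entries of the web.xml security-constraint.
    // JAX-RS 2.0 HttpMethod has no TRACE constant, so it is given as a literal.
    private static final Set<String> BLOCKED =
            new LinkedHashSet<>(Arrays.asList(HttpMethod.DELETE, "TRACE"));

    @Override
    public void filter(ContainerRequestContext request,
                       ContainerResponseContext response) throws IOException {
        if (!HttpMethod.OPTIONS.equals(request.getMethod())) {
            return; // Only OPTIONS responses carry the auto-generated Allow header.
        }
        String allow = response.getHeaderString(HttpHeaders.ALLOW);
        if (allow == null) {
            return; // Nothing advertised, nothing to trim.
        }
        response.getHeaders().putSingle(HttpHeaders.ALLOW, filterAllow(allow));
    }

    /** Drops blocked methods from a comma-separated Allow value: "GET,OPTIONS,DELETE" becomes "GET,OPTIONS". */
    static String filterAllow(String allow) {
        return Arrays.stream(allow.split(","))
                .map(String::trim)
                .filter(m -> !m.isEmpty() && !BLOCKED.contains(m.toUpperCase()))
                .collect(Collectors.joining(","));
    }
}
```

If DELETE still appears after this filter is active, the header is being added downstream of Jersey (the servlet container or a reverse proxy), which is where the comment above suggests looking next.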