3

I send a curl command with OPTIONS request method to my dropwizard application. I get a 200 Ok and POST and OPTIONS methods allowed as response.

How do i stop this from happening for security reasons as this provides some info about what are supported.

I tried implementing a custom request filter that responds with 405 not allowed for options method and added to a resource using NameBinding and but I think OPTIONS request does not reach at that point and so I am still getting 200OK and the same POST, OPTIONS plain text response.

I also tried using CrossOriginFilter.class in environment.servlets.addFilter() and configured it to not allow OPTIONS request. but that also did not work.

I got another post here : Disable OPTIONS Method Jetty Server

but how do i achieve this in dropwizard via java code ?

Daniel Widdis
  • 8,424
  • 13
  • 41
  • 63
Mukul Anand
  • 606
  • 6
  • 24

2 Answers2

2

You can disable the OPTIONS request on a global application level in DW by specifying which methods are allowed on the YAML configuration file:

server:
  allowedMethods:
  - GET

The applications is now returning 405 on all OPTION requests.

André Barbosa
  • 684
  • 1
  • 6
  • 14
2

I figured it out,

In context of dropwizard:

Two ways to achieve this are

  1. [Easy way] Create a request filter and filter based on a list of URLs that you want to disable OPTIONS request.

  2. [Cool way] If you want to do with an annotation based filter like @OptionsFilter on a specific API resource method.

Detailed 2nd method: First , you need to extend ApplicationEventListener and register all such methods and during APPLICATION_START event (using reflection). Then, you also extend RequestEventListener and listen to the event and then find the method from the uriInfo which you get in request context and then check in the list of methods that you created at application startup. For more sample implementation, see how @UnitOfWork annotation works and sets the SessionFactory for a resource method.

Mukul Anand
  • 606
  • 6
  • 24