Reputation: 21
I'm trying to disable the JBoss HTTP OPTIONS method. Using the following syntax in the web.xml in JBoss, I can disable all the HTTP methods except OPTIONS. Is there a way to successfully disable the http-method OPTIONS?
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted</web-resource-name>
<description>Declarative security tests</description>
<url-pattern>/EVE/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
<description>Only authenticated users can access secure content</description>
<role-name>AuthorizedUser</role-name>
</auth-constraint>
<user-data-constraint>
<description>no description</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted 2</web-resource-name>
<description>Declarative security tests</description>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
<description>Only authenticated users can access secure content</description>
<role-name>AuthorizedUser</role-name>
</auth-constraint>
<user-data-constraint>
<description>no description</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
Upvotes: 2
Views: 14551
Reputation: 419
You can add the following property to the http-listener and https-listener within the undertow subsystem in the standalone XML file. By default it only disables the HTTP method TRACE. You need to put in the methods that you need to disable.
disallowed-methods="HTTP Methods"
For example, the following disables the HTTP methods HEAD, OPTIONS and TRACE.
<server name="default-server">
<http-listener name="default" socket-binding="http" max-post-size="419430400" disallowed-methods="HEAD OPTIONS TRACE" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" max-post-size="419430400" disallowed-methods="HEAD OPTIONS TRACE" security-realm="ApplicationRealm" enable-http2="true"/>
....
</server>
Upvotes: 0
Reputation: 348
Using the response of Ravikant Sharma (thanks)
Find the server.xml
(in my case /jboss-5.1.0.GA/server/default/deploy/jbossweb.sar)
Inside the <Engine> and <Host> tags you can see a <Valve> tag; you should insert a new Valve tag like this:
<Valve className="org.jboss.web.rewrite.RewriteValve" />
Then, in the config folder (in my case /jboss-5.1.0.GA/server/default/conf/), see if you have the following path and file (if you don't, you need to create it): /jboss.web/localhost/rewrite.properties
Inside the above file add the below lines:
RewriteCond %{REQUEST_METHOD} ^(OPTIONS)$ [NC]
RewriteRule .* - [F]
So before the configuration you see the below result:
curl -i -X OPTIONS http://192.168.133.1:8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Content-Length: 0
Date: Wed, 28 Dec 2016 01:13:37 GMT
After configuration, you will see the below output:
curl -i -X OPTIONS http://192.168.133.1:8080
HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Wed, 28 Dec 2016 01:19:34 GMT
Upvotes: 1
Reputation: 1363
Option 1 - Using RewriteValve (can apply globally)
You can use RewriteValve to disable the HTTP methods. Take a look at the documentation. You will need one RewriteCond directive and one RewriteRule.
In your RewriteCond directive you could specify all methods with use of the REQUEST_METHOD server variable, for example:
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]
then your RewriteRule can mark those as forbidden (it immediately sends back an HTTP response of 403 (FORBIDDEN)), for example:
RewriteRule .* - [F]
In the case of JBoss EAP 6:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<rewrite pattern=".*" substitution="-" flags="F">
<condition test="%{REQUEST_METHOD}" pattern="^(PUT|DELETE|TRACE|OPTIONS)$" flags="NC" />
</rewrite>
</virtual-server>
</subsystem>
Apart from this, as said in the above answer, it can be done via web.xml per WAR.
To check the above, use:
curl -v -X TRACE http://hostname:port/appContext
curl -v -X DELETE http://hostname:port/appContext
Upvotes: 4
Reputation: 291
Here are the ways to limit HTTP methods in a web application:
1. Adding security constraints in web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>NoAccess</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>TRACE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
Here DELETE, TRACE and OPTIONS are restricted for all URLs. curl -kvv -X DELETE <url> will give 403 Forbidden.
2. Using Rewrite rules in domain.xml
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<rewrite pattern=".*" substitution="-" flags="F">
<condition test="%{REQUEST_METHOD}" pattern="^(DELETE|TRACE|OPTIONS)$" flags="NC" />
</rewrite>
</virtual-server>
</subsystem>
3. Using mod_rewrite in httpd
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(DELETE|TRACE|OPTIONS)$ [NC]
RewriteRule .* - [F]
Upvotes: 2
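As an added example (not code from this thread or from JBoss), a small Python audit that reads a web.xml and reports, per URL pattern and method, whether a security-constraint denies the method to everyone (the empty <auth-constraint/> used in the last answer) or merely restricts it to a role (the question's web.xml, where any AuthorizedUser can still send OPTIONS to /EVE/*). SAMPLE_WEB_XML is constructed from the fragments in this thread; the merge rule for overlapping constraints follows the Servlet spec, with ranking denied over open being an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on this thread's web.xml fragments: the question's
# role-gated constraint on /EVE/* and the last answer's empty <auth-constraint/>.
SAMPLE_WEB_XML = """<web-app>
 <security-constraint><web-resource-collection>
   <web-resource-name>Restricted</web-resource-name><url-pattern>/EVE/*</url-pattern>
   <http-method>PUT</http-method><http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>AuthorizedUser</role-name></auth-constraint>
 </security-constraint>
 <security-constraint><web-resource-collection>
   <web-resource-name>NoAccess</web-resource-name><url-pattern>/*</url-pattern>
   <http-method>DELETE</http-method><http-method>TRACE</http-method>
   <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint/>
 </security-constraint>
</web-app>"""

def _kids(elem, name):
    # Compare local names so a namespaced (xmlns="...") web.xml works too.
    return [c for c in elem if c.tag.rsplit('}', 1)[-1] == name]

def merge_outcomes(old, new):
    # Servlet-spec merge when two constraints cover one pattern/method: an empty
    # <auth-constraint/> denies despite roles named elsewhere, a constraint with
    # no <auth-constraint> opens it, otherwise role lists are unioned.
    # Ranking 'denied' above 'open' is an assumption; the spec leaves that vague.
    if old is None:
        return new
    if 'denied' in (old, new):
        return 'denied'
    if 'open' in (old, new):
        return 'open'
    return 'role:' + ','.join(sorted(set(old[5:].split(',')) | set(new[5:].split(','))))

def audit_constraints(web_xml_text):
    """{(url_pattern, METHOD): 'denied' | 'open' | 'role:<names>'}; METHOD is
    '*' when a collection lists no <http-method>, i.e. it covers every method."""
    result = {}
    for sc in _kids(ET.fromstring(web_xml_text), 'security-constraint'):
        auth = _kids(sc, 'auth-constraint')
        roles = sorted(r.text.strip() for a in auth[:1] for r in _kids(a, 'role-name'))
        outcome = 'open' if not auth else ('role:' + ','.join(roles) if roles else 'denied')
        for wrc in _kids(sc, 'web-resource-collection'):
            methods = [m.text.strip().upper() for m in _kids(wrc, 'http-method')] or ['*']
            for pat in _kids(wrc, 'url-pattern'):
                for m in methods:
                    key = (pat.text.strip(), m)
                    result[key] = merge_outcomes(result.get(key), outcome)
    return result
```

Any entry whose outcome is not 'denied' is a method some caller can still use, which is the gap the question's role-gated constraint leaves open for OPTIONS.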