Reputation: 33
I am using a web security analyzer tool: Acunetix. When I scan with it, it says HTTP "OPTIONS is enabled". I did R & D on this, and then I got to know that we need to disable the OPTIONS method in the web server. I am using Payara Server (version 4.1.1.171.1) and am not finding any way to disable it. Can anyone please help me?
Upvotes: 2
Views: 2008
Reputation: 17373
You enable and/or disable HTTP methods in the deployment descriptor (web.xml) of each web application. You use security constraints which are formally specified in section 13.8 of the Servlet Specification, and therefore the approach described below is not specific to Payara, but applies to any application server supporting servlets.
The safest (i.e. most secure) approach is not to specifically disable certain HTTP methods such as OPTIONS (as mentioned in the OP), but to exclude all HTTP methods by default, and specify only the HTTP methods which are to be allowed. Here is an example from the Java EE 7 tutorial:
The simplest way to ensure that you deny all HTTP methods except those that you want to be permitted is to use http-method-omission elements to omit those HTTP methods from the security constraint, and also to define an auth-constraint that names no roles. The security constraint will apply to all methods except those that were named in the omissions, and the constraint will apply only to the resources matched by the patterns in the constraint.
For example, the following constraint excludes access to all methods except GET and POST at the resources matched by the pattern /company/*:
<!-- SECURITY CONSTRAINT #5 -->
<security-constraint>
    <display-name>Deny all HTTP methods except GET and POST</display-name>
    <web-resource-collection>
        <url-pattern>/company/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
You are using Payara 4.1, which supports EE 7, so look at the section titled Securing HTTP Resources in the Java EE 7 Tutorial for full details on how to do this.
Section 13.8.2 of the Servlet Specification Version 3.1 also has a very detailed example.
Upvotes: 1
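A way to check which methods such a constraint actually denies, as an added example that is not part of the original answer: the script embeds a constructed web.xml carrying the constraint above and applies the url-pattern and http-method-omission rules from section 13.8 to a given request. The helper names (`method_denied` and friends) are my own, and the check treats an empty `<auth-constraint/>` covering the request as a deny without modelling how several overlapping constraints combine.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the original post), carrying the constraint above.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/company/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def _kids(elem, name):
    # Match on the local tag name so the javaee namespace does not get in the way.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _matches(pattern, path):
    # Servlet url-pattern rules: exact, prefix "/x/*", extension "*.ext", default "/".
    if pattern in (path, "/"):
        return True
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return pattern.startswith("*.") and path.endswith(pattern[1:])

def method_denied(web_xml, path, method):
    """True if a constraint with an empty <auth-constraint/> covers this path and method."""
    method = method.upper()
    for sc in _kids(ET.fromstring(web_xml), "security-constraint"):
        auth = _kids(sc, "auth-constraint")
        if not auth or _kids(auth[0], "role-name"):
            continue  # no auth-constraint, or roles named: not an unconditional deny
        for wrc in _kids(sc, "web-resource-collection"):
            if not any(_matches(p.text.strip(), path) for p in _kids(wrc, "url-pattern")):
                continue
            omitted = {m.text.strip().upper() for m in _kids(wrc, "http-method-omission")}
            listed = {m.text.strip().upper() for m in _kids(wrc, "http-method")}
            # Omissions cover every method not named; http-method covers only those named;
            # neither element present means every method is covered.
            covered = (method not in omitted) if omitted else (not listed or method in listed)
            if covered:
                return True
    return False

if __name__ == "__main__":
    for m in ("GET", "POST", "OPTIONS", "TRACE"):
        state = "denied" if method_denied(WEB_XML, "/company/staff", m) else "allowed"
        print(f"{m:7} /company/staff -> {state}")
```

Run it against your own web.xml (read the file into `method_denied`) to confirm that OPTIONS comes back as denied for the paths the scanner flagged, and remember that paths outside every url-pattern stay unconstrained.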