Description: Tomcat can be configured not to respond to specific HTTP methods such as OPTIONS, PUT, DELETE, CONNECT and TRACE.
Issue/Introduction
Disabling HTTP methods in Administrator Tomcat.
Environment
OS: All
Resolution
This can be configured at the instance level by inserting a <security-constraint> element directly under the <web-app> element in the installation's web.xml file located at: $TIBCO_HOME/administrator/domain/domainname/tomcat/conf/web.xml
The added <security-constraint> may look like this:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
      </web-resource-collection>
      <auth-constraint/>
    </security-constraint>
The configuration above disables the HTTP methods DELETE, OPTIONS and TRACE. If TRACE is still not disabled, open $TIBCO_HOME/administrator/domain/domainname/tomcat/conf/server.xml and set allowTrace="false" on the HTTP Connector element. The Administrator server must be restarted for the change to take effect.
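The following is an added example, not part of the original article or TIBCO's tooling: a small offline check that reads a web.xml and reports which HTTP methods are actually denied to every caller for a URL pattern. The sample document, including its second constraint that lacks an <auth-constraint>, is constructed for illustration, and ALL_METHODS is an assumed finite list of methods.

```python
import xml.etree.ElementTree as ET

ALL_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
# Constructed sample: the article's constraint plus one with no <auth-constraint>.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern><http-method>PUT</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

def children(elem, name):
    # Match on local name so namespaced web.xml files parse too.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def texts(elem, name):
    return {(c.text or "").strip() for c in children(elem, name)}

def denied_methods(web_xml_text, url_pattern="/*"):
    """Methods denied to all callers for url_pattern."""
    denied = set()
    for sc in children(ET.fromstring(web_xml_text), "security-constraint"):
        auth = children(sc, "auth-constraint")
        # Only an empty <auth-constraint/> denies everyone; a missing one
        # or one with role-name entries does not.
        if not auth or children(auth[0], "role-name"):
            continue
        for wrc in children(sc, "web-resource-collection"):
            if url_pattern not in texts(wrc, "url-pattern"):
                continue
            listed = texts(wrc, "http-method")
            # No <http-method> listed means the constraint covers every method.
            denied |= listed or (ALL_METHODS - texts(wrc, "http-method-omission"))
    return denied

if __name__ == "__main__":
    wanted = {"DELETE", "OPTIONS", "TRACE", "PUT"}
    print("still allowed:", sorted(wanted - denied_methods(SAMPLE)))
```

In the sample, PUT is reported as still allowed because its constraint has no empty <auth-constraint/>, which is the element that makes the constraint a deny rule.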