Resolution
Option 1 -Using RewriteValve (can apply globally)
You can use RewriteValve to disable the http methods. Take a look atdocumentation http://docs.jboss.org/jbossweb/2.1.x/rewrite.html.You will need one RewriteCond directive and one RewriteRule.
In your RewriteCond directive you could specify all methods with use of the REQUEST_METHOD servervariable, for example:
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]
then your RewriteRule can mark those as forbidden (it immediately sends back aHTTP response of 403 (FORBIDDEN)), for example:
RewriteRule .* - [F]
For EAP6:
RewriteValve can be configured asglobal valve in domain.xml or standalone.xml. You can add the <rewrite> tag to the <virtual-server> configuration of the web subsystem.
.. ..
<subsystem xmlns="urn:jboss:domain:web:1.1"default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1"scheme="http" socket-binding="http"/>
<virtual-server name="default-host"enable-welcome-root="true">
<rewritepattern=".*" substitution="-" flags="F">
<condition test="%{REQUEST_METHOD}"pattern="^(PUT|DELETE|TRACE|OPTIONS)$" flags="NC" />
</rewrite>
</virtual-server>
</subsystem>
.. ..
Option 2 - web.xml Security constraints(per WAR)
This can be done by adding security constraints to theapplication's web.xml. For example:
.. ..
<security-constraint>
<web-resource-collection>
<web-resource-name>NoAccess</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
.. ..
In the above example, access the following http requests DELETE, PUT, OPTIONS, POST aredisabled by default.
You can also restrict all methods other than explicitlyallowed ones by doing like:
.. ..
<security-constraint>
<web-resource-collection>
<web-resource-name>NoAccess</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>AllowedMethods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
</security-constraint>
.. ..
See the Java ServletSpecification and also The Java EE 5Tutorial - "Declaring Security Requirements in a DeploymentDescriptor" for more information.
Option 3 -Using Apache httpd mod_rewrite in front of JBoss
If you are fronting JBoss with Apache httpd, you can alsoapply the above rewrite rules in the httpd.conf.:
For example:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]
RewriteRule .* - [F]
To verify theabove configuration:
You can use curl command to test if the configuration change iseffective: For example:
curl -v -XTRACE http://hostname:port/appContext
curl -v -XDELETE http://hostname:port/appContex