Disabling Servlet HTTP methods PUT, GET, POST, DELETE, TRACE and how to check whether they are working or not

 
Pawan Salwan
Greenhorn
Posts: 4
I am working on an application which allows all HTTP methods. Now we have a requirement of disabling the HTTP methods PUT, DELETE, TRACE and allowing only POST and GET, keeping security in mind. I have googled and got the following:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- empty auth-constraint: no role is permitted to use the methods listed above -->
  <auth-constraint />
</security-constraint>

Above is the code used in web.xml, as I am using Tomcat. I have put the code in there; I want to know how I should test if it's working or not. Please help on tracking this issue.
 
N Sahni
Ranch Hand
Posts: 55
Java Spring
Hi Pawan,

Welcome to the Ranch

To test various HTTP methods (GET, POST, PUT, DELETE, HEAD, OPTIONS, and TRACE), you can use Apache Commons HTTP Client.
For this you'll have to create a standalone Java client which can utilize the different HTTP methods available with Apache HTTP Client to simulate different HTTP requests.
 
Pawan Salwan
Greenhorn
Posts: 4
Hi Nilesh,

Thanks for replying. Yeah, what you mentioned is an option, but I want to know: do we have any open source tool to test, or I can say scan, the Tomcat to check whether these methods are working after disabling them in Tomcat's web.xml? If you have any idea about that it will be very helpful.
 
N Sahni
Ranch Hand
Posts: 55
Java Spring
There are some tools available:

  • For Windows: WFetch
  • For Linux: use curl
     
    Pawan Salwan
    Greenhorn
    Posts: 4
    N Sahni wrote: There are some tools available:

  • For Windows: WFetch
  • For Linux: use curl


    I have tried curl from the command line but I did not get any command that helps us to test these conditions; there are GET and POST commands. I also disabled TRACE in the web.xml, but when I run the curl command for trace like curl -trace trace.txt this command is still working; however, as per the constraint it should not work. Maybe I was doing something wrong. If you have any idea about this it will be very helpful.


    Regards,
    Pawan Salwan
     
    N Sahni
    Ranch Hand
    Posts: 55
    Java Spring
    I have tried curl from the command line but I did not get any command that helps us to test these conditions; there are GET and POST commands.


    Below are some samples for the curl command:
  • GET: curl -HAccept:text/plain http://example.com/base
  • DELETE: curl -XDELETE http://example.com/base/user/123
  • POST: curl -d "param1=value1&param2=value2" http://example.com/base/

  • curl -X is used to specify a custom HTTP request method. Please refer to the curl manual page.
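
Added example, not part of any post in this thread: a shell script that sends each method with curl -X and compares the response status with the policy the original question asks for (GET and POST allowed; PUT, DELETE, OPTIONS and TRACE blocked). The script name, the localhost URL and the rule that 403, 405 and 501 mean "blocked" are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed assumption: the policy is
# "GET and POST allowed; PUT, DELETE, OPTIONS and TRACE blocked".
# Note: `curl --trace FILE` writes a debug dump of the transfer; it does not
# send an HTTP TRACE request. `curl -X TRACE URL` does.

# classify_status CODE: map an HTTP status code to a verdict.
classify_status() {
    case "$1" in
        000)         echo "no-response" ;;    # curl could not connect
        401)         echo "auth-required" ;;
        403|405|501) echo "blocked" ;;
        2??|3??)     echo "allowed" ;;
        *)           echo "inconclusive" ;;   # e.g. 404 or 500: inspect by hand
    esac
}

# method_ok METHOD CODE: succeed if the verdict matches the assumed policy.
method_ok() {
    case "$1" in
        GET|POST) [ "$(classify_status "$2")" = "allowed" ] ;;
        *)        [ "$(classify_status "$2")" = "blocked" ] ;;
    esac
}

# probe_method METHOD URL: send one request and print only the status code.
probe_method() {
    curl -s -o /dev/null -m 10 -X "$1" -w '%{http_code}' "$2" || true
}

# check_policy URL: probe every method; return non-zero on any mismatch.
check_policy() {
    rc=0
    for m in GET POST PUT DELETE OPTIONS TRACE; do
        code=$(probe_method "$m" "$1")
        if method_ok "$m" "$code"; then result=ok; else result=MISMATCH; rc=1; fi
        echo "$m -> ${code:-000} ($(classify_status "${code:-000}")) $result"
    done
    return "$rc"
}

# Runs only when a URL is given, e.g.: sh check_methods.sh http://localhost:8080/app/
case "${1:-}" in
    http://*|https://*) check_policy "$1" ;;
esac
```

Point it at a URL whose servlet handles both GET and POST; otherwise a 405 on POST is reported as a mismatch even though the constraint is working.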
     
    • Post Reply
    • Bookmark Topic Watch Topic
    • New Topic