Disabling Servlet HTTP methods PUT,GET,POST,DELETE,TRACE and to check they are working or not

Pawan Salwan
Greenhorn

Joined: Nov 22, 2012
Posts: 4
I am working on an application which allows all HTTP methods. Now we have a requirement of disabling the HTTP methods PUT, DELETE, TRACE and allowing only POST and GET, keeping security in mind. I have googled and got the following:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- empty auth-constraint: no role may use the methods listed above -->
  <auth-constraint />
</security-constraint>

Above is the code used in web.xml, as I am using Tomcat. I have put the code in there; I want to know how I should test if it's working or not. Please help on tracking this issue.
N Sahni
Ranch Hand

Joined: Jul 07, 2011
Posts: 55

Hi Pawan,

Welcome to the Ranch

To test various HTTP methods (GET, POST, PUT, DELETE, HEAD, OPTIONS, and TRACE), you can use Apache Commons HTTP Client.
For this you'll have to create a standalone Java client which can utilize the different HTTP methods available with Apache HTTP Client to simulate different HTTP requests.


Thanks and Regards,
Nilesh Sahni | nsahni@infocepts.com | www.infocepts.com
Pawan Salwan
Greenhorn

Joined: Nov 22, 2012
Posts: 4
Hi Nilesh,

Thanks for replying. Yeah, what you mentioned is an option, but I want to know: do we have any open source tool to test, or I can say scan, the Tomcat to check whether these methods are working after disabling them in Tomcat's web.xml? If you have any idea about that, it will be very helpful.
N Sahni
Ranch Hand

Joined: Jul 07, 2011
Posts: 55

There are some tools available:

  • For Windows:
      • WFetch
  • For Linux:
      • use curl

Pawan Salwan
Greenhorn

Joined: Nov 22, 2012
Posts: 4

N Sahni wrote:
There are some tools available:

  • For Windows:
      • WFetch
  • For Linux:
      • use curl


I have tried curl from the command line, but I did not get any command that helps us to test these conditions; there are GET and POST commands. I also disabled TRACE in the web.xml, but when I run the curl command for trace, like curl -trace trace.txt, this command is still working; however, as per the constraint it should not work. Maybe I was doing something wrong. If you have any idea about this, it will be very helpful.

Regards,
Pawan Salwan
N Sahni
Ranch Hand

Joined: Jul 07, 2011
Posts: 55

Pawan Salwan wrote:
I have tried curl from the command line, but I did not get any command that helps us to test these conditions; there are GET and POST commands.

Below are some samples for the curl command:

  • GET: curl -HAccept:text/plain http://example.com/base
  • DELETE: curl -XDELETE http://example.com/base/user/123
  • POST: curl -d "param1=value1&param2=value2" http://example.com/base/

curl -X is used to specify a custom HTTP request method. Please refer to the curl manual page.
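
Added example, not part of the thread and not any poster's code: a shell script that sends each method with curl -X and compares the status code with the policy discussed here (only GET and POST allowed). Treating 403, 405 and 501 as "blocked", the function names and the sample status codes are assumptions of this example; the target URL is passed as the first argument.

```shell
#!/bin/sh
# Added example: verify that a web.xml method restriction is enforced.
# Policy assumed from the thread: only GET and POST may succeed.

# Map an HTTP status code to a verdict (the mapping is this example's assumption).
verdict() {
  case "$1" in
    2??)         echo ALLOWED ;;   # the method was processed
    403|405|501) echo BLOCKED ;;   # forbidden / not allowed / not implemented
    *)           echo CHECK ;;     # redirect, 401, 404, no response: inspect by hand
  esac
}

# What the policy expects for each method.
expected_for() {
  case "$1" in
    GET|POST) echo ALLOWED ;;
    *)        echo BLOCKED ;;
  esac
}

# Compare one observed status code with the policy.
evaluate() {  # usage: evaluate METHOD STATUS
  if [ "$(verdict "$2")" = "$(expected_for "$1")" ]; then echo PASS; else echo FAIL; fi
}

# Send one request with the given method and print only the status code.
# -X sets the request method; --trace is an unrelated debug-logging option.
probe() {  # usage: probe METHOD URL
  curl -s -o /dev/null -w '%{http_code}' -X "$1" "$2"
}

# Probe every method against a URL and print one result line per method.
check_url() {
  for m in GET POST PUT DELETE OPTIONS TRACE; do
    code=$(probe "$m" "$1") || code=000   # 000 = curl got no HTTP response
    echo "$m $code $(evaluate "$m" "$code")"
  done
}

if [ $# -ge 1 ]; then
  check_url "$1"   # URL of your own deployment, supplied by the caller
else
  # Constructed sample results, used when no URL is given (PUT:201 shows a failure).
  for pair in GET:200 POST:200 PUT:403 DELETE:403 OPTIONS:403 TRACE:405 PUT:201; do
    echo "${pair%%:*} ${pair##*:} $(evaluate "${pair%%:*}" "${pair##*:}")"
  done
fi
```

Any line reported as FAIL or with a CHECK-class status (for example a redirect or 404) should be looked at with curl -v -X METHOD URL to see the full response.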
     
     