
Disabling Servlet HTTP methods PUT, GET, POST, DELETE, TRACE and how to check whether they are working or not

 
Greenhorn
Posts: 4
I am working on an application which allows all HTTP methods. Now we have a requirement of disabling the HTTP methods PUT, DELETE, TRACE and allowing only POST and GET, keeping security in mind. I have googled and got the following:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- empty auth-constraint: no role may use the methods listed above -->
    <auth-constraint />
</security-constraint>

Above is the code used in web.xml, as I am using Tomcat. I have put the code in there; I want to know how I should test whether it's working or not. Please help on tracking this issue.
 
Ranch Hand
Posts: 55
Spring Java
Hi Pawan,

Welcome to the Ranch

To test various HTTP methods (GET, POST, PUT, DELETE, HEAD, OPTIONS, and TRACE), you can use Apache Commons HTTP Client.
For this you'll have to create a standalone Java client which can utilize the different HTTP methods available with Apache HTTP Client to simulate different HTTP requests.
 
Pawan Salwan
Greenhorn
Posts: 4
Hi Nilesh,

Thanks for replying. Yeah, what you mentioned is an option, but I want to know: do we have any open source tool to test, or I can say scan, the Tomcat to check whether these methods are working after disabling them in Tomcat's web.xml? If you have any idea about that, it will be very helpful.
 
N Sahni
Ranch Hand
Posts: 55
Spring Java
There are some tools available:

  • For Windows: WFetch
  • For Linux: use curl
     
    Pawan Salwan
    Greenhorn
    Posts: 4

    N Sahni wrote: There are some tools available:

  • For Windows: WFetch
  • For Linux: use curl



    I have tried curl from the command line, but I did not get any command that helps us to test these conditions; there are GET and POST commands. I also disabled TRACE in the web.xml, but when I run the curl command for trace, like curl -trace trace.txt, this command is still working; however, as per the constraint it should not work. Maybe I was doing something wrong. If you have any idea about this, it will be very helpful.


    Regards,
    Pawan Salwan
     
    N Sahni
    Ranch Hand
    Posts: 55
    Spring Java

    I have tried curl from the command line, but I did not get any command that helps us to test these conditions; there are GET and POST commands.



    Below are some samples for the curl command:
  • GET: curl -HAccept:text/plain http://example.com/base
  • DELETE: curl -XDELETE http://example.com/base/user/123
  • POST: curl -d "param1=value1&param2=value2" http://example.com/base/

  • curl -X is used to specify a custom HTTP request method. Please refer to the curl manual page.
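
A check for the restriction discussed in this thread, added here as an example and not posted by any participant: it sends each method with curl -X and compares the status code with the policy from the first post (GET and POST allowed; PUT, DELETE, OPTIONS, TRACE refused). The function names, the status-code grouping in classify and the placeholder URL are assumptions.

```shell
#!/bin/sh
# Added example: verify a web.xml method restriction with curl.
# Usage: sh check_methods.sh http://example.com/base/   (placeholder URL)

# Policy from the first post: methods to keep, and those listed in the constraint.
ALLOWED="GET POST"
DENIED="PUT DELETE OPTIONS TRACE"

# probe METHOD URL -> prints the HTTP status code (000 if the connection failed).
# -X sets the request method. --trace only writes curl's own debug log of the
# transfer; it does not send an HTTP TRACE request.
probe() {
    curl -s -o /dev/null --max-time 10 -X "$1" -w '%{http_code}' "$2"
}

# classify STATUS -> blocked | allowed | unreachable | review (assumed grouping)
classify() {
    case "$1" in
        401|403|405|501) echo blocked ;;     # refused by constraint or container
        2??|3??)         echo allowed ;;
        000)             echo unreachable ;;
        *)               echo review ;;      # e.g. 404 or 500: inspect by hand
    esac
}

# audit URL -> one line per method; returns 1 if any result differs from the policy.
audit() {
    rc=0
    for m in $ALLOWED $DENIED; do
        case " $ALLOWED " in *" $m "*) want=allowed ;; *) want=blocked ;; esac
        code=$(probe "$m" "$1") || code=${code:-000}
        got=$(classify "$code")
        if [ "$got" = "$want" ]; then flag=ok; else flag=MISMATCH; rc=1; fi
        printf '%-8s %s %-11s expected=%-8s %s\n' "$m" "$code" "$got" "$want" "$flag"
    done
    return "$rc"
}

# Run only when a URL is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

A MISMATCH on GET or POST can also mean the URL under test has no handler for that method, so point the script at a path the application actually serves.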
     