Disabling HTTP methods in TIBCO Administrator Tomcat

Title: Disabling HTTP methods in Administrator Tomcat.
Description: To restrict the response to specific HTTP Methods such as OPTIONS, PUT, DELETE, CONNECT and TRACE, Tomcat can be configured to not respond to any of these HTTP Methods.
Environment: All (Linux, Windows)
Resolution: This can be configured at the instance level by inserting a <security-constraint> element directly under the <web-app> element in the installation’s web.xml file located at: [tomcatinstallation]/conf/web.xml

Below is the added configuration.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>TRACE</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

The configuration above will disable the HTTP methods TRACE, PUT, OPTIONS and DELETE for every URL of the web application: the empty <auth-constraint /> grants access to no role, so Tomcat answers those methods with 403 Forbidden for all users. Specifically for TRACE, open Tibco_home/administrator/domain<domain_name>/tomcat/conf/server.xml and set allowTrace="false" on the HTTP Connector used by the admin server. After this attribute is set, restart the admin server.
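As an added check (not part of the original post), the script below parses a web.xml and a server.xml offline and reports whether the constraint above is actually in place: it only counts a security-constraint that covers url-pattern /* and carries an empty auth-constraint, and it verifies that no Connector sets allowTrace="true". The sample XML it runs against is constructed here, not copied from a real installation.

```python
import xml.etree.ElementTree as ET

# Methods the configuration above is meant to disable.
EXPECTED_BLOCKED = {"TRACE", "PUT", "OPTIONS", "DELETE"}

def _local(tag):
    """Strip the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def blocked_methods(web_xml_text):
    """Return the HTTP methods denied for every URL (url-pattern /*) by a
    security-constraint whose empty <auth-constraint/> grants access to no role."""
    blocked = set()
    for sc in _children(ET.fromstring(web_xml_text), "security-constraint"):
        auth = _children(sc, "auth-constraint")
        # No auth-constraint permits everyone; one listing role-names permits those roles.
        if not auth or _children(auth[0], "role-name"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            patterns = {p.text.strip() for p in _children(wrc, "url-pattern") if p.text}
            if "/*" in patterns:
                blocked.update(m.text.strip().upper() for m in _children(wrc, "http-method") if m.text)
    return blocked

def trace_disabled_on_connectors(server_xml_text):
    """True when no Connector in server.xml enables TRACE (Tomcat's allowTrace defaults to false)."""
    root = ET.fromstring(server_xml_text)
    connectors = [c for c in root.iter() if _local(c.tag) == "Connector"]
    return all(c.get("allowTrace", "false").lower() == "false" for c in connectors)

# Constructed sample files for a stand-alone run, not copied from a real installation.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""
SAMPLE_SERVER_XML = '<Server><Service><Connector port="8080" allowTrace="false"/></Service></Server>'

if __name__ == "__main__":
    print("still allowed:", sorted(EXPECTED_BLOCKED - blocked_methods(SAMPLE_WEB_XML)))
```

Point the two functions at the real conf/web.xml and server.xml paths from the text to check a deployed instance.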
