
How to explicitly block HTTP method PUT or DELETE from Tomcat


Article ID: 16115


Products

CA Service Catalog

Issue/Introduction

CA Service Catalog runs on an embedded Tomcat web server. The HTTP methods PUT, DELETE and OPTIONS (and TRACE) are not needed by the Catalog web application and are routinely flagged as unsafe by vulnerability scanners, so they need to be blocked.

How can the unsafe HTTP methods PUT, DELETE and OPTIONS be explicitly blocked in the Tomcat instance used by Service Catalog?

Environment

CA Service Catalog 12.9, 14.1 and 17.x

Resolution

To check whether the Tomcat instance already blocks PUT or DELETE, refer to the following KB article: Check whether HTTP method PUT or DELETE from Tomcat is blocked or not
 
In case it is not blocked, perform the following steps:
 
1.  On each Service Catalog server, make a backup copy of web.xml in the USM_HOME\view\webapps\usm\WEB-INF directory.
2.  Edit web.xml with a text editor and add the <security-constraint> block shown below, placed after <absolute-ordering /> and before the first <context-param> element (the surrounding lines are shown only for context):
 
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" metadata-complete="true">

    <display-name>CA Service View</display-name>
    <distributable />
    <absolute-ordering />

    <!-- Added block: deny TRACE, PUT, DELETE and OPTIONS on every URL of the application.
         The empty <auth-constraint /> means no role is permitted, so Tomcat answers
         403 Forbidden for these methods instead of passing them to the web application. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>TRACE</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>

    <context-param>
        <param-name>slcmContextConfigLocation</param-name>
        <!-- remainder of web.xml unchanged -->

3.  Save the file and restart the Service Catalog service for the change to take effect. After the restart, a PUT, DELETE, OPTIONS or TRACE request to any URL of the application should be answered with HTTP 403 Forbidden, while GET and POST continue to work.

Notes: the constraint only lists the methods to deny, so newer Tomcat versions may log a startup message that for URL pattern [/*] only the listed methods are covered; that is expected here. Blocking OPTIONS also blocks CORS preflight requests, so if browser clients on another origin call the Catalog web application, OPTIONS must be left out of the list. TRACE is additionally disabled at the connector level by Tomcat's default of allowTrace="false", so listing it in web.xml is defence in depth rather than the only control.
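As an added example (not part of this KB article or of CA Service Catalog), the following Python script audits a web.xml for the deny-all constraint described above and inserts it when it is missing, so the edit can be verified or applied consistently on several Catalog servers; it also includes a live probe that reports the status code per method against a running instance. The sample web.xml is constructed for the example, and the probe's default path /usm/ is an assumption based on the webapps\usm directory name.

```python
"""Audit a Tomcat web.xml for the 'restricted methods' constraint and add it
when absent; optionally probe a running server. Added example, not CA code."""
import http.client
import xml.etree.ElementTree as ET

JEE = "http://java.sun.com/xml/ns/javaee"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
# Keep the default namespace and the xsi prefix when serialising, so the
# rewritten file still looks like the one the product shipped with.
ET.register_namespace("", JEE)
ET.register_namespace("xsi", XSI)

UNSAFE_METHODS = frozenset({"TRACE", "PUT", "DELETE", "OPTIONS"})

# Constructed sample: the top of a Catalog web.xml before the fix (no constraint).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    metadata-complete="true">
    <display-name>CA Service View</display-name>
    <distributable />
    <absolute-ordering />
</web-app>
"""


def _q(tag):
    """Clark-notation name for an element in the Java EE namespace."""
    return "{%s}%s" % (JEE, tag)


def denied_methods(web_xml):
    """Methods denied for every URL: listed under a url-pattern of /* inside a
    constraint whose <auth-constraint> names no role (i.e. deny all callers)."""
    root = ET.fromstring(web_xml.encode("utf-8"))
    denied = set()
    for sc in root.findall(_q("security-constraint")):
        auth = sc.find(_q("auth-constraint"))
        # No auth-constraint = unrestricted; a role-name = only that role may call.
        if auth is None or auth.find(_q("role-name")) is not None:
            continue
        for wrc in sc.findall(_q("web-resource-collection")):
            patterns = {p.text.strip() for p in wrc.findall(_q("url-pattern")) if p.text}
            if "/*" not in patterns:
                continue
            for m in wrc.findall(_q("http-method")):
                if m.text:
                    denied.add(m.text.strip().upper())
    return denied


def missing_methods(web_xml, required=UNSAFE_METHODS):
    """Which of the required methods the file does not yet block."""
    return set(required) - denied_methods(web_xml)


def add_restriction(web_xml, methods=UNSAFE_METHODS):
    """Return web.xml text with the KB's constraint inserted directly after
    <absolute-ordering /> (or as the first child if that element is absent)."""
    root = ET.fromstring(web_xml.encode("utf-8"))
    sc = ET.Element(_q("security-constraint"))
    wrc = ET.SubElement(sc, _q("web-resource-collection"))
    ET.SubElement(wrc, _q("web-resource-name")).text = "restricted methods"
    ET.SubElement(wrc, _q("url-pattern")).text = "/*"
    for method in sorted(methods):
        ET.SubElement(wrc, _q("http-method")).text = method
    ET.SubElement(sc, _q("auth-constraint"))  # empty on purpose: deny all roles
    position = 0
    for i, child in enumerate(list(root)):
        if child.tag == _q("absolute-ordering"):
            position = i + 1
            break
    root.insert(position, sc)
    return ET.tostring(root, encoding="unicode")


def probe(host, port=8080, path="/usm/", methods=UNSAFE_METHODS, timeout=5):
    """Live check (not exercised offline): status code per method against a
    running instance; after the fix each should be 403. /usm/ is an assumption."""
    results = {}
    for method in sorted(methods):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            results[method] = conn.getresponse().status
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    print("missing before fix:", sorted(missing_methods(SAMPLE_WEB_XML)))
    fixed = add_restriction(SAMPLE_WEB_XML)
    print("missing after fix: ", sorted(missing_methods(fixed)))
```

The audit deliberately ignores constraints whose auth-constraint names a role: those restrict the method to that role rather than blocking it, which is a common way an audit gives a false pass. Note that ElementTree drops XML comments and the declaration on rewrite, so compare the output against the backup before replacing the production file.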

Additional Information

http://grokbase.com/t/tomcat/users/141q2zgg6f/deny-put-delete

http://grokbase.com/t/tomcat/users/105d8xv907/restrict-http-methods