
How to explicitly block HTTP method PUT or DELETE from Tomcat


Article ID: 16115




CA Service Catalog


Service Catalog uses a Tomcat web server. The HTTP methods PUT and DELETE are unsafe and need to be blocked.

How do you explicitly block the unsafe HTTP methods PUT, DELETE and OPTIONS in the Tomcat used by Service Catalog?


CA Service Catalog 12.9, 14.1 and 17.x


To check whether the Tomcat HTTP methods PUT or DELETE are blocked, refer to the following KB article: Check whether HTTP method PUT or DELETE from Tomcat is blocked or not
If they are not blocked, perform the following steps:
1.  On the Service Catalog server(s), make a backup copy of web.xml in the USM_HOME\view\webapps\usm\WEB-INF directory
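2.  Edit the web.xml file with a text editor and add the security-constraint block (the lines from <security-constraint> to </security-constraint>) after the <absolute-ordering /> element, as shown:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="" xmlns:xsi=""
xsi:schemaLocation="" metadata-complete="true">
<display-name>CA Service View</display-name>
<distributable />
<absolute-ordering />
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern> <!-- assumed scope: every URL of the application -->
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>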
3.  Save changes and recycle the Service Catalog service for the change to take effect
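
One way to confirm the edit from step 2 before recycling the service, as an added example that is not part of the original article or of the product's tooling: the Python script below parses a web.xml and reports which of PUT, DELETE and OPTIONS are not denied by a security-constraint with an empty auth-constraint. The function names and the sample XML are constructed for illustration, and only explicitly listed http-method elements on the /* pattern are considered.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Servlet 3.0 web.xml carrying the constraint from step 2.
SAMPLE_WEB_XML = """<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
  <display-name>CA Service View</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def denied_methods(web_xml_text, url_pattern="/*"):
    """Return the explicitly listed HTTP methods denied to every caller on url_pattern."""
    denied = set()
    root = ET.fromstring(web_xml_text)
    for sc in (e for e in root if _local(e.tag) == "security-constraint"):
        auth = [e for e in sc if _local(e.tag) == "auth-constraint"]
        # Only an auth-constraint with no role-name children denies everyone;
        # a constraint with no auth-constraint at all restricts nothing.
        if not auth or any(_local(c.tag) == "role-name" for a in auth for c in a):
            continue
        for wrc in (e for e in sc if _local(e.tag) == "web-resource-collection"):
            items = [(_local(c.tag), (c.text or "").strip()) for c in wrc]
            if ("url-pattern", url_pattern) in items:
                denied.update(v.upper() for t, v in items if t == "http-method")
    return denied


def missing_blocks(web_xml_text, required=("PUT", "DELETE", "OPTIONS")):
    """Return the required methods that are not denied, sorted."""
    return sorted(set(required) - denied_methods(web_xml_text))


if __name__ == "__main__":
    print("not blocked:", missing_blocks(SAMPLE_WEB_XML) or "none")
```

To check the real file, read USM_HOME\view\webapps\usm\WEB-INF\web.xml as text and pass its contents to missing_blocks; an empty list means all three methods are covered by a deny-all constraint.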
