TRACE DELETE POST OPTIONS PUT are uncovered Web Viewer 14.0

book

Article ID: 206046

calendar_today

Updated On:

Products

CA Output Management Web Viewer

Issue/Introduction

I have applied SO13818 WEB VIEWER: DEFAULT NAME FOR PRODUCT WAR FILE CHANGED and after logging into Web Viewer, the following messages are displayed in the Web Viewer STC log:

SEVERE: For security constraints with URL pattern "/*"  the HTTP methods "TRACE DELETE POST OPTIONS PUT¨ are uncovered.

SEVERE: For security constraints with URL pattern "/api/*" only the HTTP methods "HEAD DELETE POST GET OPTIONS PUT¨ are covered. All other methods are uncovered

SEVERE: For security constraints with URL pattern "/v1/*" only the HTTP methods "HEAD DELETE POST GET OPTIONS PUT¨ are covered. All other methods are uncovered

How to correct these message using a HTTP connection?

Environment

Release : 14.0

Component : CA Output Management Web Viewer

Resolution

The login failure is most likely due to the changes that were made to the Web Viewer web.xml file (webapps/web-viewer/WEB-INF/web.xml). We believe the http-methods were removed for the SEVERE messages on /api/* and /v1/*.

When the CCS Tomcat 9.0.14 security-constraint was added to the Tomcat web.xml file (conf/web.xml) those calls were blocked.

Rather than removing the http-methods, the webapps/web-viewer/WEB-INF/web.xml file should have two security-constraint sections.

In webapps/web-viewer/WEB-INF/web.xml:

<!-- Security constraints to allow necessary operations for relevant endpoints -->

  <security-constraint>

    <web-resource-collection>

      <web-resource-name>REST Security</web-resource-name>

      <url-pattern>/api/*</url-pattern>

      <url-pattern>/v1/*</url-pattern>

      <http-method>GET</http-method>

      <http-method>HEAD</http-method>

      <http-method>POST</http-method>

      <http-method>PUT</http-method>

      <http-method>DELETE</http-method>

      <http-method>OPTIONS</http-method>

    </web-resource-collection>

  </security-constraint>

 

  <!-- Security constraints to prevent operations for non-relevant endpoints -->

  <security-constraint>

    <web-resource-collection>

      <web-resource-name>REST Restricted</web-resource-name>

      <url-pattern>/api/*</url-pattern>

      <url-pattern>/v1/*</url-pattern>

      <http-method-omission>GET</http-method-omission>

      <http-method-omission>HEAD</http-method-omission>

      <http-method-omission>POST</http-method-omission>

      <http-method-omission>PUT</http-method-omission>

      <http-method-omission>DELETE</http-method-omission>

      <http-method-omission>OPTIONS</http-method-omission>

    </web-resource-collection>

    <auth-constraint />

  </security-constraint>

With all four of these security constraints active (the two in conf/web.xml and the two in webapps/web-viewer/WEB-INF/web.xml) we were able to start the server here with no SEVERE security constraint messages and login successfully.