Customizing HTTP responses and status codes when an HTTP method is not allowed
search cancel

Customizing HTTP responses and status codes when an HTTP method is not allowed


Article ID: 43366


Updated On:


STARTER PACK-7 CA Rapid App Security CA API Gateway



Customizing HTTP responses and status codes when an HTTP method is not allowed


As of version 8.2.00, the Gateway will return an HTTP 500 Internal Server Error when an inbound request does not adhere to the HTTP method whitelist. Development incident SSG-9565 was opened to address this deficiency and the attached policy was created by the CA API Gateway support team as an interim workaround pending future resolution of this issue. 

This policy fragment will perform a JDBC query against the local Gateway cluster's database for information on the acceptable HTTP methods for a particular service. A whitelist of acceptable methods will be stored in the Gateway application's caching implementation. The policy will validate the HTTP method of inbound request against the whitelist and adjudicate the request message accordingly. If the request message does not adhere to the whitelist then a customized HTTP error status and response will be transmitted to the service consumer


This policy should be deployed in a message-received global policy fragment. This policy fragment ensures that the default process for inspecting the HTTP method is bypassed. There are two assertions that should be modified by an administrator or policy author:

  • The Set Context Variable assertion on line #2.
  • The Customize Error Response assertion on line #18

Perform the following procedure to publish this policy fragment

  1. Log in to the Policy Manager as an administrative user
  2. Right-click the root folder in the Services and Policies window
  3. Select Create Policy
  4. Select Global Policy Fragment from the Policy Type drop-down box
  5. Select message-received from the Policy Tag drop-down box
  6. Specify a name in the Name text field
  7. Import the attached policy fragment httpMethodErrorHandling.xml

 The policy will require an existing JDBC connection to the local Gateway. If one does not exist then the Resolve External Dependencies Wizard will appear. If a JDBC connection needs to be created then proceed through that wizard as follows:

  1. ?Select the Change assertions to use this JDBC connection radio button
  2. Click the Create JDBC Connection button
  3. Click OK to accept the default settings
  4. Click Finish to import the dependency
  5. Save the policy and exit


Component: APIGTW

Attachments get_app