List:       tomcat-user
Subject:    Disabling OPTIONS HTTP method with * path
From:       Oleg Frenkel <ofrenkel () sscinc ! com>
Date:       2024-04-30 18:56:06
Message-ID: MN2PR14MB308506CCDA9A9E1D8ED45BBCA01A2 () MN2PR14MB3085 ! namprd14 ! prod ! outlook ! com


This issue exists in 9.0.88 and 10.1.23.

I am looking to disable the following HTTP request (note 'OPTIONS *' in the request):

$ curl -v --request-target "*" -X OPTIONS http://<host>:<port>
* Rebuilt URL to: <host>:<port>/
*   Trying <ip>...
* TCP_NODELAY set
* Connected to <host> (<ip>) port <port> (#0)
> OPTIONS * HTTP/1.1
> Host: <host>:<port>
> User-Agent: curl/7.61.1
> Accept: */*

I don't seem to be able to disable this OPTIONS request in Tomcat.

The following configuration doesn't work either:

    <deny-uncovered-http-methods />

    <!-- The below configuration permits only GET and POST HTTP methods -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Available HTTP methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
    </security-constraint>

The above section properly disables OPTIONS requests to the '/' path, but not to the '*' path. In fact, the Tomcat response is that all methods are allowed:

$ curl -v --request-target "*" -X OPTIONS http://<host>:<port>
* Rebuilt URL to: http://<host>:<port>/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying <ip>...
* TCP_NODELAY set
* Connected to <host> (<ip>) port <port> (#0)
> OPTIONS * HTTP/1.1
> Host: <host>:<port>
> User-Agent: curl/7.61.1
> Accept: */*
> 
< HTTP/1.1 200
< Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
< Content-Length: 0
< Date: Tue, 30 Apr 2024 18:49:07 GMT
<
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host <host> left intact

Note that it is impossible to put '*' as a URL pattern - Tomcat fails to start, complaining that '*' is not a valid url pattern.

Please confirm if this is a bug in Tomcat or if I am missing something in Tomcat configuration.

Thanks,
Oleg Frenkel
SS&C Technologies Inc
Lead Software Engineer
ofrenkel@sscinc.com | www.ssctech.com
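
An added check, not part of the original message: a POSIX shell helper that reads an HTTP response and reports the methods in its Allow header that fall outside a given allowlist, so the responses to 'OPTIONS *' and 'OPTIONS /' can be compared against the GET/POST constraint shown above. The function names are this example's own, and the sample response is constructed from the transcript in the message.

```shell
#!/bin/sh
# Added example: audit the Allow header of an HTTP response against an allowlist.
# Live use (host and port are placeholders, as in the message):
#   curl -s -i --request-target "*" -X OPTIONS "http://<host>:<port>" | check_allow "GET POST"

# extra_methods ALLOWLIST: read a response on stdin and print, space separated,
# every method in its Allow header that is not in ALLOWLIST.
# Tolerates CRLF line endings and the "< " prefix of curl -v output.
extra_methods() {
    tr -d '\r' | sed 's/^< //' | awk -v permitted="$1" '
        BEGIN {
            n = split(permitted, p, /[ ,]+/)
            for (i = 1; i <= n; i++) ok[toupper(p[i])] = 1
        }
        tolower($0) ~ /^allow:/ {
            sub(/^[^:]*:[ \t]*/, "")      # drop the header name
            sub(/[ \t]+$/, "")            # drop trailing whitespace
            m = split($0, a, /[ \t]*,[ \t]*/)
            for (i = 1; i <= m; i++) {
                meth = toupper(a[i])
                if (meth != "" && !(meth in ok))
                    out = (out == "" ? "" : out " ") meth
            }
        }
        END { print out }'
}

# check_allow ALLOWLIST: exit status 0 if the response advertises nothing outside
# ALLOWLIST (a response with no Allow header also passes), 1 otherwise.
check_allow() {
    extra=$(extra_methods "$1")
    [ -z "$extra" ] && return 0
    echo "not in allowlist: $extra"
    return 1
}

# Constructed sample: the 'OPTIONS *' response headers from the transcript above.
sample_response() {
    cat <<'EOF'
< HTTP/1.1 200
< Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
< Content-Length: 0
EOF
}

sample_response | check_allow "GET POST" || echo "Allow header is wider than the allowlist"
```
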
