List: tomcat-user
Subject: Re: [EXTERNAL] Disabling OPTIONS HTTP method with * path
From: Joey Cochran <Joey.Cochran () mtsu ! edu>
Date: 2024-04-30 19:53:00
Message-ID: BN8PR02MB5778C15554FFB12D096B62B6F21A2 () BN8PR02MB5778 ! namprd02 ! prod ! outlook ! com
From: Oleg Frenkel <ofrenkel@sscinc.com>
Sent: Tuesday, April 30, 2024 1:56 PM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: [EXTERNAL] Disabling OPTIONS HTTP method with * path
This issue exists in 9.0.88 and 10.1.23.
I am looking to disable the following HTTP request (note 'OPTIONS *' in the request):
$ curl -v --request-target "*" -X OPTIONS http://<host>:<port>
* Rebuilt URL to: <host>:<port>/
*   Trying <ip>...
* TCP_NODELAY set
* Connected to <host> (<ip>) port <port> (#0)
> OPTIONS * HTTP/1.1
> Host: <host>:<port>
> User-Agent: curl/7.61.1
> Accept: */*
I don't seem to be able to disable this OPTIONS request in Tomcat.
Perhaps a CorsFilter setup can help?
The following configuration doesn't work either:
<deny-uncovered-http-methods />
<!-- The below configuration permits only GET and POST HTTP methods -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Available HTTP methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
</security-constraint>
The above section properly disables OPTIONS request to '/' path, but not to '*' path. In fact, the Tomcat response is that all methods are allowed:
$ curl -v --request-target "*" -X OPTIONS http://<host>:<port>
* Rebuilt URL to: http://<host>:<port>/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying <ip>...
* TCP_NODELAY set
* Connected to <host> (<ip>) port <port> (#0)
> OPTIONS * HTTP/1.1
> Host: <host>:<port>
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200
< Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
< Content-Length: 0
< Date: Tue, 30 Apr 2024 18:49:07 GMT
<
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host <host> left intact
Note that it is impossible to put '*' as URL pattern - Tomcat fails to start complaining that '*' is not a valid url pattern.
Please confirm if this is a bug in Tomcat or if I am missing something in Tomcat configuration.
Thanks,
Oleg Frenkel
SS&C Technologies Inc
Lead Software Engineer
ofrenkel@sscinc.com | www.ssctech.com
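A way to check a deployment for exactly the behaviour reported in this message, as an added example that is not part of the thread and not Tomcat code: the probe sends the same asterisk-form `OPTIONS *` request that curl's `--request-target "*"` emits, over a raw socket (ordinary HTTP client libraries build the request-target from a path and cannot emit the bare `*`), parses the status line and `Allow` header, and reports every method advertised beyond the ones the web.xml quoted above is meant to permit (GET and POST). The mock server, the loopback host and ephemeral port, and the function names are constructed for the example; the `Allow` value the mock returns copies the one shown in the curl output above.

```python
"""Probe a server for the asterisk-form OPTIONS request discussed in the thread.

Constructed example: the mock server, host/port values and function names are
assumptions for illustration, not Tomcat code.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods the web.xml security-constraint quoted in the thread is meant to permit.
EXPECTED_METHODS = frozenset({"GET", "POST"})


def send_options_star(host, port, timeout=5.0):
    """Send 'OPTIONS * HTTP/1.1' exactly as curl --request-target "*" does.

    A raw socket is used because common HTTP client libraries build the
    request-target from a path and cannot emit the bare asterisk form.
    Returns (status_code, headers) with header names lower-cased.
    """
    request = (
        "OPTIONS * HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "User-Agent: options-star-probe\r\n"
        "Accept: */*\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        # Read until the end of the header block; the response in the thread has no body.
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status_parts = lines[0].split(" ", 2)
    if len(status_parts) < 2 or not status_parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(status_parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_allow(header_value):
    """Turn 'GET, HEAD, POST' into {'GET', 'HEAD', 'POST'}."""
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def unexpected_methods(host, port, expected=EXPECTED_METHODS):
    """Methods advertised for 'OPTIONS *' beyond the expected set.

    An empty set means either nothing extra is advertised or the server did not
    answer 'OPTIONS *' with a 200 and an Allow header at all.
    """
    status, headers = send_options_star(host, port)
    if status != 200 or "allow" not in headers:
        return set()
    return parse_allow(headers["allow"]) - set(expected)


class _AllowAllHandler(BaseHTTPRequestHandler):
    """Constructed stand-in that answers 'OPTIONS *' the way the thread shows."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_server():
    """Start the stand-in on an ephemeral loopback port; returns the server."""
    server = HTTPServer(("127.0.0.1", 0), _AllowAllHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    mock = start_mock_server()
    mock_port = mock.server_address[1]
    extra = unexpected_methods("127.0.0.1", mock_port)
    print("advertised beyond GET/POST:", sorted(extra))
    mock.shutdown()
```

Pointed at a real Tomcat host and port instead of the mock, a non-empty result means the `security-constraint` in web.xml is not governing the `*` request-target, which is the situation the message reports; the probe only observes that, it does not say why, and it is equally usable for confirming that a fix at the front (whatever layer ends up handling `OPTIONS *`) actually took effect.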