It really took me more than two hours searching over the internet just to understand how to do this simple configuration of disabled the WebDAV methods in apache tomcat 6 for all applications.
Here is how to do it:
In your apache tomcat 6 installation, simply open the file <installation_directory>/conf/web.xml for editing. Note that this web.xml file acts as a global file for all web applications and is processed before the web.xml's web application file.
At the end of the global web.xml file and just before the closing tag place the following text:
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
The above security-constraint simply denies the above WebDAV methods to be processed by tomcat and returns a forbidden message.
The <auth-constraint /> simply means: "For any user, deny access to PUT, DELETE, OPTIONS, and TRACE methods".
Here is how to do it:
In your apache tomcat 6 installation, simply open the file <installation_directory>
At the end of the global web.xml file and just before the closing tag place the following text:
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
The above security-constraint simply denies the above WebDAV methods to be processed by tomcat and returns a forbidden message.
The <auth-constraint /> simply means: "For any user, deny access to PUT, DELETE, OPTIONS, and TRACE methods".
After that, restart apache tomcat 6 using:
<installation_directory>/bin/catalina.sh stop
<installation_directory>/bin/catalina.sh start
To be able to verify that these methods are now forbidden, I used some javascript jquery code:
1. Open firefox with the firebug plugin installed
2. Open a webapplication that has jquery javascript file included within it.
3. Open firebug and select the "Console" tab from firebug
4. Write the following javascript code:
$.ajax({
type: 'DELETE',
url: "http://212.138.70.94",
data: {},
error: function() {alert('ERROR');},
success: function() {alert('SUCCESS');},
});
5. Click the Run button.
6. You should see an alert dialog with the message ERROR and a response in firebug with the following message:
"NetworkError: 403 Forbidden - http://212.138.70.94/"
7. Repeat the above for the OPTIONS, TRACE and PUT methods.
I'm sure there's a simpler way to verify it other than javascript. But I don't know how.
1 comment:
Very Helpful.
I just wanted to restrict users deleting any files and folders on Repository, so had applied the restriction on DELETE method. So users can now add files , rename files but cannot delete files.
- Thanks
Pradip
Post a Comment