Hi. I'm using Tomcat 5.5.23 on Windows XP Pro. I have a Java application that uses Spring and Acegi for security and configuration. I only want the GET, POST and HEAD HTTP methods to be allowed, so I have added the following to various web.xml files and nothing seems to work.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>DisabledMethods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>PUT</http-method>
    <http-method>TRACE</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

If I make requests to the application running at "/cp" I get a 500 error back from the app for DELETE and PUT, not the 403 I would assume. If I add GET and POST to this list then I do get a 403 error back for GET and POST, but continue to get the 500 internal server error for DELETE and PUT. And I can see that those methods were called on the application, though the servlet doesn't define methods for them.

I also added a simple index.html file at the ROOT "/" and made HTTP requests on it. I get a 403 error back for all the specified methods above. So it appears to work for ROOT "/".

I have added it to the Tomcat web.xml in <tomcat home>/conf as well as the application's WEB-INF directory. I have removed our SSL forwarding in case that is causing a problem (since GET and POST are using SSL forwarding) and I still get the same results.

Any ideas?

Thanks!

Lori Ronning
Senior Software Engineer
Translations.com
[EMAIL PROTECTED]