Resolution
Option 1 -Using RewriteValve (can apply globally)
You can use RewriteValve to disable the http methods. Take a look atdocumentation http://docs.jboss.org/jbossweb/2.1.x/rewrite.html.You will need one RewriteCond directive and one RewriteRule.
In your RewriteCond directive you could specify all methods with use of the REQUEST_METHOD servervariable, for example:
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]
then your RewriteRule can mark those as forbidden (it immediately sends back aHTTP response of 403 (FORBIDDEN)), for example:
RewriteRule .* - [F]
For EAP6:
RewriteValve can be configured asglobal valve in domain.xml or standalone.xml. You can add the
.. ..
.. ..
Option 2 - web.xml Security constraints(per WAR)
This can be done by adding security constraints to theapplication's web.xml. For example:
.. ..
.. ..
In the above example, access the following http requests DELETE, PUT, OPTIONS, POST aredisabled by default.
You can also restrict all methods other than explicitlyallowed ones by doing like:
.. ..
.. ..
See the Java ServletSpecification and also The Java EE 5Tutorial - "Declaring Security Requirements in a DeploymentDescriptor" for more information.
Option 3 -Using Apache httpd mod_rewrite in front of JBoss
If you are fronting JBoss with Apache httpd, you can alsoapply the above rewrite rules in the httpd.conf.:
For example:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]
RewriteRule .* - [F]
To verify theabove configuration:
You can use curl command to test if the configuration change iseffective: For example:
curl -v -XTRACE http://hostname:port/appContext
curl -v -XDELETE http://hostname:port/appContex