4 replies Latest Post - 2012-04-05T12:27:28Z by SystemAdmin
SmartCloudID(KirkBeaty)
3 Posts

Pinned topic How to DISABLE HTTP Delete Requests

2012-04-02T18:05:37Z
Corporate security scans report that "The HTTP method 'DELETE' is enabled" for the port 80 WebSphere sMash application that I have running. This application is a front-end which really has no use for DELETEs and should only accept GET/POST.

I have searched, but not found a way to "DISABLE DELETE" via configuration of sMash.

The Corporate security folks provide examples of disabling DELETE for other web servers but of course not sMash.

Can anyone please advise a method for doing this with sMash?

Thank you,
Kirk Beaty
Updated on 2012-04-05T12:27:28Z by SystemAdmin
  • SystemAdmin
    9224 Posts

    Re: How to DISABLE HTTP Delete Requests

    2012-04-03T13:43:12Z  in response to SmartCloudID(KirkBeaty)
    I don't believe there is a way to force all DELETE requests for all URL patterns to return '405 Method Not Allowed' with sMash.

    Our best exception claim for corporate security scanners in this case is that an HTTP DELETE will only execute Delete logic if you've implemented an onDelete() handler or, in the case of ZRM, you've delegated DELETE.
    • SmartCloudID(KirkBeaty)
      3 Posts

      Re: How to DISABLE HTTP Delete Requests

      2012-04-03T20:07:37Z  in response to SystemAdmin
      Thanks for the reply. With that as a guide, can't I accomplish the equivalent by doing this?
      Add this to zero.config of the sMash app:

      {
        "events" : ,
        "handler" : "com.ibm.cam.registrar.service.Registrar.class",
        "conditions" : "/request/method == DELETE"
      },
      And in the handler (in this case the Registrar.class) handle it with code such as this:

      public void onDELETE()
      {
          // Reject the request: HTTP_FORBIDDEN is 403
          GlobalContext.zput("/request/status", HttpURLConnection.HTTP_FORBIDDEN);
          GlobalContext.zput("/request/error/message", "Method Not Allowed.");
      }
      HTTP_FORBIDDEN is the 403 status code, so I can find 405 if that is what is needed, but the point is more whether this covers the "bases"?

      What do you think?

      Thanks!
      Kirk Beaty
  • SmartCloudID(KirkBeaty)
    3 Posts

    Re: How to DISABLE HTTP Delete Requests

    2012-04-05T02:45:15Z  in response to SmartCloudID(KirkBeaty)
    The solution seems to work. Thanks for your input.
    • SystemAdmin
      9224 Posts

      Re: How to DISABLE HTTP Delete Requests

      2012-04-05T12:27:28Z  in response to SmartCloudID(KirkBeaty)
      Glad that works, Kirk. I think there are still cases where sMash will return a 404 Not Found instead of blocking a DELETE request at the front door, but if the compliance scanner is OK with that, you should be good.