Restricting the use of HTTP methods

Some HTTP methods can reveal the internal server configuration to outsiders, which makes your web applications easier to attack. To restrict or forbid insecure or verbose HTTP methods such as OPTIONS and TRACE, you must add a security constraint to the web.xml file of your web application.

You specify the security constraint for HTTP methods in the web.xml file. The following example forbids two methods, OPTIONS and TRACE, for every URL in the application:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
Table 1. Description of the tags

Tag                  Description
<http-method>        Specifies one HTTP method that you want to restrict. Use one <http-method> element for each method.
<auth-constraint/>   An empty element, as in the example, means that no role can access the listed methods, so the methods are forbidden for every caller.
<url-pattern>        Specifies the URL pattern to which the constraint applies.

If you specify a more specific URL pattern instead of /*, the security constraint applies only to requests that match that pattern and use one of the listed HTTP methods.

Instead of forbidding the restricted methods outright, you can list specific roles inside the <auth-constraint> element so that only those roles can use them. See the following example:
<auth-constraint>
   <role-name>manager</role-name>
</auth-constraint>
With this setting, only users in the manager role can use the restricted methods; all other callers are denied.
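The following script is an added example, not part of this documentation: it parses a web.xml (a constructed sample that combines the forbidden OPTIONS/TRACE constraint above with a role-restricted one) and reports, for each <security-constraint>, which methods and URL patterns it covers and whether the outcome is forbidden, role-restricted, or unrestricted. The sample namespace and the /admin/* constraint are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml: the first constraint forbids OPTIONS/TRACE for
# every URL; the second lets only the "manager" role use DELETE under /admin/*.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method><http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin delete</web-resource-name>
      <url-pattern>/admin/*</url-pattern><http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so namespaced and bare web.xml files both work."""
    return tag.split("}", 1)[-1]


def audit_constraints(web_xml_text):
    """Return one dict per <security-constraint> with patterns, methods, roles, outcome."""
    results = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods, roles, auth = [], [], [], None
        for el in sc.iter():
            name = _local(el.tag)
            if name == "url-pattern":
                patterns.append((el.text or "").strip())
            elif name == "http-method":
                methods.append((el.text or "").strip().upper())
            elif name == "auth-constraint":
                auth = el
            elif name == "role-name":
                roles.append((el.text or "").strip())
        # Empty <auth-constraint/> denies everyone; listed roles are the only ones allowed.
        outcome = "unrestricted" if auth is None else ("roles" if roles else "forbidden")
        results.append({"patterns": patterns, "methods": methods,
                        "roles": roles, "outcome": outcome})
    return results
```

Because a constraint that names <http-method> elements covers only those methods, the report is also a quick way to see which methods a pattern does not restrict.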