www.rodneybeede.com "I would love to change the world, but they won't give me the source code" - unknown

Restricting HTTP methods in Java J2EE 6 - Last Modified 2013-01-11 20:43 UTC - Created 2013-01-11 20:43 UTC

I found a neat new feature of J2EE 6 which simplifies security configuration of applications. You can now whitelist the allowed HTTP methods in your web.xml instead of blacklisting the unwanted ones:
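	<security-constraint>
		<web-resource-collection>
			<web-resource-name>Disable unneeded HTTP methods by 403 Forbidden them</web-resource-name>
			<!-- "/*" matches every URL in the application; a bare "*" is not a path-prefix pattern in the Servlet spec -->
			<url-pattern>/*</url-pattern>
			<!-- Methods listed as omissions are exempt from this constraint; every other method is covered by it -->
			<http-method-omission>GET</http-method-omission>
			<http-method-omission>HEAD</http-method-omission>
			<http-method-omission>POST</http-method-omission>
		</web-resource-collection>
		<!-- An empty auth-constraint permits no role, so the covered methods are refused with 403 Forbidden -->
		<auth-constraint />
	</security-constraint>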
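
To see the difference between the two styles, here is an added example (not code from the original post) that audits a web.xml and reports which HTTP methods its deny-all constraints refuse. The function names and the sample XML are constructed for illustration, and as a simplification it only evaluates collections whose url-pattern is `/*`.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop a '{namespace}' prefix so namespaced web.xml files are handled too."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _texts(elem, name):
    return {(c.text or "").strip() for c in _children(elem, name)}

def denied_methods(web_xml, candidates):
    """Return the candidates that a deny-all constraint on /* refuses."""
    cand, denied = set(candidates), set()
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = _children(sc, "auth-constraint")
        # Only an auth-constraint with no role-name denies everyone (403).
        if not auth or _children(auth[0], "role-name"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            if "/*" not in _texts(wrc, "url-pattern"):
                continue  # assumption: only site-wide collections are evaluated
            listed = _texts(wrc, "http-method")
            omitted = _texts(wrc, "http-method-omission")
            if listed:      # blacklist style: only the named methods are covered
                denied |= cand & listed
            elif omitted:   # whitelist style: everything except these is covered
                denied |= cand - omitted
            else:           # no method elements: every method is covered
                denied |= cand
    return denied

def _sample(tag, methods):
    """Constructed web.xml with one deny-all constraint on /* (sample input)."""
    body = "".join(f"<{tag}>{m}</{tag}>" for m in methods)
    return ("<web-app xmlns='http://java.sun.com/xml/ns/javaee'><security-constraint>"
            "<web-resource-collection><web-resource-name>demo</web-resource-name>"
            f"<url-pattern>/*</url-pattern>{body}</web-resource-collection>"
            "<auth-constraint/></security-constraint></web-app>")

PROBES = ["GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "PATCH", "PROPFIND"]
BLACKLIST = _sample("http-method", ["PUT", "DELETE", "TRACE"])
WHITELIST = _sample("http-method-omission", ["GET", "HEAD", "POST"])

if __name__ == "__main__":
    for name, xml in (("blacklist", BLACKLIST), ("whitelist", WHITELIST)):
        still_allowed = sorted(set(PROBES) - denied_methods(xml, PROBES))
        print(f"{name}: not denied by the constraint -> {still_allowed}")
```

With the blacklist sample, OPTIONS, PATCH and PROPFIND are left uncovered because nobody listed them; with the omission-based sample only GET, HEAD and POST remain.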

Reference: https://blogs.oracle.com/nithya/entry/new_security_features_in_glassfish