From: Oleg Frenkel <ofren...@sscinc.com>
Sent: Tuesday, April 30, 2024 1:56 PM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: [EXTERNAL] Disabling OPTIONS HTTP method with * path

This issue exists in 9.0.88 and 10.1.23.

I am looking to disable the following HTTP request (note 'OPTIONS *' in the 
request):

$ curl -v --request-target "*" -X OPTIONS http://<host>:<port>
* Rebuilt URL to: <host>:<port>/
*   Trying <ip>...
* TCP_NODELAY set
* Connected to <host> (<ip>) port <port> (#0)
> OPTIONS * HTTP/1.1
> Host: <host>:<port>
> User-Agent: curl/7.61.1
> Accept: */*

I don't seem to be able to disable this OPTIONS request in Tomcat.

      Perhaps a CorsFilter setup can help?

The following configuration doesn't work either:

    <deny-uncovered-http-methods />

    <!-- The below configuration permits only GET and POST HTTP methods -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Available HTTP methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
    </security-constraint>

The above section properly disables OPTIONS requests to the '/' path, but not
to the '*' path. In fact, the Tomcat response is that all methods are allowed:

$ curl -v --request-target "*" -X OPTIONS http://<host>:<port>
* Rebuilt URL to: http://<host>:<port>/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying <ip>...
* TCP_NODELAY set
* Connected to <host> (<ip>) port <port> (#0)
> OPTIONS * HTTP/1.1
> Host: <host>:<port>
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200
< Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
< Content-Length: 0
< Date: Tue, 30 Apr 2024 18:49:07 GMT
<
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host <host> left intact

Note that it is impossible to put '*' as a URL pattern - Tomcat fails to start,
complaining that '*' is not a valid url pattern.

Please confirm if this is a bug in Tomcat or if I am missing something in 
Tomcat configuration.

Thanks,
Oleg Frenkel
SS&C Technologies Inc
Lead Software Engineer
ofren...@sscinc.com | www.ssctech.com
