users@glassfish.java.net

HTTP Protocol Configuration

From: <glassfish_at_javadesktop.org>
Date: Thu, 26 Mar 2009 12:23:53 PDT

I'm trying to disable HTTP PUT on my Glassfish v2.1 AS. The network security scanner tool I'm using detects that HTTP PUT is enabled and flags it as a vulnerability. We don't need to use PUT, so I would like to lock down the configuration and clear the vulnerability. I've done some research and testing, and here is what I found.

When configuring a Web Application that is mostly servlet based, I can add [b]Security Constraints[/b] in the [b]web.xml[/b] file. So this is what I came up with, which, put into words, says that I'm constraining HTTP PUT for all URLs without regard to authentication or users. Is that a correct interpretation?

[code]
<security-constraint>
   <display-name>Lock Down HTTP Put</display-name>
   <web-resource-collection>
      <web-resource-name>LockDownPut</web-resource-name>
      <description>Disable HTTP Put for all web resources.</description>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
   </web-resource-collection>
</security-constraint>
[/code]

Also, I found that I can include this same security constraint in the domain's [b]default-web.xml[/b] file and have it apply to all web applications on the server. Having looked through default-web.xml, I also discovered configuration for two other servlets: default and jsp. These both have configuration values to enable HTTP methods, and the comments above the actual xml elements document the options well. For the default servlet the configuration was read-only, which disables PUT and DELETE. For the jsp servlet the configuration was "ALL METHODS".

With the above knowledge I wanted to test whether I could disable HTTP PUT. My test is a simple java.net.HttpURLConnection on which I set the request method to "OPTIONS" and then print out the header information of the response (source below). When I test against my web application, the "Allow" header property does not include PUT or DELETE, but if I test against a static resource (like the URL in the source code), then all the HTTP methods are allowed. I want an HTTP OPTIONS request to not return PUT. Any ideas?

[code]
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.List;
import java.util.Map;

// Wrapper class and main() added so the snippet compiles and runs stand-alone
public class HttpOptionsTest {

   public void testHttp() {
      try {
         String type = "text/plain;charset=UTF-8";
         URL url = new URL("http://192.168.0.1:8080/");
         HttpURLConnection conn = (HttpURLConnection) url.openConnection();

         conn.setDoOutput(true);
         conn.setRequestMethod("OPTIONS");
         conn.setRequestProperty("Content-Type", type);

         // Status line of the OPTIONS response
         System.out.println(String.format("HTTP %d: %s",
               conn.getResponseCode(), conn.getResponseMessage()));

         // Dump every response header; "Allow" lists the methods the server advertises
         Map<String, List<String>> headers = conn.getHeaderFields();
         for (String header : headers.keySet()) {
            System.out.println(String.format("%s : %s",
                  header, headers.get(header)));
         }
         conn.disconnect();
      } catch (Exception e) {
         e.printStackTrace();
      }
   }

   public static void main(String[] args) {
      new HttpOptionsTest().testHttp();
   }
}
[/code]

For the record, when setting the default servlet to read-only, a direct HTTP PUT will elicit an HTTP 403 Forbidden response, so I might conclude the scanner tool is giving a false positive, but I think I can do better by not advertising HTTP PUT as an option.

Also, I am going to further investigate the default servlet, which is an instance of org.apache.catalina.servlets.DefaultServlet. It must be handling my requests to static resources, and the jsp servlet my web application's servlet (or default is forwarding to jsp, does someone know?), even though the URL pattern is "*.jspx". I suspect this because I configured jsp to allow only certain HTTP methods, and I saw only those methods advertised when I hit my servlet's URL.
[Message sent by forum member 'martin_woolstenhulme' (martin_woolstenhulme)]

http://forums.java.net/jive/thread.jspa?messageID=339199
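Two checks that go with the post above, written as an added example (not the poster's code and not part of GlassFish). The first parses a web.xml and reports, for each security-constraint, which methods it names and whether it actually denies them: under the Servlet specification a constraint with no auth-constraint element does not restrict access at all, while an empty `<auth-constraint/>` denies the listed methods to every caller, so the snippet in the post needs that one extra element to do what its display-name says. The second sends OPTIONS and then a PUT, so both what the server advertises and what it enforces are checked, which is the distinction between the scanner's finding and the 403 the poster observed. The web.xml fragment and the small loopback server (a stand-in for a read-only default servlet) are constructed fixtures, not a real deployment.

```python
"""Audit web.xml HTTP-method constraints and probe a server's OPTIONS/PUT
behaviour. Added example; all inputs below are constructed fixtures."""
import http.client
import threading
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed web.xml: the first constraint mirrors the post (no auth-constraint,
# so it permits); the second adds <auth-constraint/>, which denies to everyone.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <display-name>Lock Down HTTP Put</display-name>
    <web-resource-collection>
      <web-resource-name>LockDownPut</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <display-name>Deny PUT and DELETE</display-name>
    <web-resource-collection>
      <web-resource-name>NoWrite</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def audit_constraints(web_xml):
    """Return [(display-name, sorted methods, denies)] per security-constraint.
    denies is True only when an auth-constraint exists and names no role."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        name, methods, has_auth, has_role = "", set(), False, False
        for el in sc.iter():
            tag, text = _local(el.tag), (el.text or "").strip()
            if tag == "display-name":
                name = text
            elif tag == "http-method":
                methods.add(text.upper())
            elif tag == "auth-constraint":
                has_auth = True
            elif tag == "role-name":
                has_role = True
        findings.append((name, sorted(methods), has_auth and not has_role))
    return findings


class ReadOnlyHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a read-only default servlet: GET/HEAD/OPTIONS
    are served, PUT and DELETE get 403 and are left out of the Allow header."""
    ALLOW = "GET, HEAD, OPTIONS"

    def _reply(self, status, body=b"", allow=None):
        self.send_response(status)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200, allow=self.ALLOW)

    def do_GET(self):
        self._reply(200, b"static resource")

    def do_HEAD(self):
        self._reply(200)

    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        self._reply(403)

    do_DELETE = do_PUT

    def log_message(self, *args):  # keep the example quiet
        pass


def probe(host, port, path="/"):
    """OPTIONS shows what is advertised; a PUT shows what is enforced."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    opts = conn.getresponse()
    opts.read()
    allow = [m.strip().upper() for m in (opts.getheader("Allow") or "").split(",") if m.strip()]
    conn.request("PUT", path, body=b"probe", headers={"Content-Type": "text/plain"})
    put = conn.getresponse()
    put.read()
    conn.close()
    return {"allow": allow, "put_status": put.status,
            "put_advertised": "PUT" in allow, "put_accepted": 200 <= put.status < 300}


def run_local_check():
    """Start the stand-in server on a free loopback port and probe it."""
    server = HTTPServer(("127.0.0.1", 0), ReadOnlyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, methods, denies in audit_constraints(SAMPLE_WEB_XML):
        print(f"{name!r}: methods={methods} denies={denies}")
    print(run_local_check())
```

Running the audit on the constructed fragment reports the first constraint as naming PUT but not denying it and the second as denying PUT and DELETE; the probe against the stand-in server reports `put_advertised` False and `put_status` 403, which is the combination the poster is aiming for. To use `probe()` against a real host, pass its address and port; a result with `put_advertised` True but `put_accepted` False is the "advertised but refused" state that a scanner flags even though the method is blocked.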