We have several customers who are paranoid about their security and are running vulnerability tests against our application, which is using Glassfish v3.0.1. They are complaining that requests like 'OPTIONS / HTTP/1.0' show that all the methods (GET, POST, PUT, DELETE, TRACE, OPTIONS) are allowed.
In reality TRACE is disabled via the <http> attribute trace-enabled="false".
And the PUT and DELETE methods appear to be magically disabled.
But to satisfy these folks I really need to either have OPTIONS report the correct "Allows" or have OPTIONS disabled.
I have tried using the following constraint, which points to a non-existent role, in my default-web.xml file, but it appears to have no effect.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecureIt</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>NoOne</role-name>
    </auth-constraint>
</security-constraint>
Any clues, suggestions, pointers?
Joey
[Message sent by forum member 'hotngui']
http://forums.java.net/jive/thread.jspa?messageID=475563
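The constraint above relies on a role name that nothing is mapped to. The Servlet specification gives an unambiguous way to say "nobody": an empty <auth-constraint/> element denies the listed methods to every caller, authenticated or not, with no role mapping involved. The following is an added example, not code from the original post or from GlassFish, showing that deny-all form in an application's own web.xml; the resource name "DenyUnusedMethods" is a made-up label, and the file is assumed to be a standard Servlet 3.0 deployment descriptor.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post): deny-all constraint for
     HTTP methods the application does not use. Assumes a Servlet 3.0
     web.xml; the resource name is a constructed placeholder. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>DenyUnusedMethods</web-resource-name>
            <!-- Applies to every path in the application. -->
            <url-pattern>/*</url-pattern>
            <!-- Only the methods listed here are constrained; any method
                 not listed (GET, POST, HEAD) stays unconstrained. -->
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>TRACE</http-method>
            <http-method>OPTIONS</http-method>
        </web-resource-collection>
        <!-- Empty auth-constraint: per the Servlet spec this means no role
             is permitted, so the container refuses these methods for
             everyone regardless of authentication or role mapping. -->
        <auth-constraint/>
    </security-constraint>

</web-app>
```

Because a security-constraint only covers the methods it names, a scanner's OPTIONS probe should be re-run after deploying this to confirm the container now rejects the listed methods (typically with 403) while GET and POST still work; if the constraint is placed in a container-wide default descriptor rather than the application's web.xml, verify separately that the container actually applies security-constraints from that file.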