-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot disable HTTP OPTIONS Method #5909
Comments
Specify the constraints in the <!-- ==================================================================== -->
<!-- Disable OPTIONS method with security constraint -->
<!-- ==================================================================== -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Disable OPTIONS</web-resource-name>
<url-pattern>/</url-pattern>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint> |
thanks a lot for your assistance! I will update the web.xml and let you know if any issues. |
@somayedubati please note that |
@sbordet Thanks for your inputs! We will review and make sure that CORS support needed or not before deployment. |
@joakime, I updated the web.xml file but still showing the HTTP OPTIONS as a Vulnerability. do you have any suggestions? |
@somayedubati the url-pattern should probably be |
The problem could be with a |
@janbartel and @gregw , thanks for your assistance! |
@somayedubati Do you know if the check is sending an |
@somayedubati can you try with no url-pattern element at all? |
@somayedubati We have tested the suggestion of @joakime and it is working for us, but it must be on the root context. So perhaps you can try just adding: <security-constraint>
<web-resource-collection>
<web-resource-name>Disable OPTIONS</web-resource-name>
<url-pattern>/</url-pattern>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint> This may deploy with a warning, but should work. |
@somayedubati I would also question the tool you are using that reports
Reporting Maybe |
@gregw , I was using the following based upon application of context. I was getting Forbidden if I use "/" as a context. I will try the new snippet and let you know.
|
@sbordet , I will find out HTTP OPTIONS using. Thanks |
It could be a misinterpretation of the report from your security tool. The |
@janbartel and I have found an issue with this. The main constraint to block OPTIONS works fine, but there is a problem combining the omitted methods as we already have the following in defaultweb.xml: <security-constraint>
<web-resource-collection>
<url-pattern>/</url-pattern>
<http-method-omission>TRACE</http-method-omission>
</web-resource-collection>
</security-constraint> There is some strangeness in how the TRACE and OPTIONS omission constraints are merged. However, we do believe that the following will be sufficient to block all OPTIONS methods unless matched by some other more specific constraint that includes OPTIONS: <security-constraint>
<web-resource-collection>
<web-resource-name>Disable OPTIONS</web-resource-name>
<url-pattern>/</url-pattern>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint> |
Fix #5909 Better handle merged RoleInfo
Signed-off-by: Jan Bartel <janb@webtide.com>
Please assist us for Disable HTTP OPTIONS Method in Jetty-9.4.18.20190429. We are getting this as a Moderate Vulnerability in the scans. Jetty is part of the product we are using the Job Scheduler JOC Cockpit Version 1.13.8.
Thanks and appreciate your help!
The text was updated successfully, but these errors were encountered: