Question

I wrote a Spring web application. Pretty solid except for one thing. The application answers an HTTP OPTIONS request with a response that says "Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS", but that's not true; only GET and POST are allowed. The other operations (other than GET and POST) return an "operation not supported" error 405 along with the server name and version, etc. The security team didn't like the fact that all details of the server are returned with the "Not supported" error message.

I spent a lot of time trying to override that error page or introduce a custom error page for 405, but I was not successful. And I spent my whole day trying to disable HTTP OPTIONS, without success. Just one more detail: I run curl statements to test:

curl "http://localhost:8080/webappX/welcome.htm" -X PUT -v

And my app returns:

HTTP Status 405 - Request method 'PUT' not supported
Tomcat/6.0...etc 

Since this data (Tomcat version, server info, and response metadata) might be used for security attacks, how can I create a custom 405 page that hides details of my server and gives a very minimal error page? Or how can I disable PUT, DELETE, TRACE, OPTIONS and HEAD so Tomcat might just ignore them or not provide internal information about my server?

Thank you


Solution

You can register and use an Interceptor that will catch all the requests to the app; if the method is anything other than GET/POST, simply redirect to an error page of your choosing or send an error response.

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

public class MyInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

        // Allow-list: only GET and POST reach the handlers.
        if (!request.getMethod().equalsIgnoreCase("POST") && !request.getMethod().equalsIgnoreCase("GET")) {
            // Not a POST/GET - send error and return false so the handler is never invoked
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized Request");
            return false;
        } else {
            return true;
        }
    }
}

To register the interceptor, add this to your Spring XML configuration file:

<mvc:interceptors>
    <mvc:interceptor>
        <mvc:mapping path="/**" />
        <bean class="your.package.MyInterceptor" />
    </mvc:interceptor>
</mvc:interceptors>

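As an added example (not the answer's code, nor anything from the asker's project), the same allow-list idea written as a servlet Filter. A Filter runs before Spring's DispatcherServlet, so it also covers the OPTIONS request and the 405 body the question mentions, and because it writes the status and body itself rather than calling sendError(), the container's default error page (the one that prints the Tomcat version) is never reached. The class name MethodAllowListFilter and the filter name in the web.xml comment are hypothetical; the code assumes the Servlet 2.5 API (javax.servlet).

```java
// Added example, not part of the original answer. Hypothetical class name.
// Enforces a GET/POST allow-list, answers OPTIONS with an accurate Allow
// header, and returns a minimal 405 body without any server details.
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MethodAllowListFilter implements Filter {

    // Only the methods the application actually implements.
    private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList("GET", "POST"));
    private static final String ALLOW_HEADER = "GET, POST";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String method = request.getMethod().toUpperCase();

        if ("OPTIONS".equals(method)) {
            // Advertise exactly what is supported: no body, no server details.
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            response.setHeader("Allow", ALLOW_HEADER);
            return;
        }

        if (!ALLOWED.contains(method)) {
            // Write the 405 directly. sendError() would hand the response to the
            // container's error-page mechanism, whose default page shows the
            // Tomcat version; setStatus() plus our own body bypasses it.
            response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            response.setHeader("Allow", ALLOW_HEADER);
            response.setContentType("text/plain");
            response.getWriter().write("Method not allowed");
            return;
        }

        // GET or POST: continue to the DispatcherServlet.
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}

/* Registration in web.xml (filter name is hypothetical); the filter must be
   mapped to the same URL pattern as the DispatcherServlet so it sees every
   request before Spring does:

   <filter>
       <filter-name>methodAllowListFilter</filter-name>
       <filter-class>your.package.MethodAllowListFilter</filter-class>
   </filter>
   <filter-mapping>
       <filter-name>methodAllowListFilter</filter-name>
       <url-pattern>/*</url-pattern>
   </filter-mapping>

   If other code in the application still calls sendError(405), an
   <error-page> entry with <error-code>405</error-code> pointing at a static
   page in the web application replaces the container's default page too. */
```

Checking with the curl command from the question, a PUT should now yield a plain "Method not allowed" body with status 405 and an "Allow: GET, POST" header, and an OPTIONS request should yield 204 with the same Allow header and no body.
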
Licensed under: CC-BY-SA with attribution