Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Shiv Ranjan (ShivRanjan_PCLSA8) Deutsche Telekom Services Europe SE Pega Advisor (Senior Technology Architect)
Deutsche Telekom Services Europe SE
DE
ShivRanjan_PCLSA8 Member since 2017 14 posts
Deutsche Telekom Services Europe SE
Posted: Nov 13, 2018
Last activity: Feb 26, 2019
Posted: 13 Nov 2018 7:35 EST
Last activity: 26 Feb 2019 0:05 EST
Closed

Dangerous HTTP method enabled

Could you please assist here to disable dangerous HTTP Method ?

Security
Posted: 5 years ago
Posted: 19 Nov 2018 11:45 EST
Brad Tainter (Br@dTainter_GCS) PEGA Fellow, Technical Support, Platform Service
Pegasystems Inc.
US

Hi,

Take a look at the following document:  https://docs.oracle.com/javaee/6/tutorial/doc/gmmku.html

The simplest way to ensure that you deny all HTTP methods except those that you want to be permitted is to use http-method-omission elements to omit those HTTP methods from the security constraint, and also to define an auth-constraint that names no roles. The security constraint will apply to all methods except those that were named in the omissions, and the constraint will apply only to the resources matched by the patterns in the constraint.

Show More

Hi,

Take a look at the following document:  https://docs.oracle.com/javaee/6/tutorial/doc/gmmku.html

The simplest way to ensure that you deny all HTTP methods except those that you want to be permitted is to use http-method-omission elements to omit those HTTP methods from the security constraint, and also to define an auth-constraint that names no roles. The security constraint will apply to all methods except those that were named in the omissions, and the constraint will apply only to the resources matched by the patterns in the constraint.

For example, the following constraint excludes access to all methods except GET and POST at the resources matched by the pattern /company/*:


<!-- SECURITY CONSTRAINT #5 -->
<security-constraint>
    <display-name>Deny all HTTP methods except GET and POST</display-name>
    <web-resource-collection>
        <url-pattern>/company/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

Show Less
Posted: 4 years ago
Posted: 26 Feb 2019 0:05 EST
Vidyaranjan AV (Vidyaranjan) Senior Online Community Moderator
Pegasystems Inc.
IN

Hi,

Thank you for posting your query in the PSC. This looks like an inactive post and hence, we suggest you create a new post for your query. Click on the Write Post button here. Once created, please reply back here with the URL of the new post.

You may also refer this discussion link as a reference in the new thread.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice