Disabling OPTIONS and DELETE in Apache

Classic Servoy
1

Hey Folks,

Our compliance and security team regularly scans all servers for potential security leaks. They want the OPTIONS and DELETE disabled on the Servoy app server. After searching for a while - I found the snippet I was looking for:

<security-constraint>
     <web-resource-collection>
          <web-resource-name>Forbidden</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>OPTIONS</http-method>
          <http-method>DELETE</http-method>
     </web-resource-collection>
     <auth-constraint />
</security-constraint>

I’m not sure where to place it in the web.xml config file… when I try to just place it at the end - the service won’t start - with this error:

ERROR [WrapperSimpleAppMain] com.servoy.j2db.util.Debug - Cannot load mime type mappings from web.xml: 
org.xml.sax.SAXParseExceptionpublicId: C:\Servoy_7_4\application_server\server\conf\web.xml; lineNumber: 4668; columnNumber: 2; The markup in the document following the root element must be well-formed.
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$TrailingMiscDriver.next(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(Unknown Source)
	at com.servoy.j2db.server.main.Zrb.Za(Zrb.java:18)
	at com.servoy.j2db.server.main.ApplicationServer.Za(ApplicationServer.java:321)
	at com.servoy.j2db.server.main.ApplicationServer.Za(ApplicationServer.java:97)
	at com.servoy.j2db.server.main.Zob.start(Zob.java:49)
	at com.servoy.j2db.server.main.ApplicationServer.main(ApplicationServer.java:641)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:238)
	at java.lang.Thread.run(Unknown Source)

This is Servoy 7.4.10 on Java 1.8.0_221 on Windows Server 2008

Any help would be greatly appreciated!

Bob

2

Hi Bob,

right at the end of the file, is not the correct position I believe.
The web.xml file starts with tag and also has to end with that.
Positioning in between those tags should be good, but personally I’d put it above the mime type mappings.

Tried this in developer, and seems to work.

3

Marc, you sir, are a gentleman and scholar!

WORKED.

THANK YOU! I appreciate your help!!

Bob