Disabling OPTIONS and DELETE in Apache

Questions and Answers on installation, deployment, management, locking, transactions of Servoy Application Server


Post by bcusick » Wed Aug 28, 2019 3:53 pm

Hey Folks,

Our compliance and security team regularly scans all servers for potential security leaks. They want the OPTIONS and DELETE disabled on the Servoy app server. After searching for a while - I found the snippet I was looking for:

Code:
<security-constraint>
     <web-resource-collection>
          <web-resource-name>Forbidden</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>OPTIONS</http-method>
          <http-method>DELETE</http-method>
     </web-resource-collection>
     <auth-constraint />
</security-constraint>


I'm not sure where to place it in the web.xml config file.... when I try to just place it at the end - the service won't start - with this error:

Code:
ERROR [WrapperSimpleAppMain] com.servoy.j2db.util.Debug - Cannot load mime type mappings from web.xml:
org.xml.sax.SAXParseExceptionpublicId: C:\Servoy_7_4\application_server\server\conf\web.xml; lineNumber: 4668; columnNumber: 2; The markup in the document following the root element must be well-formed.
   at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
   at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$TrailingMiscDriver.next(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
   at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
   at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
   at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
   at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(Unknown Source)
   at com.servoy.j2db.server.main.Zrb.Za(Zrb.java:18)
   at com.servoy.j2db.server.main.ApplicationServer.Za(ApplicationServer.java:321)
   at com.servoy.j2db.server.main.ApplicationServer.Za(ApplicationServer.java:97)
   at com.servoy.j2db.server.main.Zob.start(Zob.java:49)
   at com.servoy.j2db.server.main.ApplicationServer.main(ApplicationServer.java:641)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:238)
   at java.lang.Thread.run(Unknown Source)


This is Servoy 7.4.10 on Java 1.8.0_221 on Windows Server 2008

Any help would be greatly appreciated!

Bob
Bob Cusick

Re: Disabling OPTIONS and DELETE in Apache

Post by mboegem » Thu Aug 29, 2019 10:17 pm

Hi Bob,

Right at the end of the file is not the correct position, I believe.
The web.xml file starts with a <web-app> tag and also has to end with that.
Positioning in between those tags should be good, but personally I'd put it above the mime type mappings.

Tried this in Developer, and it seems to work.
Marc Boegem
Solutiative / JBS Group, Partner
• Servoy Certified Developer
• Servoy Valued Professional
• Freelance Developer
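
A pre-restart check for the placement issue discussed above, as an added example that is not part of the original posts or of Servoy: it parses a web.xml, fails on the same "markup after the root element" condition, and reports which methods a deny-all constraint covers. The sample documents and the names `blocked_methods`, `local` and `texts` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not the real Servoy web.xml): the constraint placed
# inside <web-app> above the mime mappings, and pasted after </web-app>.
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>Forbidden</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>OPTIONS</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>"""
MIME = ("<mime-mapping><extension>txt</extension>"
        "<mime-type>text/plain</mime-type></mime-mapping>")
INSIDE = f"<web-app>\n{CONSTRAINT}\n{MIME}\n</web-app>"
AFTER_ROOT = f"<web-app>\n{MIME}\n</web-app>\n{CONSTRAINT}"


def local(tag):
    """Strip an XML namespace prefix such as '{http://...}web-app'."""
    return tag.rsplit("}", 1)[-1]


def texts(parent, name):
    """Text of each direct child element called `name`."""
    return [(c.text or "").strip() for c in parent if local(c.tag) == name]


def blocked_methods(web_xml, pattern="/*"):
    """Return HTTP methods denied to all callers for `pattern` ('*' = every method)."""
    try:
        root = ET.fromstring(web_xml)
    except ET.ParseError as exc:  # e.g. markup after the root element
        raise ValueError(f"web.xml is not well-formed: {exc}") from exc
    if local(root.tag) != "web-app":
        raise ValueError("root element is not <web-app>")
    blocked = set()
    for sc in (e for e in root if local(e.tag) == "security-constraint"):
        auth = [e for e in sc if local(e.tag) == "auth-constraint"]
        # An <auth-constraint> with no <role-name> children permits no one.
        if not auth or any(texts(a, "role-name") for a in auth):
            continue
        for wrc in (e for e in sc if local(e.tag) == "web-resource-collection"):
            if pattern in texts(wrc, "url-pattern"):
                blocked.update(texts(wrc, "http-method") or ["*"])
    return blocked


if __name__ == "__main__":
    print(sorted(blocked_methods(INSIDE)))
```

Run against the edited file's contents before restarting the service; a `ValueError` means the server's own parser will reject the file as well.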


Re: Disabling OPTIONS and DELETE in Apache

Post by bcusick » Fri Aug 30, 2019 3:08 pm

Marc, you sir, are a gentleman and scholar!

WORKED.

THANK YOU! I appreciate your help!!

Bob
Bob Cusick

