
Disabling OPTIONS and DELETE in Apache

Posted: Wed Aug 28, 2019 3:53 pm
by bcusick
Hey Folks,

Our compliance and security team regularly scans all servers for potential security leaks. They want the OPTIONS and DELETE disabled on the Servoy app server. After searching for a while - I found the snippet I was looking for:

Code:
<security-constraint>
     <web-resource-collection>
          <web-resource-name>Forbidden</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>OPTIONS</http-method>
          <http-method>DELETE</http-method>
     </web-resource-collection>
     <auth-constraint />
</security-constraint>


I'm not sure where to place it in the web.xml config file... When I try to just place it at the end, the service won't start, with this error:

Code:
ERROR [WrapperSimpleAppMain] com.servoy.j2db.util.Debug - Cannot load mime type mappings from web.xml:
org.xml.sax.SAXParseExceptionpublicId: C:\Servoy_7_4\application_server\server\conf\web.xml; lineNumber: 4668; columnNumber: 2; The markup in the document following the root element must be well-formed.
   at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
   at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$TrailingMiscDriver.next(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(Unknown Source)
   at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
   at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
   at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
   at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
   at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(Unknown Source)
   at com.servoy.j2db.server.main.Zrb.Za(Zrb.java:18)
   at com.servoy.j2db.server.main.ApplicationServer.Za(ApplicationServer.java:321)
   at com.servoy.j2db.server.main.ApplicationServer.Za(ApplicationServer.java:97)
   at com.servoy.j2db.server.main.Zob.start(Zob.java:49)
   at com.servoy.j2db.server.main.ApplicationServer.main(ApplicationServer.java:641)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:238)
   at java.lang.Thread.run(Unknown Source)


This is Servoy 7.4.10 on Java 1.8.0_221 on Windows Server 2008

Any help would be greatly appreciated!

Bob

Re: Disabling OPTIONS and DELETE in Apache

Posted: Thu Aug 29, 2019 10:17 pm
by mboegem
Hi Bob,

Right at the end of the file is not the correct position, I believe.
The web.xml file starts with the <web-app> tag and also has to end with that.
Positioning in between those tags should be good, but personally I'd put it above the mime type mappings.

Tried this in developer, and seems to work.
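
The placement rule from the reply above, as an added example that is not part of the original thread: Python's standard XML parser rejects the constraint when it is appended after the closing web-app tag, and when the constraint is a child of `<web-app>` the check reports which methods the empty `<auth-constraint />` denies. The minimal web.xml strings and the helper names `local` and `denied_methods` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the thread inside a minimal web.xml.
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>Forbidden</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>OPTIONS</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>"""
MIME = "<mime-mapping><extension>txt</extension><mime-type>text/plain</mime-type></mime-mapping>"
APPENDED = "<web-app>" + MIME + "</web-app>\n" + CONSTRAINT  # after the root element
INSIDE = "<web-app>" + CONSTRAINT + MIME + "</web-app>"      # child of <web-app>


def local(tag):
    """Strip an XML namespace, since real web.xml files usually declare one."""
    return tag.rsplit("}", 1)[-1]


def denied_methods(web_xml_text):
    """Return {url-pattern: set(methods)} for constraints that deny all access.
    Raises ValueError if the text is not a well-formed <web-app> document."""
    try:
        root = ET.fromstring(web_xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"web.xml is not well-formed: {exc}") from exc
    if local(root.tag) != "web-app":
        raise ValueError("root element is not <web-app>")
    denied = {}
    for sc in (c for c in root if local(c.tag) == "security-constraint"):
        auth = [c for c in sc if local(c.tag) == "auth-constraint"]
        # An auth-constraint with no role-name children permits no one.
        if not auth or any(local(r.tag) == "role-name" for a in auth for r in a):
            continue
        for wrc in (c for c in sc if local(c.tag) == "web-resource-collection"):
            patterns = [(c.text or "").strip() for c in wrc if local(c.tag) == "url-pattern"]
            methods = {(c.text or "").strip() for c in wrc if local(c.tag) == "http-method"}
            for p in patterns:  # no http-method listed means every method
                denied.setdefault(p, set()).update(methods or {"*"})
    return denied


if __name__ == "__main__":
    print(denied_methods(INSIDE))
```
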

Re: Disabling OPTIONS and DELETE in Apache

Posted: Fri Aug 30, 2019 3:08 pm
by bcusick
Marc, you sir, are a gentleman and scholar!

WORKED.

THANK YOU! I appreciate your help!!

Bob