Hi team, i am trying to fix some security issues in my struts application. Now blocked at issue to block http unused verbs in response. My web.xml is as shown below:
I am trying to block unused http methods (OPTIONS,TRACE,DELETE) using web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "
http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<display-name>eServices</display-name>
<filter>
<filter-name>sessionvalidator</filter-name>
<filter-class>util.SessionFilter</filter-class>
<init-param>
<param-name>avoid-urls</param-name>
<param-value>/index.jsp</param-value>
</init-param>
</filter>
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>sessionvalidator</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>120</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<taglib>
<taglib-uri>/dateFormat</taglib-uri>
<taglib-location>/WEB-INF/tlds/customfunctions.tld</taglib-location>
</taglib>
<security-constraint>
<display-name>Restricted</display-name>
<web-resource-collection>
<web-resource-name>restrictAccess</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
</web-app>
I tried changing different ways but not able to go through.