How to explicitly block HTTP methods PUT or DELETE in the Tomcat used by Catalog?

Document ID : KB000016115
Last Modified Date : 14/02/2018
Introduction:

Catalog runs on a Tomcat server. The HTTP methods PUT, DELETE and OPTIONS exposed by Tomcat are unsafe and need to be blocked to avoid cyber attacks.

Question:

How to explicitly block the unsafe HTTP methods PUT, DELETE and OPTIONS in the Tomcat used by Catalog?

Environment:
Catalog 12.9, 14.1, 17.0
Answer:
Note: With recent Tomcat versions (for example Tomcat 6 and Tomcat 7), the default configuration should already block the PUT and DELETE methods. To check whether your Tomcat blocks PUT or DELETE, see techdoc TEC1916899.
 
 
If they are not blocked, do the following to explicitly block the HTTP methods PUT, DELETE and OPTIONS in the Tomcat that Catalog uses:
1) First, make a backup copy of web.xml (it is in the USM_HOME\view\webapps\usm\WEB-INF\ folder on the Catalog server) before you modify it.
2) Edit web.xml in a text editor such as Notepad++ and add the <security-constraint> block shown below (the highlighted lines in the original document) into the section shown, after <absolute-ordering /> and before the first <context-param>. The block also denies TRACE:
 
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" metadata-complete="true">

    <display-name>CA Service View</display-name>
    <distributable />
    <absolute-ordering />

    <!-- Lines to add: deny TRACE, PUT, DELETE and OPTIONS for every URL of the
         application. The empty <auth-constraint /> means no role is permitted,
         so Tomcat rejects these methods for every caller with HTTP 403. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>TRACE</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>

    <context-param>
        <param-name>slcmContextConfigLocation</param-name>
 
Then save the file.
 
3) Recycle (restart) the Catalog service to pick up this change.
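As an added example that is not part of this CA knowledge document, the following Python script checks offline whether a web.xml really carries the blanket deny described in the steps above: it only counts a method as blocked when it is listed under url-pattern /* inside a <security-constraint> whose <auth-constraint> names no role. The sample web.xml documents embedded in it are constructed from the fragment above (a "before" file, the "after" file, and a role-based constraint that does not block anonymous callers), and the function names are my own.

```python
# Added example: verify that a Tomcat web.xml denies the unsafe HTTP methods
# PUT, DELETE and OPTIONS to every caller. Not code from the CA article.
import xml.etree.ElementTree as ET

# Default namespace declared on <web-app> in the Catalog web.xml.
NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Methods the article wants blocked.
UNSAFE_METHODS = {"PUT", "DELETE", "OPTIONS"}

WEB_XML_HEAD = (
    '<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">\n'
    "  <display-name>CA Service View</display-name>\n"
)

# Constructed "before" file: no security-constraint at all.
WEB_XML_BEFORE = WEB_XML_HEAD + "</web-app>\n"

# Constructed "after" file: the constraint from the article has been added.
WEB_XML_AFTER = WEB_XML_HEAD + """\
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>
"""

# Constructed mistake: the methods are listed, but a role is granted, so
# this is an access rule for that role rather than a blanket deny.
WEB_XML_ROLE = WEB_XML_HEAD + """\
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def denied_methods(web_xml_text: str) -> set:
    """Return the HTTP methods that web.xml denies to every caller on /*.

    In the servlet spec an empty <auth-constraint /> (no <role-name>) means
    "no role may access", i.e. a blanket deny. Constraints that name a role,
    or that have no <auth-constraint> at all, are not blanket denies.
    """
    root = ET.fromstring(web_xml_text)
    denied = set()
    for sc in root.findall("j:security-constraint", NS):
        auth = sc.find("j:auth-constraint", NS)
        if auth is None or auth.find("j:role-name", NS) is not None:
            continue
        for wrc in sc.findall("j:web-resource-collection", NS):
            patterns = {(p.text or "").strip() for p in wrc.findall("j:url-pattern", NS)}
            if "/*" not in patterns:
                continue  # only a sub-path is covered, not the whole application
            for m in wrc.findall("j:http-method", NS):
                denied.add((m.text or "").strip().upper())
    denied.discard("")
    return denied


def unsafe_methods_still_open(web_xml_text: str) -> set:
    """Unsafe methods from the article that this web.xml does not deny."""
    return UNSAFE_METHODS - denied_methods(web_xml_text)


if __name__ == "__main__":
    samples = (("before", WEB_XML_BEFORE), ("after", WEB_XML_AFTER), ("role-based", WEB_XML_ROLE))
    for label, doc in samples:
        gap = unsafe_methods_still_open(doc)
        print(f"{label:10s} still open: {sorted(gap) or 'none'}")
```

To check a real file, read USM_HOME\view\webapps\usm\WEB-INF\web.xml into a string and pass it to unsafe_methods_still_open; an empty set means the constraint is in place. After the service restart, Tomcat answers a PUT, DELETE or OPTIONS request to any Catalog URL with HTTP 403. Note that denying OPTIONS also denies CORS preflight requests, so confirm that no browser-based integration with the Catalog web application depends on them before applying the constraint.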

 

Additional Information: