Home / server / Questions / 108989
Accepted
rbrayb
Asked: 2010-02-03 17:14:11 +0800 CST

How to disable HTTP options on Sun servers

  • 772

Using BURP to send a

OPTIONS * HTTP/1.0

request to Sun Web Server 7.0 returns:

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Wed, 03 Feb 2010 01:05:14 GMT
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR, COPY, CONNECT, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK, ACL, REPORT, VERSION-CONTROL, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, SEARCH, SUBSCRIBE, UNSUBSCRIBE, NOTIFY, POLL, BDELETE, BCOPY, BMOVE, BPROPPATCH, BPROPFIND

and to GlassFish Enterprise Server v2.1 returns :

HTTP/1.1 200 OK
X-Powered-By: Servlet/2.5
Server: Sun GlassFish Enterprise Server v2.1
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Date: Wed, 03 Feb 2010 01:10:10 GMT

I would like to trim the HTTP options supported on both servers to something like:

Allow: GET, HEAD, POST, PUT

How to I configure both servers in order to implement this?

http sun http-headers

1 Answers

  1. Best Answer

    Some research gave the following:

    Change the obj.conf file in the config directory of the web server instance (i.e. not the admin-server config directory) and add the "If" below.

    <Object name="default">
<If $method = "TRACE" or $method = "OPTIONS">
AuthTrans fn="set-variable" error="501"
</If>
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="ntrans-j2ee" name="j2ee"

    This tells the server to respond to such requests with a 501 error.

    The actual response is:

    HTTP/1.1 501 Not Implemented
    Server: Sun-Java-System-Web-Server/7.0
    Date: Mon, 22 Feb 2010 20:04:21 GMT
    Content-length: 148 Content-type:
    text/html Connection: close

    Not Implemented

    Not Implemented

    This server does not implement the requested method.

    • 0