WebLogic Server Domain: How To Disable the HTTP methods other than GET and POST (such as PUT, DELETE, etc.)
The objective is to disable the HTTP methods other than GET and POST (such as PUT, DELETE, etc.) in a WebLogic Server domain.
We can restrict access to HTTP methods such as PUT or DELETE using security constraints in the application's <application_name>/WEB-INF/web.xml:
    <security-constraint>
        <display-name>Constraint-0</display-name>
        <web-resource-collection>
            <web-resource-name>mytest</web-resource-name>
            <description>Test</description>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>NONE</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
Note: There is no option in WebLogic Server to disable these methods across the entire server, because the Servlet specification requires that the application server allow all HTTP methods.
The onus is on the application to actually restrict the HTTP methods. The way we do this is by providing the security constraints in the web.xml file.
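Because a <web-resource-collection> only covers the <http-method> elements it lists, a constraint like the one above restricts PUT and DELETE and nothing else; HEAD, OPTIONS, TRACE and PATCH remain uncovered unless they are listed too, unless the collection uses <http-method-omission> (Servlet 3.0: "every method except these"), or unless the deployment descriptor declares <deny-uncovered-http-methods/> (Servlet 3.1). The following script is an added example, not part of the original article or of WebLogic, that parses a web.xml and reports, per url-pattern, which non-GET/POST methods no restricting constraint covers. The two embedded descriptors are constructed for the demonstration: the first reuses the article's constraint, the second is a hardened variant that uses omissions plus an empty <auth-constraint/>, which the Servlet specification defines as denying access to everyone (the article's NONE role works because no user is mapped to that role). Precedence between overlapping url-patterns is not modelled.

```python
# Added example (not from the original article): audit a Java EE / WebLogic
# web.xml for HTTP methods that no restricting <security-constraint> covers.
import xml.etree.ElementTree as ET

# Standard methods a container will normally dispatch; extension methods
# (e.g. WebDAV verbs) are deliberately not enumerated here.
ALL_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH")
ALLOWED_METHODS = frozenset({"GET", "POST"})


def _local(tag):
    """Strip the XML namespace so descriptors with or without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name, upper=False):
    out = [(c.text or "").strip() for c in _children(elem, name)]
    return [t.upper() for t in out] if upper else out


def covered_methods(collection):
    """Methods a <web-resource-collection> applies to, per the Servlet spec:
    the explicit <http-method> entries, or everything except the
    <http-method-omission> entries, or every method when neither is given."""
    explicit = set(_texts(collection, "http-method", upper=True))
    omitted = set(_texts(collection, "http-method-omission", upper=True))
    if omitted:
        return set(ALL_METHODS) - omitted
    if explicit:
        return explicit
    return set(ALL_METHODS)


def parse_constraints(xml_text):
    """Return (deny_uncovered, [(url_patterns, methods, roles), ...]).
    roles is None when the constraint has no <auth-constraint> (no access
    restriction); otherwise it is the role list, and an empty list means
    nobody may access the resource."""
    root = ET.fromstring(xml_text)
    deny_uncovered = bool(_children(root, "deny-uncovered-http-methods"))
    constraints = []
    for sc in _children(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        roles = None if not auth else _texts(auth[0], "role-name")
        for coll in _children(sc, "web-resource-collection"):
            patterns = _texts(coll, "url-pattern")
            constraints.append((patterns, covered_methods(coll), roles))
    return deny_uncovered, constraints


def uncovered_methods(xml_text, allowed=ALLOWED_METHODS):
    """Map each url-pattern to the sorted non-allowed methods that no
    restricting constraint covers. With <deny-uncovered-http-methods/> the
    container itself rejects uncovered methods, so nothing is reported."""
    deny_uncovered, constraints = parse_constraints(xml_text)
    restricted_by_pattern = {}
    for patterns, methods, roles in constraints:
        for pattern in patterns:
            restricted = restricted_by_pattern.setdefault(pattern, set())
            if roles is not None:  # an <auth-constraint> is present
                restricted |= methods
    return {
        pattern: ([] if deny_uncovered else sorted(set(ALL_METHODS) - allowed - restricted))
        for pattern, restricted in restricted_by_pattern.items()
    }


# Constructed descriptor that reuses the article's constraint (PUT/DELETE only).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>Constraint-0</display-name>
    <web-resource-collection>
      <web-resource-name>mytest</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>NONE</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed hardened variant: everything except GET and POST, denied to all.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all-but-get-post</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    for label, xml in (("article", SAMPLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for pattern, left_open in uncovered_methods(xml).items():
            print(f"{label}: {pattern} uncovered non-GET/POST methods: {left_open or 'none'}")
```

Run against the article's constraint the report lists HEAD, OPTIONS, PATCH and TRACE as still uncovered for `/*`; against the hardened descriptor it lists none. Re-run the script after each web.xml change as a deployment check, and treat any non-empty list as a finding to add to the constraint.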
A possible workaround for imposing these restrictions across multiple applications is to route all initial traffic through a WLS virtual host with a web application at the default context path that then proxies to the other web applications on the same server, which may not necessarily be all on the same virtual host. Note that this approach would not be very efficient as it would require multiple threads per request.
You may also use Oracle HTTP Server (or Apache) as a proxy, so that Internet users can reach the applications only through the proxy.