10

I had developed a REST API on a Spring Boot application. The APIs accept only GET and POST, but on requesting with the OPTIONS method, the API responds with a 200 status (instead of 405). I googled this issue, but none of the solutions was Spring Boot based.

Response:

Allow: OPTIONS, TRACE, GET, HEAD, POST
Public: OPTIONS, TRACE, GET, HEAD, POST

I need to disable the OPTIONS method.

Tanay Mathur
  • @dur Please ignore the server part. Actually I can't show the full response as it's classified. So I just added a similar type of response. Hope you can understand – Tanay Mathur Mar 04 '17 at 13:23

4 Answers

18

The previous answer is for Tomcat only, so adding mine as well. You can disable the method cross-container by, for example, using a standard servlet filter:

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class MethodFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
                    throws ServletException, IOException {
        if ("OPTIONS".equals(request.getMethod())) {
            // Reject with 405 and do not pass the request further down the chain.
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        } else {
            filterChain.doFilter(request, response);
        }
    }
}

Note: it is assumed that this class is component-scanned by Spring. If not, you can use other registration methods as detailed here.

eis
  • This filter does not seem to work if you want to disable the TRACE method – SpartanX1 Nov 03 '21 at 10:56
  • @SpartanX1 Depends on what you mean by disabling. It should certainly block its use, however TRACE would still be visible in OPTIONS output – eis Nov 03 '21 at 12:21
  • You should add a return statement after response.sendError(). Otherwise OPTIONS works as it is, just changes the response code – Naresh Muthyala May 03 '23 at 11:31
  • @NareshMuthyala The method ends there, a return statement would not change anything – eis May 16 '23 at 12:58
3

Try this; in allowedMethods you can filter methods which are required:

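import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class CorsConfiguration {

    @Bean
    public WebMvcConfigurer corsConfigurer() {
        // WebMvcConfigurerAdapter is deprecated since Spring 5; there, implement WebMvcConfigurer directly.
        return new WebMvcConfigurerAdapter() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/**")
                        .allowedOrigins("https://example.com") // placeholder: the origins you want to allow
                        .allowCredentials(false).allowedMethods("POST", "GET", "PUT");
            }
        };
    }
}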
Druckles
chaitra
2

I tried this and it worked.

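import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.http.HttpMethod;

// The bean method and the nested class below belong inside a @Configuration class.
@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
    return new EmbeddedServletContainerCustomizer() {
        @Override
        public void customize(ConfigurableEmbeddedServletContainer container) {
            // Only applies when the embedded container is Tomcat.
            if (container instanceof TomcatEmbeddedServletContainerFactory) {
                TomcatEmbeddedServletContainerFactory tomcatContainer = (TomcatEmbeddedServletContainerFactory) container;
                tomcatContainer.addContextCustomizers(new ContextSecurityCustomizer());
            }
        }
    };
}

private static class ContextSecurityCustomizer implements TomcatContextCustomizer {
    @Override
    public void customize(Context context) {
        SecurityConstraint constraint = new SecurityConstraint();
        SecurityCollection securityCollection = new SecurityCollection();
        securityCollection.setName("restricted_methods");
        securityCollection.addPattern("/*");
        securityCollection.addMethod(HttpMethod.OPTIONS.toString());
        constraint.addCollection(securityCollection);
        // An auth constraint with no roles denies every request that uses the listed methods.
        constraint.setAuthConstraint(true);
        context.addConstraint(constraint);
    }
}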
Tanay Mathur
0

If you are using Spring Security, you can use the method below:

@Bean
public HttpFirewall configureFirewall() {
   StrictHttpFirewall strictHttpFirewall = new StrictHttpFirewall();
   strictHttpFirewall.setAllowedHttpMethods(Arrays.asList("GET","POST","OPTIONS"));
   return strictHttpFirewall;
}
kwlim