
I have a web-app developed using Spring-MVC, Spring-Security and hosted on Tomcat 7. As a security measure, I have also whitelisted only certain HTTP methods in web.xml as follows:

<!-- Covers every HTTP method EXCEPT the omitted ones (GET, POST, DELETE) under /* -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
        <http-method-omission>DELETE</http-method-omission>
    </web-resource-collection>
    <!-- Empty auth-constraint: no role may access, so every covered request gets 403 -->
    <auth-constraint />
</security-constraint>

At this point, what I would expect is that if I made an excluded HTTP method call to any endpoint, then I would get a 403 response - and this setup works. But the 403 response also includes an "Allow" header as follows:

Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH

  1. Is blacklisting OPTIONS not a supported/recommended thing?
  2. Why is the list of allowed HTTP methods different from what I have configured?
  3. I'm assuming Tomcat is the one adding the Allow header to the response - is that right?
  4. And how can I configure Tomcat (or Spring, if that is adding the header) to not add this header to the response?
ashutosh
  • I don't believe Tomcat adds the "Allow" header, unless you are getting a `405 Method Not Allowed` response, where the HTTP spec *requires* its presence. – Christopher Schultz Nov 13 '15 at 22:02
  • @ChristopherSchultz - if not Tomcat, then what could be adding the 403 response with the Allow header? My assumption was that since web.xml has the security constraint, Tomcat is probably the one blocking the request. Would it still go through Spring's filter chain at that point? – ashutosh Nov 15 '15 at 02:15
  • It would be helpful to others to mark your question as solved or comment on the answer if it didn't work. – Journeycorner Nov 16 '15 at 20:21
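
The rule the configuration above relies on is the Servlet 3.0 combination rule for `<security-constraint>`: `<http-method-omission>` makes a collection cover every method except the ones listed, and an `<auth-constraint/>` that names no role denies all covered requests, so GET, POST and DELETE are left unconstrained while HEAD, PUT, OPTIONS, TRACE and PATCH are rejected with 403 by the container before the servlet or any filter runs. The Allow list, by contrast, is not derived from web.xml at all: HttpServlet.doOptions advertises the doGet/doPost/doPut/doDelete/doTrace/doOptions methods a servlet implements (adding HEAD alongside GET), and Spring's FrameworkServlet appends PATCH to that header, which is exactly the eight methods shown. The script below is an added example (not code from the question, the answer, Tomcat or Spring) that models the constraint rules and compares the result against that header. Assumptions: the method universe is the eight methods in `STANDARD_METHODS`; the question's fragment is wrapped in a `<web-app>` root so it parses; transport guarantees and the Servlet 3.1 `<deny-uncovered-http-methods/>` element are ignored; url-pattern precedence follows the spec order (exact, longest prefix, extension, default), and only the best-ranked matching constraints are combined.

```python
"""Model Servlet 3.0 <security-constraint> evaluation and audit an Allow header.
Added example for illustration; not code from the question, the answer, Tomcat
or Spring. Assumptions are marked in comments."""
import xml.etree.ElementTree as ET

# Assumption: the container's method universe is these eight methods (RFC 7231
# plus PATCH); <http-method-omission> is expanded against this list.
STANDARD_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH")

# The fragment posted in the question, wrapped in a <web-app> root so it parses.
WEB_XML = """<web-app>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
        <http-method-omission>DELETE</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
</web-app>"""


def _kids(elem, name):
    """Children by local name, so a namespaced web.xml ({ns}url-pattern) works too."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _texts(elem, name):
    return [c.text.strip() for c in _kids(elem, name) if c.text]


def covered_methods(collection, known=STANDARD_METHODS):
    """Methods one <web-resource-collection> constrains: <http-method> lists them,
    <http-method-omission> covers every method in `known` except those listed,
    and neither element means every method is covered."""
    listed = set(_texts(collection, "http-method"))
    if listed:
        return listed
    return set(known) - set(_texts(collection, "http-method-omission"))


def pattern_rank(pattern, path):
    """Rank a matching url-pattern: exact > longest prefix > extension > default '/'.
    Returns None when the pattern does not match. Only the best-ranked matching
    constraints apply to a request, so lower ranks are ignored."""
    if pattern == "/":
        return (0, 0)
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return (2, len(prefix)) if path == prefix or path.startswith(prefix + "/") else None
    return (3, 0) if path == pattern else None


def decide(web_xml, method, path, known=STANDARD_METHODS):
    """Return 'deny' (403), 'authenticate' (a role is required) or 'permit'.

    Combination rules from the spec: an <auth-constraint/> naming no role denies
    everyone and overrides the rest; a matching constraint with no
    <auth-constraint> permits unauthenticated access even if another names roles.
    Transport guarantees are ignored here.
    """
    matched = []  # (rank, list of <auth-constraint> elements, 0 or 1 long)
    for sc in _kids(ET.fromstring(web_xml), "security-constraint"):
        for coll in _kids(sc, "web-resource-collection"):
            if method not in covered_methods(coll, known):
                continue
            ranks = [r for r in (pattern_rank(p, path) for p in _texts(coll, "url-pattern")) if r]
            if ranks:
                matched.append((max(ranks), _kids(sc, "auth-constraint")))
    if not matched:
        return "permit"
    best = max(rank for rank, _ in matched)
    auths = [auth for rank, auth in matched if rank == best]
    if any(auth and not _texts(auth[0], "role-name") for auth in auths):
        return "deny"
    return "authenticate" if all(auths) else "permit"


def denied_but_advertised(web_xml, allow_header, path="/"):
    """Methods an Allow header lists that the constraints reject with 403; a 403
    carrying such a header advertises methods the client can never use."""
    advertised = [m.strip() for m in allow_header.split(",") if m.strip()]
    return sorted(m for m in advertised if decide(web_xml, m, path) == "deny")


if __name__ == "__main__":
    for m in STANDARD_METHODS:
        print(f"{m:<8} -> {decide(WEB_XML, m, '/api/items')}")
    header = "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH"  # from the question
    print("advertised but denied:", denied_but_advertised(WEB_XML, header))
```

Running it with the question's fragment reports GET, POST and DELETE as `permit` and the other five as `deny`, and lists HEAD, OPTIONS, PATCH, PUT and TRACE as advertised-but-denied. The same `decide` function handles a namespaced web.xml with several overlapping constraints, which is where the combination and precedence rules start to matter.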

1 Answer


You could turn off the default values and rather use a whitelist, which is safer than your blacklist approach:

<headers defaults-disabled="true">
    yourheaders...
</headers>

For fine tuning the documentation might help.

Update (exclude path completely):

<!-- Assumes the security namespace is the default and beans use the "beans:" prefix -->
<beans:bean id="optionsMatcher" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
  <beans:constructor-arg value="/**" /><beans:constructor-arg value="OPTIONS" />
</beans:bean>
<!-- security="none": empty filter chain for matched requests; needs pattern or request-matcher-ref, no children -->
<http request-matcher-ref="optionsMatcher" security="none" />
Journeycorner
  • So is it Spring adding the "Allow" header in this case? I would have thought that since OPTIONS is not whitelisted in web.xml, the request should not even get to Spring. – ashutosh Nov 15 '15 at 02:13
  • "the request should not even get to spring" - my posted code is about dealing with response headers. To ignore certain methods from Spring Security completely, see: http://stackoverflow.com/a/32722871/3698894. I added some code, not sure if it works since I am more familiar with Java configs. – Journeycorner Nov 15 '15 at 10:08
  • I have tried defaults-disabled in my Spring Security configuration and that does not help - I still get the "Allow" header in the response. I don't want the "Allow" header to be part of the response since the response has a 403 status code. – ashutosh Nov 17 '15 at 04:54
  • Also you are providing a solution in Spring Security configuration - so is your assertion that the response Allow header is being added by Spring Security? Would the security-constraint configuration in web.xml not cut off the OPTIONS request even before it reaches Spring? – ashutosh Nov 17 '15 at 04:55