I have inherited a war file that uses jetty. I want to disable HTTP methods options.
I'm not familiar with the jetty server. Please help me in disabling HTTP methods in step
That's supported by the standard Servlet spec.
Edit the war's WEB-INF/web.xml and add a security constraint against the url-patterns to reject OPTIONS method on.
Example.
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<!-- ... other configurations ... -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted HTTP Methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
</web-app>