How to disable HTTP options on Sun servers

httphttp-headerssun

Using BURP to send a

OPTIONS * HTTP/1.0

request to Sun Web Server 7.0 returns:

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Wed, 03 Feb 2010 01:05:14 GMT
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR, COPY, CONNECT, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK, ACL, REPORT, VERSION-CONTROL, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, SEARCH, SUBSCRIBE, UNSUBSCRIBE, NOTIFY, POLL, BDELETE, BCOPY, BMOVE, BPROPPATCH, BPROPFIND

and to GlassFish Enterprise Server v2.1 returns :

HTTP/1.1 200 OK
X-Powered-By: Servlet/2.5
Server: Sun GlassFish Enterprise Server v2.1
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Date: Wed, 03 Feb 2010 01:10:10 GMT

I would like to trim the HTTP options supported on both servers to something like:

Allow: GET, HEAD, POST, PUT

How to I configure both servers in order to implement this?

Best Answer

Some research gave the following:

Change the obj.conf file in the config directory of the web server instance (i.e. not the admin-server config directory) and add the "If" below.

<Object name="default">
<If $method = "TRACE" or $method = "OPTIONS">
AuthTrans fn="set-variable" error="501"
</If>
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="ntrans-j2ee" name="j2ee"

This tells the server to respond to such requests with a 501 error.

The actual response is:

HTTP/1.1 501 Not Implemented
Server: Sun-Java-System-Web-Server/7.0
Date: Mon, 22 Feb 2010 20:04:21 GMT
Content-length: 148 Content-type:
text/html Connection: close

Not Implemented

Not Implemented
This server does not implement the requested method.

Related Solutions

Apache – How to Dump Entire HTTP Requests

I think what you want instead of Apache might be a packet analyzer, Also known as a packet sniffer. Two of the most popular ones are probably TCPDump and Wireshark, both of which are free and have versions for Windows and *nix operating systems. These will show you all traffic coming in on an interface, not just what Apache sees. But you can use filters to restrict to a specified port, such as 80 for http.

tcpdump:
The following command run from the server will show you all packets destined for port 80:

sudo tcpdump -s 0 -X 'tcp dst port 80'

The capital X switch dumps the payload in hex and ASCII. The s switch with 0 means to get the whole packet. 'tcp dst port 80' means to filter and only show packets destined for port 80 in the tcp header.

Wireshark:
For the more user friendly version, if you have a GUI running, consider wireshark (formally known as ethereal).

The mandatory information a HTTP Request Header must contain

GET / HTTP/1.0 is a legal HTTP request.

If there's no Host header field, you may not get the results you were hoping for if the destination server is a virtual host that doesn't have its own IP address to distinguish itself from other virtual hosts.

HTTP 1.1 requires the Host field.

Best Answer

Not Implemented

Related Solutions

Apache – How to Dump Entire HTTP Requests

The mandatory information a HTTP Request Header must contain

Related Topic