A forbidden OPTIONS request to JBoss still receives an Allow header in the 403'd response

Solution Verified

Issue

  • We've restricted the OPTIONS method and configured a custom 403 error page in our application's WEB-INF\web.xml:
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>TRACE</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>DELETE</http-method>
            <http-method>HEAD</http-method>
          </web-resource-collection>
          <auth-constraint/>
        </security-constraint>
        <error-page>
          <error-code>403</error-code>
          <location>/403.html</location>
        </error-page>

We get a 403 response for OPTIONS requests now, but we are still seeing an Allow header in the 403'd response.
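A way to verify the behaviour described above from the outside, added here as an example and not part of the article or of JBoss EAP: it audits a response to an OPTIONS request, reporting whether the request was blocked with 403 and whether an Allow header (and which methods) is still advertised. The two sample responses are constructed, not captured from a real server, and the host, port and path used by the live check are placeholders.

```python
"""Audit a 403 response to OPTIONS for a leaked Allow header (added example)."""
import http.client
import sys

# Constructed sample responses for offline use; not captured from a real server.
LEAKY_403 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)
CLEAN_403 = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"


def parse_raw(raw):
    """Split a raw HTTP/1.x response head into (status_code, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    pairs = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip blank or malformed header lines
            pairs.append((name.strip(), value.strip()))
    return int(parts[1]), pairs


def audit(status, header_pairs):
    """Report whether OPTIONS was blocked and whether Allow still leaks the method list."""
    allow = next((v for n, v in header_pairs if n.lower() == "allow"), None)
    methods = sorted(m.strip().upper() for m in allow.split(",") if m.strip()) if allow else []
    return {"status": status, "blocked": status == 403,
            "allow_leaked": allow is not None, "advertised_methods": methods}


def audit_raw(raw):
    return audit(*parse_raw(raw))


def audit_live(host, port=8080, path="/"):
    """Send a real OPTIONS request (placeholder host/port/path) and audit the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()  # getheaders() yields (name, value) pairs, like parse_raw
    return audit(resp.status, resp.getheaders())


if __name__ == "__main__":
    for sample in (LEAKY_403, CLEAN_403):
        print(audit_raw(sample))
    if len(sys.argv) > 1:  # e.g. python audit_options.py app.example.internal
        print(audit_live(sys.argv[1]))
```

A blocked request is only fully hidden when `allow_leaked` is False; a 403 that still lists methods tells a client exactly which verbs the container supports.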

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 5.x
    • 6.x
