For security compliance, HTTP methods may need to be restricted within Wildfly. By default, only the TRACE method is disabled. The instructions below cover how to disable HEAD, TRACE and OPTIONS; however, any space-separated list of HTTP methods will also work. Running a deploy will not revert this change. Before disabling OPTIONS or HEAD, confirm that nothing in front of the server depends on them: OPTIONS is used for CORS preflight requests, and load balancers and monitoring tools often use HEAD for health checks. A request using a disallowed method is answered with 405 Method Not Allowed.
- Navigate to the following directory within your Infogix server:
  <install-dir>/wildfly/<jvm-name>/configuration
  <jvm-name> refers to the JVM/config name chosen during installation. This is commonly IA, II, IV, ER or default.
- Edit the standalone-full-ha.xml file. Make the edit with Wildfly stopped: Wildfly rewrites this file whenever its management model changes, so an edit made to a running server can be overwritten before the restart.
- Add the following property to http-listener and https-listener within the undertow subsystem:
  disallowed-methods="HEAD TRACE OPTIONS"
For example, the relevant snippet of the undertow subsystem would look similar to this:

    <subsystem xmlns="urn:jboss:domain:undertow:3.1">
        ...
        <server name="default-server">
            <ajp-listener name="ajp" socket-binding="ajp" max-post-size="0" max-parameters="10000"/>
            <http-listener name="default" socket-binding="http" max-post-size="0" max-parameters="10000" redirect-socket="https" enable-http2="true" disallowed-methods="HEAD TRACE OPTIONS"/>
            <https-listener name="https" socket-binding="https" max-post-size="0" max-parameters="10000" security-realm="ApplicationRealm" enable-http2="true" disallowed-methods="HEAD TRACE OPTIONS"/>
            <host name="default-host" alias="localhost">
                <filter-ref name="server-header"/>
                <filter-ref name="x-powered-by-header"/>
                <single-sign-on/>
            </host>
        </server>
        ...
    </subsystem>

- Restart Wildfly
- If you have multiple JVMs, then these steps will need to be repeated for each JVM directory.
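The following script is an added example (not part of this article, and not Infogix or WildFly code) that applies the steps above to every JVM directory at once and audits the result. It assumes the directory layout given above (<install-dir>/wildfly/<jvm-name>/configuration/standalone-full-ha.xml); the function names, the sample XML and the merging behaviour are this example's own. It keeps any methods a listener already disallows (WildFly's default of TRACE is merged into HEAD TRACE OPTIONS rather than duplicated), does nothing on a file that is already patched, and re-parses the file after editing to confirm it is still well-formed:

```python
"""Audit and set disallowed-methods on Undertow listeners in WildFly standalone XML.

Added example, not part of the Infogix article or of WildFly. The file layout
<install-dir>/wildfly/<jvm-name>/configuration/standalone-full-ha.xml is taken
from the article; function names and the sample XML below are this example's own.
"""
import glob
import os
import re
import sys
import xml.etree.ElementTree as ET

LISTENER_TAGS = ("http-listener", "https-listener")
DEFAULT_METHODS = ("HEAD", "TRACE", "OPTIONS")

# Constructed sample: a trimmed standalone-full-ha.xml holding only the undertow
# subsystem from the article, before the change. The http-listener carries
# WildFly's default of disallowing TRACE only; the https-listener has nothing.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:4.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:3.1">
      <server name="default-server">
        <ajp-listener name="ajp" socket-binding="ajp" max-post-size="0" max-parameters="10000"/>
        <http-listener name="default" socket-binding="http" max-post-size="0" max-parameters="10000" redirect-socket="https" enable-http2="true" disallowed-methods="TRACE"/>
        <https-listener name="https" socket-binding="https" max-post-size="0" max-parameters="10000" security-realm="ApplicationRealm" enable-http2="true"/>
        <host name="default-host" alias="localhost">
          <filter-ref name="server-header"/>
          <filter-ref name="x-powered-by-header"/>
          <single-sign-on/>
        </host>
      </server>
    </subsystem>
  </profile>
</server>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_listeners(xml_text):
    """Return {"<tag>/<name>": [disallowed methods]} for every http(s)-listener.

    Parsing rather than grepping means a commented-out listener is ignored and
    one split across several lines is still found, i.e. what WildFly will read.
    """
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter():
        if _local(el.tag) in LISTENER_TAGS:
            key = "%s/%s" % (_local(el.tag), el.get("name"))
            found[key] = el.get("disallowed-methods", "").split()
    return found


def set_disallowed_methods(xml_text, methods=DEFAULT_METHODS):
    """Return (new_xml, changed) with `methods` added to each http(s)-listener.

    Methods a listener already disallows are kept, and re-running on a patched
    file changes nothing. The edit is done on the text so namespaces, comments
    and formatting elsewhere in the file are untouched; ElementTree is used only
    to confirm the result still parses. Only self-closing listener elements, as
    in the article's snippet, are handled.
    """
    wanted = [m.upper() for m in methods]
    changed = []

    def patch(match):
        tag, attrs = match.group(1), match.group(2)
        current = re.search(r'\sdisallowed-methods="([^"]*)"', attrs)
        have = current.group(1).split() if current else []
        merged = wanted + [m for m in have if m not in wanted]
        if set(merged) == set(have):
            return match.group(0)  # already disallows everything requested
        name = re.search(r'\sname="([^"]*)"', attrs)
        changed.append("%s/%s" % (tag, name.group(1) if name else "?"))
        new_attr = ' disallowed-methods="%s"' % " ".join(merged)
        if current:
            attrs = attrs[:current.start()] + new_attr + attrs[current.end():]
        else:
            attrs = attrs + new_attr
        return "<%s%s/>" % (tag, attrs)

    pattern = re.compile(r'<(https?-listener)((?:\s+[\w:-]+="[^"]*")*)\s*/>')
    new_xml = pattern.sub(patch, xml_text)
    ET.fromstring(new_xml)  # raises if the edit broke well-formedness
    return new_xml, changed


def patch_all_jvms(install_dir, methods=DEFAULT_METHODS):
    """Apply the change to every <install-dir>/wildfly/<jvm-name>/configuration file."""
    results = {}
    pattern = os.path.join(install_dir, "wildfly", "*", "configuration", "standalone-full-ha.xml")
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            original = fh.read()
        new_xml, changed = set_disallowed_methods(original, methods)
        if changed:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(new_xml)
        results[path] = changed
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python disallow_methods.py <install-dir>
        for path, changed in patch_all_jvms(sys.argv[1]).items():
            print(path, "updated: " + ", ".join(changed) if changed else "already set")
    else:  # no argument: demonstrate on the constructed sample
        patched, changed = set_disallowed_methods(SAMPLE_XML)
        print("changed:", changed)
        print(audit_listeners(patched))
```

Run it with Wildfly stopped and the install directory as its argument, then restart each JVM. To verify the running server, `curl -s -o /dev/null -w '%{http_code}\n' -X TRACE http://localhost:8080/` (adjust host and port) should print 405 for every disallowed method and a normal status for GET. The same attribute can also be set without touching the file, through jboss-cli.sh, with `/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=disallowed-methods,value=[HEAD,TRACE,OPTIONS])` and the equivalent for `https-listener=https`; that path persists the change through the management model and needs a reload rather than a file edit.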