This issue exists in 9.0.88 and 10.1.23. I am looking to disable the following HTTP request (note 'OPTIONS *' in the request):
$ curl -v --request-target "*" -X OPTIONS http://<host>:<port><http://%3chost%3e:%3cport%3e> * Rebuilt URL to: <host>:<port>/<http://10-222-42-223.ssnc-corp.cloud:31211/> * Trying <ip>... * TCP_NODELAY set * Connected to <host> (<ip>) port <port> (#0) > OPTIONS * HTTP/1.1 > Host: <host>:<port> > User-Agent: curl/7.61.1 > Accept: */* I don't seem to be able to disable this OPTIONS request in Tomcat. The following configuration doesn't work either: <deny-uncovered-http-methods /> <!-- The below configuration permits only GET and POST HTTP methods --> <security-constraint> <web-resource-collection> <web-resource-name>Available HTTP methods</web-resource-name> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> </security-constraint> The above section properly disables OPTIONS request to '/' path, but not to '*' path. In fact, the Tomcat response is that all methods are allowed: $ curl -v --request-target "*" -X OPTIONS http://<host>:<port><http://%3chost%3e:%3cport%3e> * Rebuilt URL to: http://<host>:<port>/<http://%3chost%3e:%3cport%3e/> % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying <ip>... * TCP_NODELAY set * Connected to <host> (<ip>) port <port> (#0) > OPTIONS * HTTP/1.1 > Host: <host>:<port> > User-Agent: curl/7.61.1 > Accept: */* > < HTTP/1.1 200 < Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS < Content-Length: 0 < Date: Tue, 30 Apr 2024 18:49:07 GMT < 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 * Connection #0 to host <host> left intact Note that it is impossible to put '*' as URL pattern - Tomcat fails to start complaining that '*' is not a valid url pattern. Please confirm if this is a bug in Tomcat or if I am missing something in Tomcat configuration. Thanks, Oleg Frenkel SS&C Technologies Inc Lead Software Engineer ofren...@sscinc.com<mailto:ofren...@sscinc.com> | www.ssctech.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ssctech.com_&d=DwMGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=H1E6BDt7udWrYMy7FYNqgq8v_e8Ouh5Im7HEUfGqRTU&m=2Vd_Lk6IeTWiXmGUawzSAORwx6rTi3hj7DxHIhGhgmo&s=wstOGdtl7UtrxUl5TBYyTeMOl5xYLMRGr8EnUkZtGsU&e=>