Hello
Does anyone know how to configure the HTTP DELETE method to return "Forbidden" on the HANA sapwebdispatcher?
For example, due to a security vulnerability, HTTP DELETE should be disallowed. We have tried editing the file sapwebdisp.pfl and added the line:
# Modification of HTTP Requests
icm/HTTP/mod_0 = PREFIX=/,FILE= /sapmnt/HDD/global/security/icm_filter_rules.txt
The icm_filter_rules.txt entry is as below:
# check for forbidden method
if %{REQUEST_METHOD} !stricmp "GET" [AND]
if %{REQUEST_METHOD} !stricmp "POST"
RegForbiddenUrl ^/(.*) -
Restarted the HANA DB.
The above configuration was done with reference to http://help.sap.com/saphelp_nwpi71/helpdata/en/48/9266ffaa6b17cee10000000a421937/content.htm.
Sadly when testing/checking this configuration, we see:
# curl --head -X DELETE http://<server>:8000
HTTP/1.1 200 OK
set-cookie: xsSessionId=EFA2BA34B8556E4781A887F387FEE070; path=/; HttpOnly
content-type: text/html
content-length: 12227
cache-control: no-cache
The desired outcome is:
# curl --head -X DELETE http://<server>:8000
HTTP/1.1 403 Forbidden
date: Fri, 05 Oct 2012 23:01:11 GMT
connection: close
content-type: text/html
server: SAP NetWeaver Application Server 8.02 / ICM 8
Any ideas?
Thanks
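
A check for the policy the post is after (only GET and POST pass, every other method gets 403), covering more methods than the single DELETE test. This is an added example, not part of the original post and not SAP code. The stub server, the loopback host/port and the list of probed methods are constructed assumptions so the check runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED = {"GET", "POST"}  # the only methods the rule in the post lets through
PROBED = ["GET", "POST", "DELETE", "PUT", "OPTIONS", "TRACE", "PATCH"]  # assumed list

def probe(host, port, method, path="/", timeout=5):
    """Send one request with the given method and return the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        return conn.getresponse().status
    finally:
        conn.close()

def audit(host, port, methods=PROBED):
    """Return {method: (status, ok)}; ok is True when the policy held."""
    results = {}
    for method in methods:
        status = probe(host, port, method)
        ok = (status != 403) if method in ALLOWED else (status == 403)
        results[method] = (status, ok)
    return results

class StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the server under test; not SAP code."""
    filtering = True  # False reproduces the unfiltered 200 OK behaviour
    def _answer(self):
        allowed = self.command in ALLOWED or not self.filtering
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_POST = do_DELETE = do_PUT = _answer
    do_OPTIONS = do_TRACE = do_PATCH = _answer
    def log_message(self, *args): pass  # keep the audit output clean

def start_stub(filtering):
    """Start the stub on a free loopback port in a background thread."""
    handler = type("Handler", (StubHandler,), {"filtering": filtering})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    server = start_stub(filtering=False)  # mimics the 200 OK result above
    for method, (status, ok) in audit("127.0.0.1", server.server_port).items():
        print(f"{method:8} {status} {'ok' if ok else 'POLICY VIOLATION'}")
    server.shutdown()
```

Against a real system, call `audit()` with the dispatcher's host and port instead of the stub's.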