How to disable OPTIONS method or at least have it report correct Allow
We have several customers who are paranoid about their security and are running vulnerability tests against our application, which is using Glassfish v3.0.1. They are complaining that methods like 'OPTIONS / HTTP/1.0' are showing that all the methods (GET, POST, PUT, DELETE, TRACE, OPTIONS) are allowed.
In reality TRACE is disabled via the attribute trace-enabled="false".
And the PUT and DELETE methods appear to be magically disabled.
But to satisfy these folks I really need to either have OPTIONS report the correct "Allows" or have OPTIONS disabled.
I have tried using the following constraint, which points to a non-existent role, in my default-web.xml file, but it appears to have no effect.
Any clues, suggestions, pointers?
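
Added example, not part of the original post: a check that compares what OPTIONS advertises in `Allow` with how the server actually answers each method, which is the discrepancy described above. The `REFUSED` status set, the default port 8080 and the sample values are assumptions; the sample data is constructed to mirror the post, not captured from a server.

```python
import http.client

# Assumption: these statuses mean the server refuses the method itself
# (403 is what an unsatisfiable auth-constraint typically returns).
REFUSED = {403, 405, 501}

def parse_allow(value):
    """Split an Allow header value into a set of upper-case method names."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}

def compare(allow_header, probe_status):
    """Compare the advertised Allow list with observed per-method statuses.

    probe_status maps a method name to the status code seen for that method.
    """
    advertised = parse_allow(allow_header)
    refused = {m.upper() for m, s in probe_status.items() if s in REFUSED}
    accepted = {m.upper() for m in probe_status} - refused
    return {
        "advertised_but_refused": sorted(advertised & refused),
        "accepted_but_unadvertised": sorted(accepted - advertised),
        # Advertised methods that were not refused when probed.
        "effective_allow": ", ".join(sorted(advertised - refused)),
    }

def probe(host, port=8080, path="/",
          methods=("GET", "POST", "PUT", "DELETE", "TRACE")):
    """Collect the Allow header and per-method statuses from your own test instance."""
    def send(method):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()
            return resp.status, resp.getheader("Allow", "")
        finally:
            conn.close()
    _, allow = send("OPTIONS")
    return allow, {m: send(m)[0] for m in methods}

if __name__ == "__main__":
    # Constructed sample mirroring the situation in the post, not real output.
    allow = "GET, POST, PUT, DELETE, TRACE, OPTIONS"
    statuses = {"GET": 200, "POST": 200, "PUT": 403, "DELETE": 403, "TRACE": 405}
    for key, value in compare(allow, statuses).items():
        print(f"{key}: {value}")
```

The `advertised_but_refused` list is the evidence to hand a scanner operator when `Allow` overstates what the server accepts.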