13

I'm working on a project of RESTful web services; I'm using Apache Tomcat and JAX-RS.

I want to accept DELETE requests from the client, but whenever I send a DELETE request from the Advanced REST client Chrome plugin it gives response code 403 Forbidden.

So how can I make Apache Tomcat accept DELETE requests?

1
  • 1
    Yeah, I am having the same issues with my setup. I've tried setting the default Servlet to readOnly = false but it's still not helping. For now I've resorted to just using POST + GET. Commented Jun 17, 2014 at 20:49

5 Answers 5

14

Tomcat was blocking DELETE methods for me because of my CORS filters.

I needed new filters registered in my web.xml file. Here's an example of a very permissive one:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Accept,Accept-Encoding,Accept-Language,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,Connection,Content-Type,Host,Origin,Referer,Token-Id,User-Agent, X-Requested-With</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET, POST, PUT, DELETE, OPTIONS, HEAD</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

3

One more suggestion, double check the URL of your call and make sure it points to your intended servlet.

I got the same error when I mistyped a service URL in my code. I had api/roles/Service/roles when I needed api/rolesService/roles; fixing the typo resolved the error. You would expect a 404, but with DELETE on Tomcat, you get a 403.

1 Comment

Exactly same issue. This saved my day!
2

Here are the reasons why you can get a 403 Forbidden from Tomcat for a DELETE request:

On each HTTP DELETE request processed by this servlet, the following processing shall be performed:

  • If modifications to the static resources are not allowed (set by a configuration parameter), return HTTP status 403 (forbidden).

  • If an attempt is made to delete a resource from /META-INF or /WEB-INF, return HTTP status 403 (forbidden).

  • If the requested resource does not exist, return HTTP status 404 (not found).

  • Unbind the resource from the directory context containing the static resources for this web application. If successful, return HTTP status 204 (no content). Otherwise, return HTTP status 405 (method not allowed).

Source: http://tomcat.apache.org/tomcat-5.5-doc/catalina/funcspecs/fs-default.html

Make sure you adhere to the Tomcat specifications to avoid any problem.

2 Comments

The question mentions JAX-RS, so why does this matter?
@mthmulders JAX-RS or any other web service framework sits behind the Tomcat request interceptor. If Tomcat is rejecting the requests at the container level, your JAX-RS code will not be executed.
0

To enable other HTTP methods in Tomcat, configure in web.xml:

<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>

Parameters debug and listings are loaded by default in Tomcat, while the default readonly is true, meaning that only GET and POST are available.

Other params available are:

  • debug: Debugging detail level for messages logged by this servlet. [0]
  • fileEncoding: Encoding to be used to read static resources [platform default]
  • input: Input buffer size (in bytes) when reading resources to be served. [2048]
  • listings: Should directory listings be produced if there is no welcome file in this directory? [false] WARNING: Listings for directories with many entries can be slow and may consume significant proportions of server resources.
  • output: Output buffer size (in bytes) when writing resources to be served. [2048]
  • readonly: Is this context "read only", so HTTP commands like PUT and DELETE are rejected? [true]
  • readmeFile: File to display together with the directory contents. [null]
  • sendfileSize: If the connector used supports sendfile, this represents the minimal file size in KB for which sendfile will be used. Use a negative value to always disable sendfile. [48]
  • useAcceptRanges: Should the Accept-Ranges header be included in responses where appropriate? [true]

3 Comments

Maybe something wrong with your environment. It works not only for me but for others who vote me up. Why did you vote me down?
I've solved my problem, turns out I didn't really send a DELETE request.
To all reading this answer. You should NOT set readonly to false in the default servlet to enable PUT and DELETE requests against your REST API. This allows unauthenticated users to upload and delete files and leads to a severe Remote code execution (RCE) vulnerability in Tomcats released before October 2017: alphabot.com/security/blog/2017/java/…
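As an added example (not part of any answer above and not Tomcat's own code): a small Python check that scans a web.xml for the two settings discussed on this page, a DefaultServlet with readonly set to false and a CorsFilter whose cors.allowed.origins is *. The sample web.xml strings and the origin https://app.example.com are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
CORS_FILTER = "org.apache.catalina.filters.CorsFilter"

def _local(tag):
    # Drop an XML namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    # Text of the first direct child called `name`, or "" if absent
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def _init_params(elem):
    return {_text(p, "param-name"): _text(p, "param-value")
            for p in elem if _local(p.tag) == "init-param"}

def audit_web_xml(xml_text):
    """Return findings for a trusted, local web.xml given as a string."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        kind, params = _local(elem.tag), _init_params(elem)
        if kind == "servlet" and _text(elem, "servlet-class") == DEFAULT_SERVLET:
            # readonly defaults to true when the parameter is not set
            if params.get("readonly", "true").lower() == "false":
                findings.append("DefaultServlet readonly=false: PUT and DELETE "
                                "are accepted for static resources")
        elif kind == "filter" and _text(elem, "filter-class") == CORS_FILTER:
            origins = [o.strip() for o in params.get("cors.allowed.origins", "").split(",")]
            if "*" in origins:
                findings.append("CorsFilter cors.allowed.origins=*: every origin is allowed")
    return findings

# Constructed sample input, not taken from a real deployment
RISKY = """<web-app>
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <filter><filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>*</param-value></init-param>
  </filter>
</web-app>"""
HARDENED = RISKY.replace(">false<", ">true<").replace(">*<", ">https://app.example.com<")

if __name__ == "__main__":
    for finding in audit_web_xml(RISKY):
        print(finding)
```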
0

Thank you, it worked with the SERVLET segment adding the readonly parameter (as Moesio explained)! In addition, I removed DELETE from the original code posted, so I left it like this:

<init-param>
  <param-name>cors.allowed.methods</param-name>
  <param-value>GET, POST, PUT, OPTIONS, HEAD</param-value>
</init-param>

I am working with IONIC 5 using this.http.delete request.
