Summary: this page explains how to modify your Apache Tomcat application server (and other web applications) to disable insecure HTTP methods, such as webdav, to prevent modification of CAST dashboard pages.

Introduction

Some Apache Tomcat installations and/or web applications may be configured to use a servlet called org.apache.catalina.servlets.WebdavServlet (see https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/servlets/WebdavServlet.html) to provide webdav access to resources. Although this is a legitimate access method, if you prefer to ensure that no resources (i.e. pages) can be modified via webdav, you need to ensure that the servlet is disabled.

Disabling the webdav servlet

The webdav servlet can be configured at global Tomcat level or in individual web applications, therefore you need to check both to ensure that webdav access is fully disabled. To do so, search the web.xml files in these locations for the presence of the org.apache.catalina.servlets.WebdavServlet:

If any occurrences are found, you can disable the servlet by placing the entire servlet configuration in comments, for example:

<!--
 <servlet>
  <servlet-name>webdav</servlet-name>
  <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>webdav</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>
-->

Following any changes you make to any web.xml configuration files, save the files and then restart your application server so that the changes are taken into account.

Disabling the webdav servlet will, of course, prevent access to resources via webdav, therefore you may need to warn users actively using this access method that it is being disabled.