Index: src/main/java/org/apache/hadoop/hbase/rest/Main.java
===================================================================
--- src/main/java/org/apache/hadoop/hbase/rest/Main.java (revision 1564930)
+++ src/main/java/org/apache/hadoop/hbase/rest/Main.java (working copy)
@@ -31,6 +31,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseConfiguration;
 import org.apache.hadoop.hbase.client.UserProvider;
+import org.apache.hadoop.hbase.util.HttpServerUtil;
 import org.apache.hadoop.hbase.rest.filter.GzipFilter;
 import org.apache.hadoop.hbase.security.User;
 import org.apache.hadoop.hbase.util.InfoServer;
@@ -198,6 +199,7 @@
 context.addServlet(shPojoMap, "/status/cluster");
 context.addServlet(sh, "/*");
 context.addFilter(GzipFilter.class, "/*", 0);
+ HttpServerUtil.constrainHttpMethods(context);
 // Put up info server.
 int port = conf.getInt("hbase.rest.info.port", 8085);
@@ -213,4 +215,4 @@
 server.start();
 server.join();
 }
-}
\ No newline at end of file
+}
Index: src/main/java/org/apache/hadoop/hbase/util/HttpServerUtil.java
===================================================================
--- src/main/java/org/apache/hadoop/hbase/util/HttpServerUtil.java (revision 0)
+++ src/main/java/org/apache/hadoop/hbase/util/HttpServerUtil.java (working copy)
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.util;
+
+import org.mortbay.jetty.security.Constraint;
+import org.mortbay.jetty.security.ConstraintMapping;
+import org.mortbay.jetty.security.SecurityHandler;
+import org.mortbay.jetty.servlet.Context;
+
+/**
+ * HttpServer utility.
+ */
+public class HttpServerUtil {
+ /**
+ * Add constraints to a Jetty Context to disallow undesirable Http methods.
+ * @param context The context to modify
+ */
+ public static void constrainHttpMethods(Context context) {
+ Constraint c = new Constraint();
+ c.setAuthenticate(true);
+
+ ConstraintMapping cmt = new ConstraintMapping();
+ cmt.setConstraint(c);
+ cmt.setMethod("TRACE");
+ cmt.setPathSpec("/*");
+
+ ConstraintMapping cmo = new ConstraintMapping();
+ cmo.setConstraint(c);
+ cmo.setMethod("OPTIONS");
+ cmo.setPathSpec("/*");
+
+ SecurityHandler sh = new SecurityHandler();
+ sh.setConstraintMappings(new ConstraintMapping[]{ cmt, cmo });
+
+ context.addHandler(sh);
+ }
+}
\ No newline at end of file
Index: src/main/java/org/apache/hadoop/hbase/util/InfoServer.java
===================================================================
--- src/main/java/org/apache/hadoop/hbase/util/InfoServer.java (revision 1564930)
+++ src/main/java/org/apache/hadoop/hbase/util/InfoServer.java (working copy)
@@ -90,6 +90,7 @@
 logsContextPath);
 logContext.setResourceBase(logDir);
 logContext.addServlet(DefaultServlet.class, "/");
+ HttpServerUtil.constrainHttpMethods(logContext);
 defaultContexts.put(logContext, true);
 }
 }
Index: src/test/java/org/apache/hadoop/hbase/rest/HBaseRESTTestingUtility.java
===================================================================
--- src/test/java/org/apache/hadoop/hbase/rest/HBaseRESTTestingUtility.java (revision 1564930)
+++ src/test/java/org/apache/hadoop/hbase/rest/HBaseRESTTestingUtility.java (working copy)
@@ -27,6 +27,7 @@
 import org.mortbay.jetty.Server;
 import org.mortbay.jetty.servlet.Context;
 import org.mortbay.jetty.servlet.ServletHolder;
+import org.apache.hadoop.hbase.util.HttpServerUtil;
 import com.sun.jersey.spi.container.servlet.ServletContainer;
@@ -68,6 +69,7 @@
 Context context = new Context(server, "/", Context.SESSIONS);
 context.addServlet(sh, "/*");
 context.addFilter(GzipFilter.class, "/*", 0);
+ HttpServerUtil.constrainHttpMethods(context);
 // start the server
 server.start();
 // get the port
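Review bot: In HttpServerUtil.java, `c.setAuthenticate(true)` reads as "require a login", while the javadoc says the methods are disallowed, and nothing in the file explains the gap. The block appears to rely on Jetty treating an authenticate-only constraint with no roles as forbidden, which is worth confirming against the Jetty version in use. Add a comment above that line such as `// No roles are set on purpose: Jetty treats an authenticate-only constraint without roles as "forbidden".` so that a later change adding a role or a login service does not quietly re-enable TRACE and OPTIONS. The javadoc should also name the two methods and say that every other method is left unconstrained, since this is a block list and not an allow list.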
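Review bot: In InfoServer.java only `logContext` receives the constraint; any other contexts the info server registers are created outside this hunk, so it is not visible whether TRACE and OPTIONS are refused for them as well. If they are covered elsewhere, a comment next to the call would record it, for example `// Only the logs context is constrained here; the remaining contexts are handled in <where, to be filled in>.`; if they are not, the same call belongs where those contexts are set up. The enclosing method starts and ends outside the hunk.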
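Review bot: HBaseRESTTestingUtility.java now installs the constraint on the test REST server, but nothing in this patch asserts that it takes effect. A test that sends TRACE and OPTIONS to the mini server and checks for an error status, while a GET on the same path still succeeds, would catch a regression if the handler ordering or the constraint semantics change. The enclosing method continues outside the hunk.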