How to make Apache Tomcat accept DELETE method

Asked 25/7, 2013 at 9:16 Answered 27/11, 2021 at 17:48

java tomcat7 jax-rs http-status-code-403 http-delete

I'm working on a project of RESTful web services, i'm using Apache Tomcat and JAX-RS.

I want to accept DELETE requests from client but whenever i send a DELETE request from Advanced REST client Chrome plugin it gives response code 403 Forbidden.

So how can i make Apche Tomcat accept DELETE request?

Surrejoinder answered 25/7, 2013 at 9:16 Comment(1)

Yea i am having the same issues with my setup. I've tried setting the default Servlet to readOnly = false but it's still not helping. For now I've resorted to just using POST + GET – Incommensurable 17/6, 2014 at 20:49

Tomcat was blocking DELETE methods for me because of my CORS filters.

I needed new filters registered in my web.xml file. Here's an example of a very permissive one:

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Accept,Accept-Encoding,Accept-Language,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,Connection,Content-Type,Host,Origin,Referer,Token-Id,User-Agent, X-Requested-With</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET, POST, PUT, DELETE, OPTIONS, HEAD</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Halation answered 21/8, 2014 at 21:35 Comment(0)

One more suggestion, double check the URL of your call and make sure it points to your intended servlet.

I got the same error when I mistyped a service URL in my code. I had api/roles/Service/roles when I needed api/rolesService/roles, fixing the typo resolved the error.You would expect a 404, but with DELETE on Tomcat, you get a 403.

Banal answered 11/1, 2016 at 9:13 Comment(1)

Exactly same issue. This saved my day! – Thereunder 17/7, 2020 at 4:34

Here are the reasons why you can get a 403 Forbidden from Tomcat for a DELETE request:

On each HTTP DELETE request processed by this servlet, the following processing shall be performed:

If modifications to the static resources are not allowed (set by a configuration parameter), return HTTP status 403 (forbidden).

If an attempt is made to delete a resource from /META-INF or /WEB-INF, return HTTP status 403 (forbidden).

If the requested resource does not exist, return HTTP status 404 (not found)

Unbind the resource from the directory context containing the static resources for this web application. If successful, return HTTP status 204 (no content). Otherwise, return HTTP status 405 (method not allowed).

Source: http://tomcat.apache.org/tomcat-5.5-doc/catalina/funcspecs/fs-default.html

Make sure you adhere to the tomcat specifications to avoid any problem.

Garth answered 25/7, 2013 at 9:19 Comment(2)

The question mentions JAX-RS, so why does this matter? – Subcortex 25/7, 2013 at 9:21

@Subcortex JAXRS or any other web service frameworks sits behind the tomcat request interceptor. If tomcat is rejecting the requests from the container level, your jaxrs code will not be executed. – Garth 25/7, 2013 at 9:26

To enable other http methods in tomcat, configure in web.xml

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

Parameters debug and listings are loaded by default in tomcat, while the default readonly is true, meaning that only GET and POST are available.

Other params available are:

     debug               Debugging detail level for messages logged     
                         by this servlet.  [0]                          

     fileEncoding        Encoding to be used to read static resources   
                         [platform default]                             

     input               Input buffer size (in bytes) when reading      
                         resources to be served.  [2048]                

     listings            Should directory listings be produced if there 
                         is no welcome file in this directory?  [false] 
                         WARNING: Listings for directories with many    
                         entries can be slow and may consume            
                         significant proportions of server resources.   

     output              Output buffer size (in bytes) when writing     
                         resources to be served.  [2048]                

     readonly            Is this context "read only", so HTTP           
                         commands like PUT and DELETE are               
                         rejected?  [true]                              

     readmeFile          File to display together with the directory    
                         contents. [null]                               

     sendfileSize        If the connector used supports sendfile, this  
                         represents the minimal file size in KB for     
                         which sendfile will be used. Use a negative    
                         value to always disable sendfile.  [48]        

     useAcceptRanges     Should the Accept-Ranges header be included    
                         in responses where appropriate? [true]

Harmonicon answered 27/9, 2014 at 1:33 Comment(3)

Maybe something wrong with your environment. It works not only for me but for others who vote me up. Why did you vote me down? – Harmonicon 9/6, 2015 at 13:40

I've solved my problem, turns out I didn't really send a DELETE request. – Corrasion 9/6, 2015 at 13:45

To all reading this answer. You should NOT set readonly to false in the default servlet to enable PUT and DELETE requests against your REST API. This allows unauthenticated users to upload and delete files and leads to a severe Remote code execution (RCE) vulnerability in Tomcats released before October 2017: alphabot.com/security/blog/2017/java/… – Hatti 4/10, 2017 at 18:1

Thank you, it worked with the SERVLET segment adding the readonly parameter! (as Moesio explained) In addition to, I removed DELETE from original code posted, so, I left it like next:

<init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET, POST, PUT, OPTIONS, HEAD</param-value>
</init-param>

I am working with IONIC 5 using this.http.delete request.

Cooperman answered 27/11, 2021 at 17:48 Comment(0)

Recommended topics

Hot tags