Our organization also has the same concern about our JBoss App Server. When they perform a scan, they see several HTTP methods listed in the Allow header that they don't like.
Our application does not use most of these and we have restricted access using a security-constraint section in our web.xml. The problem is, the Allow header is not being generated based on the contents of the web.xml.
Tomcat uses reflection to determine which methods are present in the servlet and builds the Allow header from that (this is getServletMethods in the org.apache.catalina.core.StandardWrapper class).
The question is, which servlet does it query? Well, it depends on which resource is being queried. In my case, the scan just hits the root of the server. If you are checking the root of the server (i.e. TRACE / HTTP/1.0) you are most likely hitting the default servlet which is defined in conf/web.xml in your Tomcat install.
To change the output, one option is to use another servlet as the default servlet. Since we do not really use the default servlet, I just wrote another servlet which does not use these methods.
This servlet extends GenericServlet and just has a doGet and a doPost for the HTTP methods. Now when we do a scan, all we see is this:
If you want to keep the default servlet, or you need to do this for more than just the root, then using a valve is probably the best thing. If you don't need the default servlet, then this is a pretty quick and easy fix.
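The replacement servlet described in the post above, written out as an added example (this is not the poster's code, and the class name `MinimalDefaultServlet` and its plain-text response bodies are my own choices). It extends `GenericServlet`, so it must route requests itself in `service()`; it declares only `doGet` and `doPost`, refuses every other method with 405, and sends an explicit `Allow` header so the advertised method list is fixed in the code rather than derived from whatever the container's default servlet happens to implement:

```java
import java.io.IOException;
import javax.servlet.GenericServlet;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Minimal stand-in for the container's default servlet (added example).
 * Only GET, HEAD, POST and OPTIONS are handled; PUT, DELETE, TRACE and
 * anything else get a 405 with an explicit Allow header.
 */
public class MinimalDefaultServlet extends GenericServlet {

    // The only methods this servlet is willing to advertise.
    private static final String ALLOWED = "GET, HEAD, POST, OPTIONS";

    @Override
    public void service(ServletRequest req, ServletResponse res)
            throws ServletException, IOException {
        // GenericServlet does not dispatch by HTTP method, so do it here.
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        switch (request.getMethod()) {
            case "GET":
                doGet(request, response);
                break;
            case "HEAD":
                // Same headers as GET, no body.
                response.setContentType("text/plain;charset=UTF-8");
                response.setStatus(HttpServletResponse.SC_OK);
                break;
            case "POST":
                doPost(request, response);
                break;
            case "OPTIONS":
                response.setHeader("Allow", ALLOWED);
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                break;
            default:
                // PUT, DELETE, TRACE, PATCH, ... are refused outright.
                response.setHeader("Allow", ALLOWED);
                response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        }
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().print("OK");
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().print("OK");
    }
}
```

To make it take over the root, declare it in the application's own web.xml with a `<servlet-mapping>` whose `<url-pattern>` is `/`; that mapping overrides the default servlet from conf/web.xml for that web application only, which is why the post recommends a valve instead when the change has to cover more than the root or more than one application. After deploying, verify with an OPTIONS request against `/` that the `Allow` header now lists only the methods above.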