# [Java]如何用黑名單限制HTTP Method ###### tags: `Java` `web.xml` 到web.xml設定加入以下片段 *概念是允許沒有人可以使用列表中的method* ``` <security-constraint> <web-resource-collection> <url-pattern>/*</url-pattern> <http-method>PUT</http-method> <http-method>DELETE</http-method> <http-method>HEAD</http-method> <http-method>OPTIONS</http-method> <http-method>TRACE</http-method> </web-resource-collection> <auth-constraint> </auth-constraint> </security-constraint> ``` web module3.0之後可以用正向寫法 ``` <security-constraint> <web-resource-collection> <web-resource-name>forbidanMethod</web-resource-name> <url-pattern>/*</url-pattern> <http-method-omission>GET</http-method-omission> <http-method-omission>POST</http-method-omission> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint> ```