I am fixing some old defects and as part of one defect, I need to make sure that some requests are only POSTed to the JSP page instead of being sent as a GET request. The application has a form which submits data to another JSP page (I know it's wrong and against MVC, but too late to fix it). Since it is a JSP page, we can POST the request or else we can GET the request. A malicious user can read the form and send the request as a GET from the browser, like http://host:80/somejsp.jsp?param=value&param=value etc. In that case, it becomes a violation. I need to make sure that such GET requests are not processed. One way to do it is to perform the below steps in the JSP page:
<%
    if (request.getMethod().equals("GET")) {
        // reroute the user as it is not a valid req
    }
%>
Is there any other way to do it?
The simplest one is to move all those pages to the WEB-INF folder, which users can't access from the URL. It also means you only allow users to access servlet actions and completely forbid users from accessing JSP pages directly. Go here for example.
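To make the WEB-INF approach concrete, here is an added example (not code from the question or the answer) of a servlet that is the only public entry point for the form: the JSP itself lives under /WEB-INF, where the container never serves it directly, and the servlet forwards to it only on POST. The servlet name, URL mapping, view path and the parameter name are all assumed for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet that replaces the public somejsp.jsp as the form target.
@WebServlet("/somejsp")
public class SomeJspServlet extends HttpServlet {

    // Anything under /WEB-INF is invisible to browsers, so this JSP can only be
    // reached through a server-side forward from this servlet.
    private static final String VIEW = "/WEB-INF/jsp/somejsp.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // A GET of the same URL (for example a hand-built query string) is refused
        // outright; nothing is processed and nothing is forwarded to the view.
        resp.setHeader("Allow", "POST");
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Do here whatever the old JSP did with the submitted form, then hand the
        // result to the view. "param" is an assumed form field name.
        String value = req.getParameter("param");
        req.setAttribute("param", value);
        req.getRequestDispatcher(VIEW).forward(req, resp);
    }
}
```

HttpServlet's inherited doGet already answers 405 when a subclass does not override it; the explicit override simply documents the intent and adds the Allow header. The old public somejsp.jsp must actually be moved (or deleted), because a copy left in the web root stays reachable by URL regardless of what the servlet does.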
Two solutions:

1. Add a <security-constraint> with an empty <auth-constraint> on an <url-pattern> of *.jsp and an <http-method> of GET, which will block GET requests on JSP files for everyone (as suggested by McDowell):
<security-constraint>
    <display-name>Restrict GET requests on JSP files</display-name>
    <web-resource-collection>
        <web-resource-name>JSP files</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
2. Create a Filter which listens on an <url-pattern> of *.jsp and does basically the following in the doFilter() method:
if (((HttpServletRequest) request).getMethod().equals("GET")) {
    ((HttpServletResponse) response).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
} else {
    chain.doFilter(request, response);
}
No need to copy-paste the same over all JSP pages, which would only be prone to "IllegalStateException: response already committed" errors.