Why does KNIME use the HTTP DELETE method?

Hello,

By forwarding KNIME via Apache httpd and disabling the DELETE method to prevent malicious attacks on the web server, the user cannot log out when logged into the web portal.

Which approach is suitable in the configuration of Apache httpd or KNIME Server to allow logging off while not allowing the deletion of any web server content?

Greetings B.Kochs

1 Like

Hello @b_kochs,
The HTTP DELETE method is used by web servers to allow deletion of resources. For normal operation of KNIME Server, such delete actions are normal, as users with write access to certain repository resources should be able to delete workflows, data, schedules, jobs, etc. Internally, the server might also use DELETE requests, e.g. for deleting a session and therefore logging out a user, as you have already found out. Blanket blocking all DELETE requests is therefore not recommended. Instead, I suggest regular backups and minimum write permissions granted to users on repository items in KNIME Server. DELETE requests for repository items are always authenticated, so the user sending such a request needs to have explicit write permissions in order to successfully delete something.

If you still want to block delete requests to avoid any deletion of repository content, you should limit this to the /knime/rest/v4/repository path of the KNIME Server. That way only the deletion of repository content is disabled, but you will still be able to log out, because that is a delete request to the session endpoint.

Kind regards,
Alexander

3 Likes
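The scoping suggested in the reply above, written as an Apache httpd 2.4 reverse-proxy fragment. This is an added example, not configuration from the thread or from KNIME's documentation. The backend address `http://127.0.0.1:8080/knime` and the `/knime` mount point are assumptions; only the `/knime/rest/v4/repository` path comes from the reply.

```apache
# Assumed reverse-proxy mapping (backend host and port are placeholders;
# adjust them to your KNIME Server installation).
ProxyPass        "/knime" "http://127.0.0.1:8080/knime"
ProxyPassReverse "/knime" "http://127.0.0.1:8080/knime"

# Too broad: denying DELETE everywhere also rejects the DELETE request
# to the session endpoint, so web portal users can no longer log out.
# Shown commented out for comparison only.
#<Location "/">
#    <Limit DELETE>
#        Require all denied
#    </Limit>
#</Location>

# Scoped: deny DELETE only below the repository REST path.
# Workflows, data and other repository items can then not be deleted
# through the proxy, while DELETE requests to other paths (including
# the session endpoint used for logout) still reach KNIME Server.
<Location "/knime/rest/v4/repository">
    <Limit DELETE>
        Require all denied
    </Limit>
</Location>
```

With this in place, a DELETE request to a path under `/knime/rest/v4/repository` is answered by httpd with 403 and never reaches the backend. Run `apachectl configtest` before reloading to confirm the syntax.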
