The HTTP specification includes request methods other than the standard GET and POST. A standards-compliant web server may respond to these alternative methods in ways developers did not anticipate.
How to solve it
The right approach to securing a Java EE application is to remove all the <http-method> elements from the policy, which applies the rule to all HTTP methods. If you still want to restrict access to a specific method, you need to set up two policies as detailed below.
The first policy denies access to GET requests and the second policy denies all requests.
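
The following web.xml fragment is an added example, not configuration from the original page. It shows the method-listing constraint that leaves other methods uncovered, then both fixes described above. The URL patterns, resource names and the role name "admin" are assumptions, and the matching <security-role> and <login-config> entries are left out.

```xml
<!-- Constructed web.xml fragment. URL patterns, resource names and the role
     name "admin" are assumptions made for this example. -->

<!-- WEAK: only the listed methods are covered. A request using any other
     method matches no constraint and is not subject to the role check.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin-area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint>
-->

<!-- FIX 1: no <http-method> elements, so the rule applies to every method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin-area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint>

<!-- FIX 2: two policies when the rule must be method-specific.
     Policy 1 limits GET on /reports/* to the admin role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>reports-get</web-resource-name>
    <url-pattern>/reports/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint>
<!-- Policy 2: an empty <auth-constraint/> denies everyone; the omission
     (Servlet 3.0+) makes it cover every method except GET. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>reports-other-methods</web-resource-name>
    <url-pattern>/reports/*</url-pattern>
    <http-method-omission>GET</http-method-omission>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

An empty <auth-constraint/> takes precedence over any other constraint that covers the same method, which is why policy 2 in this example omits GET instead of covering it.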