On 27/09/2021 14:02, Rémy Maucherat wrote:
On Mon, Sep 27, 2021 at 1:03 PM Mark Thomas <[email protected]> wrote:

Hi all,

I've been having some conversations at $work about Tomcat's handling of
TRACE requests and the allowTrace option on the Connector. Something
that was said in that discussion got me thinking. Why do we have special
handling for TRACE requests on the Connector? Why not use a security
constraint in the global web.xml?

I've done a quick test, setting allowTrace to true on the Connector and
adding the following to the global web.xml:

      <security-constraint>
        <web-resource-collection>
          <url-pattern>/*</url-pattern>
          <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint />
      </security-constraint>

This blocks TRACE requests as expected.

What do the folks here think about deprecating allowTrace on the
Connector for 10.0.x and removing it (and the special handling in
HttpServlet) in 10.1.x onwards - replacing it with the security
constraint above.

It might not matter much these days, but this still looks like it
would be considerably less efficient (for a flag that will actually
never be set to false, right ?).

I can do some performance testing to see what the impact is. We can then judge the impact vs the benefit.

I suspect most users will leave the option as is but there might be a few that are happy enabling TRACE.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to