On 27/09/2021 14:02, Rémy Maucherat wrote:
On Mon, Sep 27, 2021 at 1:03 PM Mark Thomas <[email protected]> wrote:Hi all, I've been having some conversations at $work about Tomcat's handling of TRACE requests and the allowTrace option on the Connector. Something that was said in that discussion got me thinking. Why do we have special handling for TRACE requests on the Connector? Why not use a security constraint in the global web.xml? I've done a quick test, setting allowTrace to true on the Connector and adding the following to the global web.xml: <security-constraint> <web-resource-collection> <url-pattern>/*</url-pattern> <http-method>TRACE</http-method> </web-resource-collection> <auth-constraint /> </security-constraint> This blocks TRACE requests as expected. What do the folks here think about deprecating allowTrace on the Connector for 10.0.x and removing it (and the special handling in HttpServlet) in 10.1.x onwards - replacing it with the security constraint above.It might not matter much these days, but this still looks like it would be considerably less efficient (for a flag that will actually never be set to false, right ?).
I can do some performance testing to see what the impact is. We can then judge the impact vs the benefit.
I suspect most users will leave the option as is but there might be a few that are happy enabling TRACE.
Mark --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
