On 7/21/2011 12:27 PM, Scott Ferguson wrote:
> On 07/20/2011 10:39 AM, Aaron Freeman wrote:
>> I'd like to disable the HTTP CONNECT method. I don't know the best
>> way to do that, but I tried this and it's not working:
>> <resin:Forbidden regexp='.*'>
>> <resin:IfMethod value="CONNECT"/>
>> </resin:Forbidden>
>> The request is passed on and I receive a 200 OK response when I telnet
>> and test the CONNECT.
>> What is the most efficient way to get Resin to deny those requests?
> That config works for me. (You don't need the regexp if you're matching
> everything, but it doesn't matter for this issue.)
> There is the <resin:Forbidden> tag?
> -- Scott

The config doesn't bomb, but in resin-pro-4.0.18 when I run this:

 > telnet localhost 80


CONNECT http://localhost/ HTTP/1.0

I then get the home page and a 200 OK, instead of a 403 FORBIDDEN.

You are able to get it to throw an appropriate HTTP 403?



resin-interest mailing list
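
The manual telnet check from the message above, scripted so the status code can be asserted after a config change. This is an added example, not part of the original thread or of Resin; `probe_status`, `connect_is_denied` and `start_stub` are hypothetical names, and the stub is a constructed stand-in for the server under test.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_status(host, port, method="CONNECT", target="http://localhost/", timeout=5.0):
    """Send one raw HTTP/1.0 request (as typed into telnet) and return the status code."""
    request = f"{method} {target} HTTP/1.0\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        # Only the status line matters; the body (e.g. a home page) is ignored.
        status_line = sock.makefile("rb").readline().decode("latin-1").strip()
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"unparseable status line: {status_line!r}")
    return int(parts[1])


def connect_is_denied(host, port):
    """True only if CONNECT gets 403 while an ordinary GET is still served with 200."""
    return (probe_status(host, port, "CONNECT") == 403
            and probe_status(host, port, "GET", "/") == 200)


class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the server under test (assumption: not Resin)."""
    deny_connect = True

    def _reply(self, code):
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self._reply(200)

    def do_CONNECT(self):
        # 403 models a working Forbidden rule, 200 the behaviour reported above.
        self._reply(403 if self.deny_connect else 200)

    def log_message(self, *args):
        pass  # keep the stub quiet


def start_stub(deny_connect):
    """Start the stub on an ephemeral loopback port and return the server object."""
    handler = type("Handler", (_StubHandler,), {"deny_connect": deny_connect})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Against a real deployment, call `connect_is_denied("localhost", 80)`; the GET comparison guards against a rule that forbids every method rather than only CONNECT.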
