On 7/21/2011 4:12 PM, Scott Ferguson wrote:
> On 07/21/2011 02:01 PM, Aaron Freeman wrote:
>> On 7/21/2011 12:27 PM, Scott Ferguson wrote:
>>> On 07/20/2011 10:39 AM, Aaron Freeman wrote:
>>>> I'd like to disable the HTTP CONNECT method. I don't know the best
>>>> way to do that, but I tried this and it's not working:
>>>>
>>>> <resin:Forbidden regexp='.*'>
>>>> <resin:IfMethod value="CONNECT"/>
>>>> </resin:Forbidden>
>>>>
>>>> The request is passed on and I receive a 200 OK response when I telnet
>>>> and test the CONNECT.
>>>>
>>>> What is the most efficient way to get Resin to deny those requests?
>>> That config works for me. (You don't need the regexp if you're matching
>>> everything, but it doesn't matter for this issue.)
>>>
>>> There is the <resin:Forbidden> tag?
>>>
>>> -- Scott
>>>
>> The config doesn't bomb, but in resin-pro-4.0.18 when I run this:
>>
>> > telnet localhost 80
>>
>> then
>>
>> CONNECT http://localhost/ HTTP/1.0
>>
>> I then get the home page and a 200 OK, instead of a 403 FORBIDDEN.
>>
>> You are able to get it to throw an appropriate HTTP 403?
> Where is the <resin:Forbidden> tag? (<cluster>, <host>, <web-app>,
> resin-web.xml?)
>
> -- Scott
>
Ah now I get your question. :) I was confused. I tried in the web-app-default and web-app based on the regex, but I am guessing you are going to tell me that's too late and I need to put it at the <host> level -- so I just tried that and it's working great.

Sorry for being slow and not thinking this one through more.

Thanks,
Aaron
_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
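
Added example, not part of the original thread and not Resin code: a Python version of the telnet check described above, for confirming after a config change that CONNECT is answered with 403 while other methods still get through. The function names and the loopback stub server are constructed for illustration; point probe_method at your own host and port to check a real deployment.

```python
import socket
import socketserver
import threading

def probe_method(host, port, method="CONNECT", target="http://localhost/", timeout=5.0):
    """Send one raw HTTP/1.0 request, as in the telnet test, and return the status code."""
    request = f"{method} {target} HTTP/1.0\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        while b"\r\n" not in data and len(data) < 4096:  # only the status line is needed
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"unexpected response: {status_line!r}")
    return int(parts[1])

def connect_is_denied(host, port):
    """True only when CONNECT is refused with 403; a 200 (or anything else) fails the check."""
    return probe_method(host, port, "CONNECT") == 403

class _StubHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a web server; refuses CONNECT when deny_connect is set."""
    def handle(self):
        method = self.rfile.readline().decode("latin-1").split(" ", 1)[0]
        while self.rfile.readline() not in (b"\r\n", b"\n", b""):  # skip any headers
            pass
        denied = method == "CONNECT" and self.server.deny_connect
        reply = b"HTTP/1.0 403 Forbidden\r\n\r\n" if denied else b"HTTP/1.0 200 OK\r\n\r\nhome"
        self.wfile.write(reply)

def start_stub(deny_connect):
    """Start the stub on an ephemeral loopback port and return the server object."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _StubHandler)
    server.deny_connect = deny_connect
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for deny in (False, True):  # False mimics the 200 OK case, True the 403 case
        srv = start_stub(deny)
        addr = ("127.0.0.1", srv.server_address[1])
        print(f"deny_connect={deny}: CONNECT -> {probe_method(*addr)}, denied={connect_is_denied(*addr)}")
        srv.shutdown()
        srv.server_close()
```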