On 7/21/2011 4:12 PM, Scott Ferguson wrote:
> On 07/21/2011 02:01 PM, Aaron Freeman wrote:
>> On 7/21/2011 12:27 PM, Scott Ferguson wrote:
>>> On 07/20/2011 10:39 AM, Aaron Freeman wrote:
>>>> I'd like to disabled the HTTP CONNECT method.   I don't know the best
>>>> way to do that, but I tried this and it's not working:
>>>> <resin:Forbidden regexp='.*'>
>>>> <resin:IfMethod value="CONNECT"/>
>>>> </resin:Forbidden>
>>>> The request is passed on and I receive a 200 OK response when I telnet
>>>> and test the CONNECT.
>>>> What is the most efficient way to get Resin to deny those requests?
>>> That config works for me. (You don't need the regexp if you're matching
>>> everything, but it doesn't matter for this issue.)
>>> There is the<resin:Forbidden>    tag?
>>> -- Scott
>> The config doesn't bomb, but in resin-pro-4.0.18 when I run this:
>>    >   telnet localhost 80
>> then
>> CONNECT http://localhost/ HTTP/1.0
>> I then get the home page and a 200 OK, instead of a 403 FORBIDDEN.
>> You are able to get it to throw an appropriate HTTP 403?
> Where is the<resin:Forbidden>  tag? (<cluster>,<host>,<web-app>,
> resin-web.xml?)
> -- Scott

Ah now I get your question.  :)  I was confused.

I tried in the web-app-default and web-app based on the regex, but I am 
guessing you are going to tell me that's too late and I need to put it 
at the <host> level -- so I just tried that and it's working great.  
Sorry for being slow and not thinking this one through more.



resin-interest mailing list

Reply via email to