Running Nessus against our server (Debian Woody + standalone Tomcat 5.0.18) produces a security warning that the PUT and DELETE HTTP methods are enabled in Tomcat. Although these warnings were not exploitable, I really need to ensure that these 2 methods are completely disabled.
I've spent a good while looking into this, and this is where I'm at so far - I've placed the following in $CATALINA_HOME/conf/web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Disable Methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name></role-name>
      </auth-constraint>
    </security-constraint>

I was under the impression that by not including a <role-name> value, all PUT and DELETE method requests are disabled since the security constraint cannot be linked to a role. However, the fact that it doesn't work yet means I'm doing something wrong somewhere! Any guidance is very much appreciated.
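For comparison, here is the same constraint written the way the Servlet 2.4 specification (which Tomcat 5 implements) expects a deny-everyone rule to look. This is an added example, not code from the post above or from Tomcat's shipped conf/web.xml; the web-resource-name is an assumed value.

```xml
<!-- Added example for $CATALINA_HOME/conf/web.xml or a webapp's WEB-INF/web.xml
     (Servlet 2.4 / Tomcat 5.x). Not the poster's configuration. -->
<security-constraint>
  <web-resource-collection>
    <!-- assumed name; any descriptive string is fine -->
    <web-resource-name>Disable PUT and DELETE</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- only the methods listed here are constrained; every other method
         on these URLs stays unconstrained -->
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <!-- An auth-constraint with NO role-name children means "no role is
       permitted": Tomcat answers PUT and DELETE with 403 for every caller.
       <role-name></role-name> is different: it declares a role whose name is
       the empty string rather than an empty set of roles. -->
  <auth-constraint/>
</security-constraint>
```

Two points a practitioner should keep in mind when checking this. First, the constraint is enforced by Tomcat's authenticator valve; when a context declares security constraints but no <login-config>, Tomcat 5 installs its NonLoginAuthenticator, so no realm or login method is needed for a pure deny rule. Second, a scanner may report PUT and DELETE as "enabled" from the Allow header of an OPTIONS response rather than from a successful PUT, and OPTIONS is not in the list above, so verify the actual behaviour directly: a request such as `curl -i -X PUT http://host:8080/anything` and `curl -i -X DELETE http://host:8080/anything` should now return 403 for every URL under /*. Separately, Tomcat's DefaultServlet refuses PUT and DELETE on its own when its readonly init-param is left at the default of true, which is usually why the original warning was not exploitable even though the methods were advertised.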