Re: OT Re: Restrict http methods

2010-05-15 Thread Pid
On 15/05/2010 12:25, André Warnier wrote: > Pid wrote: >> On 14/05/2010 19:43, André Warnier wrote: >>> Mark Thomas wrote: >>> ... >>> TRACE & PUT could be tested safely but it is hard to test DELETE without causing some damage if it is permitted. >>> Well, you could DELETE http

Re: OT Re: Restrict http methods

2010-05-15 Thread André Warnier
Pid wrote: On 14/05/2010 19:43, André Warnier wrote: Mark Thomas wrote: ... TRACE & PUT could be tested safely but it is hard to test DELETE without causing some damage if it is permitted. Well, you could DELETE http://localhost/some-highly-unlikely-url and check if you get a 404, couldn't y

OT Re: Restrict http methods

2010-05-15 Thread Pid
On 14/05/2010 19:43, André Warnier wrote: > Mark Thomas wrote: > ... > >> >> TRACE & PUT could be tested safely but it is hard to test DELETE without >> causing some damage if it is permitted. >> > Well, you could DELETE http://localhost/some-highly-unlikely-url > and check if you get a 404, could

Re: Restrict http methods

2010-05-14 Thread André Warnier
Mark Thomas wrote: ... TRACE & PUT could be tested safely but it is hard to test DELETE without causing some damage if it is permitted. Well, you could DELETE http://localhost/some-highly-unlikely-url and check if you get a 404, couldn't you? Although I do remember writing once a URL-check

Re: Restrict http methods

2010-05-14 Thread Mark Thomas
On 14/05/2010 16:28, André Warnier wrote: > Leo Donahue - PLANDEVX wrote: > ... > >> >> Yes. I wasn't implementing doPUT or doDELETE and was scratching my >> head trying to figure out how the security scan was able to indicate >> those methods were available. >> > Then it very much looks right no

Re: Restrict http methods

2010-05-14 Thread Hassan Schroeder
On Fri, May 14, 2010 at 8:28 AM, André Warnier wrote: >> trying to figure out how the security scan was able to indicate those >> methods were available. >> > Then it very much looks right now as if it is the scanner which is faulty. A client of mine (at a VeryLargeCo) had to have a "security sc

RE: Restrict http methods

2010-05-14 Thread Caldarale, Charles R
> From: André Warnier [mailto:a...@ice-sa.com] > Subject: Re: Restrict http methods > > So, it does respond 403. > Mark was right. How does he know these things? Because he writes a bunch of the Tomcat code... and reads nearly all of the rest of it. - Chuck THIS COMMUNICAT

Re: Restrict http methods

2010-05-14 Thread André Warnier
Leo Donahue - PLANDEVX wrote: ... Yes. I wasn't implementing doPUT or doDELETE and was scratching my head trying to figure out how the security scan was able to indicate those methods were available. Then it very much looks right now as if it is the scanner which is faulty. Being mainly a

RE: Restrict http methods

2010-05-14 Thread Leo Donahue - PLANDEVX
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Friday, May 14, 2010 5:07 AM To: Tomcat Users List Subject: Re: Restrict http methods Mark Thomas wrote: > On 14/05/2010 09:06, André Warnier wrote: >> Mark Thomas wrote: >>> On 14/05/2010 00:28, A

Re: Restrict http methods

2010-05-14 Thread Konstantin Kolinko
2010/5/14 Leo Donahue - PLANDEVX : > What do most people use to restrict PUT and DELETE http methods? > Besides what was already said here, you can always write a Filter and configure it in ${catalina.base}/conf/web.xml -- it will be present in all web applications on your Tomcat instance. (In ass

Re: Restrict http methods

2010-05-14 Thread André Warnier
Mark Thomas wrote: On 14/05/2010 09:06, André Warnier wrote: Mark Thomas wrote: On 14/05/2010 00:28, André Warnier wrote: Leo, normally in the default config of a webserver, these methods are by default disabled, for the simple reason that there is no "handler" defined for them. That is the

Re: Restrict http methods

2010-05-14 Thread Mark Thomas
ave warm >>>> fuzzies about this. >>>> >>>> I think they used IBM Rational App Scan, not sure though. >>>> >>>> Leo >>>> -Original Message- >>>> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys

Re: Restrict http methods

2010-05-14 Thread André Warnier
om: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Thursday, May 13, 2010 3:13 PM To: Tomcat Users List Subject: RE: Restrict http methods From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Subject: Restrict http methods What do most people use to restrict PUT a

Re: Restrict http methods

2010-05-14 Thread Mark Thomas
m >> fuzzies about this. >> >> I think they used IBM Rational App Scan, not sure though. >> >> Leo >> -Original Message- >> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: >> Thursday, May 13, 2010 3:13 PM >> To: T

Re: Restrict http methods

2010-05-13 Thread André Warnier
age- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Thursday, May 13, 2010 3:13 PM To: Tomcat Users List Subject: RE: Restrict http methods From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Subject: Restrict http methods What do most people use to restrict P

RE: Restrict http methods

2010-05-13 Thread Leo Donahue - PLANDEVX
hough. Leo -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Thursday, May 13, 2010 3:13 PM To: Tomcat Users List Subject: RE: Restrict http methods > From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] > Subject: Restrict h

RE: Restrict http methods

2010-05-13 Thread Caldarale, Charles R
> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] > Subject: Restrict http methods > > What do most people use to restrict PUT and DELETE http methods? > > 2. Set the attribute "readonly" to true in the default servlet in > web.xml The readonly

Restrict http methods

2010-05-13 Thread Leo Donahue - PLANDEVX
What do most people use to restrict PUT and DELETE http methods? 1. Using a security-constraint with no roles specified in an auth-constraint, with a url-pattern of /* (or appropriate URI) and list the http methods to restrict OR 2. Set the attribute "readonly" to true in the default servlet in