I think I found a way that appears to work... I added the <http-method> line and it gives me the 302 message for the HTTP TRACE and my web app appears to be working!!!! Is this all I need to do?
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Thanks!!!!
Pete
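A small checker, added here and not part of the thread, that parses a web.xml the way the container evaluates it and reports what a given method on a given path gets: unconstrained, redirected to HTTPS (CONFIDENTIAL with no auth-constraint, which is the 302 seen above), auth-required, or denied (an empty <auth-constraint/>). The sample web.xml is constructed from the constraint posted above; the hardened variant with the empty auth-constraint is an assumption of mine, not something the thread shows.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint posted in the thread (TRACE on /*, CONFIDENTIAL only).
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
</web-app>"""

# Assumed hardened variant: an empty <auth-constraint/> means no role may use TRACE at all.
HARDENED_WEB_XML = WEB_XML.replace("<user-data-constraint>",
                                   "<auth-constraint/>\n  <user-data-constraint>")

RANK = {"unconstrained": 0, "redirect-to-https": 1, "auth-required": 2, "denied": 3}

def pattern_matches(pattern, path):
    """Servlet-style url-pattern matching: exact, prefix ('/x/*'), or extension ('*.jsp')."""
    if pattern == path or pattern == "/*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False

def effective_policy(web_xml, method, path):
    """Strictest outcome any matching <security-constraint> imposes on METHOD at PATH."""
    outcome = "unconstrained"
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        hit = False
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            if methods and method not in methods:
                continue  # an empty method list covers every method
            if any(pattern_matches(p.text.strip(), path) for p in wrc.findall("url-pattern")):
                hit = True
        if not hit:
            continue
        auth = sc.find("auth-constraint")
        tg = sc.find("user-data-constraint/transport-guarantee")
        if auth is not None and not auth.findall("role-name"):
            this = "denied"
        elif auth is not None:
            this = "auth-required"
        elif tg is not None and tg.text.strip() in ("CONFIDENTIAL", "INTEGRAL"):
            this = "redirect-to-https"  # plain-HTTP callers get a 302 to the SSL port
        else:
            this = "unconstrained"
        if RANK[this] > RANK[outcome]:
            outcome = this
    return outcome
```

Run effective_policy(WEB_XML, "TRACE", "/") to see that the posted constraint only redirects TRACE to HTTPS rather than refusing it; the hardened sample returns "denied".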
Tim....
Thanks for the suggestion and it shows the following when I try to telnet and send HTTP TRACE
HTTP/1.1 302 Moved Temporarily
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://localhost:8443/
Content-Type: text/plain
Content-Length: 0
Date: Mon, 23 Jun 2003 03:39:19 GMT
Server: Apache Coyote/1.0
Connection: close
That might satisfy the sys admins, but it also doesn't allow my webapp to run.... Here's what the link you gave said to add to web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
I'm assuming that the url-pattern is catching everything.... any way to only stop HTTP TRACE?
Thanks!
Pete
Tim Funk wrote:
In web.xml - use a security constraint to disallow trace.
It is similar to this: http://jakarta.apache.org/tomcat/faq/security.html#https
-Tim
Peter M. Gerken wrote:
Hi..
I'm using tomcat 4.1.24 and the sys admins found a potential security hole by sending an HTTP TRACE. They told me I need to fix it by following the instructions in the following URL:
http://www.kb.cert.org/vuls/id/867593
However, I'm not using the Apache HTTP Server, just Tomcat with its embedded server. Is there any way to disable an HTTP TRACE sent to tomcat?
Here's the test I need to fail...
telnet xxx.xxx.xxx.xxx 8080
type in "TRACE / HTTP/1.0" and hit return twice... it shows...
HTTP/1.1 200 OK
Content-Type: message/http
Content-Length: 18
Date: Sun, 22 Jun 2003 22:52:24 GMT
Server: Apache Coyote/1.0
Connection: close
TRACE / HTTP/1.0
I need that to fail to get the sys admins off my back.
Any help would be much appreciated!
Thanks!!