A 302 response is a redirect. If you don't have an SSL Connector
configured, then what you have should work (ugly, but works ;-).
I believe that the idea was to have a:
<auth-constraint>
  <description>Forbidden Roles</description>
  <role-name>nobody-has-this-role</role-name>
</auth-constraint>
It is really ugly for Form-auth (but it mostly makes life difficult for
hackers, so what do you care ;-).
"Peter M. Gerken" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Tim...
>
> I think I found a way that appears to work... I added the <http-method>
> line and it gives me the 302 message for the HTTP TRACE and my web app
> appears to be working!!!! Is this all I need to do?
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Protected Context</web-resource-name>
>     <url-pattern>/*</url-pattern>
>     <http-method>TRACE</http-method>
>   </web-resource-collection>
>   <!-- auth-constraint goes here if you require authentication -->
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> Thanks!!!!
>
> Pete
>
> > Tim....
> >
> > Thanks for the suggestion and it shows the following when I try to
> > telnet and send HTTP TRACE
> >
> > HTTP/1.1 302 Moved Temporarily
> > Pragma: No-cache
> > Cache-Control: no-cache
> > Expires: Thu, 01 Jan 1970 00:00:00 GMT
> > Location: https://localhost:8443/
> > Content-Type: text/plain
> > Content-Length: 0
> > Date: Mon, 23 Jun 2003 03:39:19 GMT
> > Server: Apache Coyote/1.0
> > Connection: close
> >
> > That might satisfy the sys admins, but it also doesn't allow my webapp
> > to run.... Here's what the link you gave said to add to web.xml:
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>Protected Context</web-resource-name>
> >     <url-pattern>/*</url-pattern>
> >   </web-resource-collection>
> >   <!-- auth-constraint goes here if you require authentication -->
> >   <user-data-constraint>
> >     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >   </user-data-constraint>
> > </security-constraint>
> >
> > I'm assuming that the url-pattern is catching everything.... any way to
> > only stop HTTP TRACE?
> >
> > Thanks!
> >
> > Pete
> >
> > Tim Funk wrote:
> >
> >> In web.xml - use a security constraint to disallow trace.
> >>
> >> It is similar to this:
> >> http://jakarta.apache.org/tomcat/faq/security.html#https
> >>
> >> -Tim
> >>
> >> Peter M. Gerken wrote:
> >>
> >>> Hi..
> >>>
> >>> I'm using tomcat 4.1.24 and the sys admins found a potential
> >>> security hole by sending a HTTP TRACE. They told me I need to fix it
> >>> by following the instructions in the following URL:
> >>>
> >>> http://www.kb.cert.org/vuls/id/867593
> >>>
> >>> However, I'm not using the Apache HTTP Server, just Tomcat with its
> >>> embedded server. Is there any way to disable a HTTP TRACE sent to
> >>> tomcat?
> >>>
> >>> Here's the test I need to fail...
> >>>
> >>> telnet xxx.xxx.xxx.xxx 8080
> >>>
> >>> type in "TRACE / HTTP/1.0" and hit return twice... it shows...
> >>>
> >>>
> >>> HTTP/1.1 200 OK
> >>> Content-Type: message/http
> >>> Content-Length: 18
> >>> Date: Sun, 22 Jun 2003 22:52:24 GMT
> >>> Server: Apache Coyote/1.0
> >>> Connection: close
> >>>
> >>> TRACE / HTTP/1.0
> >>>
> >>>
> >>> I need that to fail to get the sys admins off my back.
> >>>
> >>> Any help would be much appreciated!
> >>>
> >>> Thanks!!
> >>
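To make the difference between the two quoted web.xml variants concrete, here is an added example (not from the thread, and not Tomcat's own code) that reads a deployment descriptor and reports whether a plain-HTTP TRACE to a URL would be denied outright, merely redirected to HTTPS (the 302 seen above), or left open. The descriptors embedded in it are constructed from the fragments quoted in the thread; url-pattern matching is simplified to exact and `/*` prefix matching.

```python
import xml.etree.ElementTree as ET

def _kids(elem, name):
    # Match on local name so Servlet 2.3 (DTD) and 2.4+ (xmlns) descriptors both work
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _covers_trace(constraint, url):
    """True if a <web-resource-collection> of this constraint applies to TRACE on url."""
    for wrc in _kids(constraint, "web-resource-collection"):
        methods = {(m.text or "").strip().upper() for m in _kids(wrc, "http-method")}
        if methods and "TRACE" not in methods:
            continue  # no <http-method> at all means every method, TRACE included
        for up in _kids(wrc, "url-pattern"):
            pat = (up.text or "").strip()
            if pat == url or (pat.endswith("/*") and url.startswith(pat[:-1])):
                return True
    return False

def trace_policy(web_xml, url="/"):
    """Return how a plain-HTTP TRACE to url is treated: 'denied', 'redirect-only' or 'open'."""
    verdict = "open"
    for sc in _kids(ET.fromstring(web_xml), "security-constraint"):
        if not _covers_trace(sc, url):
            continue
        # An <auth-constraint> (empty, or naming a role nobody holds) means the TRACE is never echoed
        if _kids(sc, "auth-constraint"):
            return "denied"
        # CONFIDENTIAL alone only produces the 302 to HTTPS seen in the thread; the TRACE
        # is then answered on the SSL connector if one is configured
        for udc in _kids(sc, "user-data-constraint"):
            if any((g.text or "").strip() == "CONFIDENTIAL"
                   for g in _kids(udc, "transport-guarantee")):
                verdict = "redirect-only"
    return verdict

# Constructed descriptors built from the fragments quoted in the thread
_COLLECTION = """<web-resource-collection>
  <web-resource-name>Protected Context</web-resource-name>
  <url-pattern>/*</url-pattern>
  <http-method>TRACE</http-method>
</web-resource-collection>"""
REDIRECT_ONLY_XML = f"""<web-app><security-constraint>{_COLLECTION}
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""
DENY_XML = f"""<web-app><security-constraint>{_COLLECTION}
  <auth-constraint><role-name>nobody-has-this-role</role-name></auth-constraint>
</security-constraint></web-app>"""
```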