Ian,

On 1/13/2010 12:37 PM, iainmac wrote:
> I need to disable TRACE to pass a security scan, so I added
> allowTrace="false" to all my connectors, but it's still allowing TRACE!

Can you give us an example?

Recently, someone complained that the JSPServlet will allow /any/ HTTP
method, even methods that are not defined like:

FOO /path/to/my.jsp HTTP/1.1

Teh FOO method ist allowed!!111!!!ELEVEN!!

For whatever reason, the JSPServlet specifically allows any method,
including TRACE.

I've never used allowTrace="false", though it /is/ the default.

> I had to work around with urlrewrite and a jsp with 1 line which was
> response.sendError(response.SC_NOT_IMPLEMENTED , "NOT IMPLEMENTED");

And does this pass your security audit?

> However I would prefer the allowTrace="false" to work properly!

Agreed, though the documentation doesn't state what happens when
allowTrace="true" versus allowTrace="false": it just says "enabled or
disables the TRACE method" without describing the expected behavior.

> Any ideas as to why its not working?

Not without looking at the code. You are welcome to check it out.

Which connector(s) are you using? What version of Tomcat are you running?

-chris
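
Added example, not part of the original message or of Tomcat's own code: a servlet filter that generalizes the one-line JSP workaround quoted above by answering 501 for every method outside an allow list, so TRACE and undefined methods such as FOO never reach the JSP servlet. The class name, the package and the "allowedMethods" init-param are hypothetical; the code uses the javax.servlet API (Tomcat 10 and later use jakarta.servlet instead).

```java
package example; // hypothetical package name

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: rejects every HTTP method that is not on an allow list. */
public class MethodAllowListFilter implements Filter {

    // Default allow list; anything else (TRACE, FOO, ...) is refused.
    private Set<String> allowed = new HashSet<String>(Arrays.asList("GET", "HEAD", "POST"));

    public void init(FilterConfig config) throws ServletException {
        // Optional init-param "allowedMethods" (assumed name), e.g. "GET,HEAD,POST,PUT"
        String param = config.getInitParameter("allowedMethods");
        if (param != null && param.trim().length() > 0) {
            Set<String> parsed = new HashSet<String>();
            for (String m : param.split(",")) {
                parsed.add(m.trim());
            }
            allowed = parsed;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            String method = ((HttpServletRequest) req).getMethod();
            // HTTP method names are case-sensitive, so compare exactly.
            if (!allowed.contains(method)) {
                ((HttpServletResponse) res).sendError(
                        HttpServletResponse.SC_NOT_IMPLEMENTED, "NOT IMPLEMENTED");
                return; // the request never reaches the JSP servlet or any other servlet
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Declare the filter in web.xml and map it to /* so that it also covers *.jsp requests; filters run before the target servlet, so the check applies regardless of what the servlet itself accepts.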