From: Jan B. <ja...@we...> - 2007-08-31 01:03:46
lneelaka,

In jetty5 the trace method is implemented for the Default servlet
but will not echo back any content unless you call Server.setTrace(true),
e.g. via your jetty.xml file.

If you wish to disable it completely, you can always do a security
constraint:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>NoTrace</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint>
    </auth-constraint>
  </security-constraint>

You can put that in webdefault.xml in order to have it apply to all
webapps.

In jetty6, the trace method is implemented on the DefaultServlet thus:

  protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException
  {
      resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
  }

So if you want it to do something, you'd have to subclass the
DefaultServlet. Of course, your own servlets need to take account
of TRACE requests appropriately (or use the security constraint to
forbid them).

regards
Jan

lneelaka wrote:
> I have seen some questions on this topic in the forum, but I am not clear
> about the status on this topic. So, I'd like to ask the question(s) again:
>
> a) Is there a way to disable HTTP TRACE in the Jetty 5.x versions through a
> configuration option?
>
> b) HTTP TRACE in Jetty 5.x appears to be on, but there does not seem to be a
> security issue, in the sense that it does not appear to be echoing the
> client request. Is my understanding correct?
>
> c) Has the HTTP TRACE configuration issue been addressed in any of the
> recent versions of Jetty? If yes, which one?
>
> Many thanks!
> Neel

--
Jan Bartel, Webtide LLC | ja...@we... | http://www.webtide.com
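
A descriptor check for the security constraint in the message above, as an added example that is not part of the original mail or of Jetty. It relies on the servlet rule that an `<auth-constraint>` that is present but names no role denies everyone, while a constraint with no `<auth-constraint>` restricts nobody. The names `trace_denied` and `SAMPLES` are hypothetical, and the sample descriptors are constructed.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # '{http://...}url-pattern' -> 'url-pattern', so namespaced descriptors work too
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def trace_denied(descriptor_xml, pattern="/*"):
    """True if some security-constraint forbids TRACE for exactly `pattern`."""
    root = ET.fromstring(descriptor_xml)
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        auth = _children(sc, "auth-constraint")
        # Deny-all needs an <auth-constraint> that is present but names no role.
        # With no <auth-constraint> at all, the constraint restricts nobody.
        if not auth or any(_children(a, "role-name") for a in auth):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            patterns = [(p.text or "").strip() for p in _children(wrc, "url-pattern")]
            methods = [(m.text or "").strip().upper() for m in _children(wrc, "http-method")]
            # A collection that lists no <http-method> covers every method.
            if pattern in patterns and (not methods or "TRACE" in methods):
                return True
    return False

# Constructed sample descriptors; the first wraps the constraint from the mail.
_WRC = ("<web-resource-collection><web-resource-name>NoTrace</web-resource-name>"
        "<url-pattern>/*</url-pattern><http-method>TRACE</http-method>"
        "</web-resource-collection>")
SAMPLES = {
    "empty auth-constraint": f"<web-app><security-constraint>{_WRC}"
        "<auth-constraint> </auth-constraint></security-constraint></web-app>",
    "auth-constraint missing": f"<web-app><security-constraint>{_WRC}"
        "</security-constraint></web-app>",
    "role allowed": f"<web-app><security-constraint>{_WRC}<auth-constraint>"
        "<role-name>admin</role-name></auth-constraint></security-constraint></web-app>",
    "namespaced": f'<web-app xmlns="http://java.sun.com/xml/ns/j2ee"><security-constraint>'
        f"{_WRC}<auth-constraint/></security-constraint></web-app>",
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name:26} TRACE denied: {trace_denied(xml)}")
```

The check matches the URL pattern literally, so a constraint scoped to a narrower pattern is not reported as covering `/*`.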