cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joe Luo (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-7114) Disable HTTP TRACE method on CXF http-jetty transport
Date Fri, 28 Oct 2016 17:13:58 GMT
Joe Luo created CXF-7114:
----------------------------

             Summary: Disable HTTP TRACE method on CXF http-jetty transport
                 Key: CXF-7114
                 URL: https://issues.apache.org/jira/browse/CXF-7114
             Project: CXF
          Issue Type: Bug
          Components: Transports
    Affects Versions: 3.0.4
            Reporter: Joe Luo
            Priority: Minor


We had a security scan and found that standalone CXF endpoint using http-jetty transport still
had HTTP TRACE method enabled. It is considered as a security risk. 

It's not a problem if the CXF http-jetty transport is used with Pax Web as Pax Web had already
had it's embedded Jetty engine's HTTP TRACE method disabled by default. 

So we should disable HTTP TRACE method in JettyHTTPHandler.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message