cxf-issues mailing list archives
From "Joe Luo (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-7114) Disable HTTP TRACE method on CXF http-jetty transport
Date Fri, 28 Oct 2016 17:15:58 GMT

     [ https://issues.apache.org/jira/browse/CXF-7114?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joe Luo updated CXF-7114:
-------------------------
    Description: 
We had a security scan and found that a standalone CXF endpoint using the http-jetty transport still had the HTTP TRACE method enabled. It is considered a security risk.

It's not a problem if the CXF http-jetty transport is used with Pax Web, as Pax Web has already had its embedded Jetty engine's HTTP TRACE method disabled by default.

So we should disable the HTTP TRACE method in JettyHTTPHandler. Please find attached patch.txt for more detail.

  was:
We had a security scan and found that a standalone CXF endpoint using the http-jetty transport still had the HTTP TRACE method enabled. It is considered a security risk.

It's not a problem if the CXF http-jetty transport is used with Pax Web, as Pax Web has already had its embedded Jetty engine's HTTP TRACE method disabled by default.

So we should disable the HTTP TRACE method in JettyHTTPHandler.


> Disable HTTP TRACE method on CXF http-jetty transport
> -----------------------------------------------------
>
>                 Key: CXF-7114
>                 URL: https://issues.apache.org/jira/browse/CXF-7114
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 3.0.4
>            Reporter: Joe Luo
>            Priority: Minor
>         Attachments: patch.txt
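As an added illustration (not the attached patch.txt and not CXF's own JettyHTTPHandler code), the following shows how a Jetty handler can refuse TRACE before any request headers are echoed back: the method is checked first and answered with 405 plus an Allow header, and the request is marked handled so Jetty's default TRACE handling never runs. It assumes the Jetty 9 `AbstractHandler` / `Request` API and a hypothetical wrapped `delegate` handler.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.handler.AbstractHandler;

/**
 * Illustrative wrapper (assumed Jetty 9 API; not CXF's JettyHTTPHandler):
 * rejects HTTP TRACE and forwards every other method to the wrapped handler.
 */
public class NoTraceHandler extends AbstractHandler {

    private final Handler delegate;   // hypothetical: the real endpoint handler

    public NoTraceHandler(Handler delegate) {
        this.delegate = delegate;
    }

    @Override
    public void handle(String target, Request baseRequest,
                       HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        if ("TRACE".equalsIgnoreCase(request.getMethod())) {
            // Advertise the accepted methods; TRACE is deliberately absent.
            response.setHeader("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            // Mark handled so Jetty does not fall through to its built-in TRACE echo.
            baseRequest.setHandled(true);
            return;
        }
        delegate.handle(target, baseRequest, request, response);
    }
}
```

Verifying the change on your own endpoint is a single request, e.g. `curl -i -X TRACE http://localhost:8080/services/`, which should now return 405 instead of echoing the request.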



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
