tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 32926] New: - Disable HTTP methods PUT and DELETE
Date Mon, 03 Jan 2005 19:32:42 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=32926>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=32926

           Summary: Disable HTTP methods PUT and DELETE
           Product: Tomcat 5
           Version: Unknown
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: PatchAvailable
          Severity: enhancement
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: anderson@mitre.org


I suggest that you include in the Tomcat distribution a valve to filter HTTP
requests by method.  

I have seen a few requests on how to disable PUT and DELETE methods.  Disabling
these methods is a common requirement for Tomcat in standalone mode at sites
that run the NESSUS security scanner.  

I have written such a valve (it's a slight modification of RemoteAddrValve), and
offer it to you with no restrictions.  The valve would be configured in
server.xml like this:

<Engine ...>  <!-- or <Host> -->
   <Valve className="org.apache.catalina.valves.HttpMethodValve"
               deny="PUT,DELETE"/>
</Engine>

Here is the code that I wrote for my server (I changed the package name to match
what you would use):
-------
package org.apache.catalina.valves;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.ValveContext;


/**
 * Concrete implementation of <code>RequestFilterValve</code> that filters
 * HTTP requests based upon the string representation of the request method.
 *
 * in server.xml:
 * <Valve className="org.apache.catalina.valves.HttpMethodValve"
 *        allow="comma-separated-string" deny="comma-separated-string" />
 *
 * where comma-separated-string is a list of HTTP methods (uppercase) separated
 * by commas.
 *
 * Example: To disable PUT and DELETE methods on a standalone Tomcat 5 server,
 *
 * <Engine ...>  <!-- or <Host> -->
 *    <Valve className="org.apache.catalina.valves.HttpMethodValve"
 *           deny="PUT,DELETE" />
 * </Engine>
 *
 * @author Mark Anderson
 * @version $Revision: 1.0 $ $Date: 2004/12/27 13:56:21 $
 */

public final class HttpMethodValve
    extends RequestFilterValve {


    // ----------------------------------------------------- Instance Variables


    /**
     * The descriptive information related to this implementation.
     */
    private static final String info =
        "org.apache.catalina.valves.HttpMethodValve/1.0";


    // ------------------------------------------------------------- Properties


    /**
     * Return descriptive information about this Valve implementation.
     */
    public String getInfo() {

        return (info);

    }


    // --------------------------------------------------------- Public Methods


    /**
     * Extract the desired request property, and pass it (along with the
     * specified request and response objects) to the protected
     * <code>process()</code> method to perform the actual filtering.
     * This method must be implemented by a concrete subclass.
     *
     * @param request The servlet request to be processed
     * @param response The servlet response to be created
     * @param context The valve context used to invoke the next valve
     *  in the current processing pipeline
     *
     * @exception IOException if an input/output error occurs
     * @exception ServletException if a servlet error occurs
     */
    public void invoke(Request request, Response response,
                       ValveContext context)
        throws IOException, ServletException {

        ServletRequest sreq = request.getRequest();
        if (sreq instanceof HttpServletRequest) {
            // RequestFilterValve.process() matches the method name against the
            // deny list first, then the allow list; a denied request is
            // answered with HTTP 403 and is not passed down the pipeline.
            HttpServletRequest hreq = (HttpServletRequest) sreq;
            process(hreq.getMethod(), request, response, context);
        } else {
            // Not an HTTP request: there is no method to filter on, so
            // continue the pipeline instead of dropping the request without
            // ever producing a response.
            context.invokeNext(request, response);
        }

    }


}
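
For the common case the report describes, a site that only needs PUT and DELETE refused, the Servlet specification already offers a declarative way to do it with no custom valve: a security-constraint in the web application's WEB-INF/web.xml that names those methods and carries an empty auth-constraint, which makes the container answer them with 403 Forbidden. The fragment below is an added example, not part of the bug report or of the Tomcat distribution; the constraint name and url-pattern are placeholders. It differs from the valve in scope: it covers one web application rather than every context under an Engine or Host, so it has to be repeated in each deployed application (the default and manager applications included, if they are exposed), and, like the valve's deny list, it matches method names exactly and case-sensitively.

```xml
<!-- WEB-INF/web.xml (Servlet 2.4 form, as used by Tomcat 5). The
     web-resource-name and url-pattern are placeholders for this example. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>deny-put-delete</web-resource-name>
      <!-- every resource in this web application -->
      <url-pattern>/*</url-pattern>
      <!-- only the listed methods are constrained; GET, POST, HEAD and the
           rest are not touched by this constraint -->
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <!-- an empty auth-constraint grants access to no role at all, so the
         container rejects a matching request with 403 Forbidden before any
         servlet in the application sees it -->
    <auth-constraint/>
  </security-constraint>

</web-app>
```

Tomcat rejects a request that matches such a constraint without prompting for credentials, so no realm or login-config is required for this constraint alone. Both this constraint and the valve from the report (whose RequestFilterValve.process() calls sendError with SC_FORBIDDEN) report a blocked method as 403 rather than 405 Method Not Allowed, which is worth knowing when reading the status a scanner records for the method.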

