Return-Path:
Delivered-To: apmail-jakarta-tomcat-dev-archive@www.apache.org
Received: (qmail 20553 invoked from network); 3 Jan 2005 19:33:23 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 3 Jan 2005 19:33:23 -0000
Received: (qmail 95334 invoked by uid 500); 3 Jan 2005 19:32:53 -0000
Delivered-To: apmail-jakarta-tomcat-dev-archive@jakarta.apache.org
Received: (qmail 95304 invoked by uid 500); 3 Jan 2005 19:32:52 -0000
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
List-Unsubscribe:
List-Subscribe:
List-Help:
List-Post:
List-Id: "Tomcat Developers List"
Reply-To: "Tomcat Developers List"
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 95290 invoked by uid 99); 3 Jan 2005 19:32:52 -0000
X-ASF-Spam-Status: No, hits=0.2 required=10.0 tests=NO_REAL_NAME
X-Spam-Check-By: apache.org
Received: from ajax-1.apache.org (HELO ajax.apache.org) (192.87.106.226) by apache.org (qpsmtpd/0.28) with ESMTP; Mon, 03 Jan 2005 11:32:45 -0800
Received: from ajax.apache.org (ajax.apache.org [127.0.0.1]) by ajax.apache.org (8.12.11/8.12.11) with ESMTP id j03JWgPW006451 for ; Mon, 3 Jan 2005 20:32:42 +0100
Received: (from nobody@localhost) by ajax.apache.org (8.12.11/8.12.11/Submit) id j03JWgnO006449; Mon, 3 Jan 2005 20:32:42 +0100
Date: Mon, 3 Jan 2005 20:32:42 +0100
Message-Id: <200501031932.j03JWgnO006449@ajax.apache.org>
From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 32926] New: - Disable HTTP methods PUT and DELETE
X-Bugzilla-Reason: AssignedTo
X-Virus-Checked: Checked
X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT .
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=32926

           Summary: Disable HTTP methods PUT and DELETE
           Product: Tomcat 5
           Version: Unknown
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: PatchAvailable
          Severity: enhancement
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: anderson@mitre.org

I suggest that you include in the Tomcat distribution a valve to filter HTTP requests by method. I have seen a few requests on how to disable PUT and DELETE methods. Disabling these methods is a common requirement for Tomcat in standalone mode at sites that run the NESSUS security scanner.

I have written such a valve (it's a slight modification of RemoteAddrValve), and offer it to you with no restrictions.

The valve would be configured in server.xml like this:

Here is the code that I wrote for my server (I changed the package name to match what you would use):

-------
package org.apache.catalina.valves;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.ValveContext;

/**
 * Concrete implementation of RequestFilterValve that filters
 * HTTP requests based upon the string representation of the request method.
 *
 * in server.xml:
 *
 *
 * where comma-separated-string is a list of HTTP methods (uppercase) separated by commas.
 *
 * Example: To disable PUT and DELETE methods on a standalone Tomcat 5 server,
 *
 *
 *
 * @author Mark Anderson
 * @version $Revision: 1.0 $ $Date: 2004/12/27 13:56:21 $
 */
public final class HttpMethodValve extends RequestFilterValve {

    // ----------------------------------------------------- Instance Variables

    /**
     * The descriptive information related to this implementation.
     */
    private static final String info =
        "org.apache.catalina.valves.HttpMethodValve/1.0";

    // ------------------------------------------------------------- Properties

    /**
     * Return descriptive information about this Valve implementation.
     */
    public String getInfo() {
        return (info);
    }

    // --------------------------------------------------------- Public Methods

    /**
     * Extract the desired request property, and pass it (along with the
     * specified request and response objects) to the protected
     * process() method to perform the actual filtering.
     * This method must be implemented by a concrete subclass.
     *
     * @param request The servlet request to be processed
     * @param response The servlet response to be created
     * @param context The valve context used to invoke the next valve
     *  in the current processing pipeline
     *
     * @exception IOException if an input/output error occurs
     * @exception ServletException if a servlet error occurs
     */
    public void invoke(Request request, Response response,
                       ValveContext context)
        throws IOException, ServletException {

        // Only HTTP requests carry a method; anything else passes through
        // process() untouched, exactly as RemoteAddrValve handles it.
        ServletRequest sreq = request.getRequest();
        if (sreq instanceof HttpServletRequest) {
            HttpServletRequest hreq = (HttpServletRequest) sreq;
            // The inherited allow/deny lists of RequestFilterValve are matched
            // against the method string (e.g. "PUT"), so the comparison is
            // case-sensitive, just like the HTTP method token itself.
            process(hreq.getMethod(), request, response, context);
        }

    }

}

--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
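A container-independent way to get the same effect, added here as an illustration and not part of the bug report or of Tomcat itself, is a servlet Filter that allowlists the methods an application actually serves instead of denylisting PUT and DELETE. A denylist misses everything it did not name (TRACE, the WebDAV verbs, arbitrary tokens a scanner may try), whereas an allowlist rejects all of them with 405 and the Allow header that HTTP requires on that status. The package name, class name and the "allow" init parameter are assumptions chosen for this example; the javax.servlet API calls are the standard ones available in Tomcat 5.

```java
package example.security;   // hypothetical package, not part of Tomcat

import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects every HTTP method that is not on an explicit allowlist.
 *
 * Init parameter "allow" (name assumed for this example): comma-separated
 * list of method tokens, default "GET,HEAD,POST". Tokens are matched exactly,
 * because HTTP method names are case-sensitive; "put" is simply another
 * unknown method and is rejected like "PUT".
 */
public final class HttpMethodAllowlistFilter implements Filter {

    private static final String DEFAULT_ALLOW = "GET,HEAD,POST";

    private Set<String> allowed = Collections.emptySet();
    private String allowHeader = DEFAULT_ALLOW;

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("allow");
        configure(param == null ? DEFAULT_ALLOW : param);
    }

    /** Parses the allowlist; kept separate so it can be unit-tested without a container. */
    void configure(String csv) {
        Set<String> set = new HashSet<String>();
        for (String token : csv.split(",")) {
            String method = token.trim();
            if (method.length() > 0) {
                set.add(method);
            }
        }
        allowed = Collections.unmodifiableSet(set);
        allowHeader = join(set);
    }

    /** True only for an exact, case-sensitive match against the allowlist. */
    boolean isAllowed(String method) {
        return method != null && allowed.contains(method);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            String method = ((HttpServletRequest) req).getMethod();
            if (!isAllowed(method)) {
                HttpServletResponse hres = (HttpServletResponse) res;
                // 405 must advertise what is permitted; that is also what a
                // scanner will read to see the surface has been reduced.
                hres.setHeader("Allow", allowHeader);
                hres.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                return;   // never reaches the servlet: the chain is not continued
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    private static String join(Set<String> methods) {
        StringBuilder sb = new StringBuilder();
        for (String m : methods) {
            if (sb.length() > 0) {
                sb.append(", ");
            }
            sb.append(m);
        }
        return sb.toString();
    }
}
```

Register it in the application's web.xml with a filter-mapping on the url-pattern /* so it runs before any servlet. Two caveats follow from the difference between a Filter and a Valve: a Filter protects only the web application it is deployed in, so the manager and any default-deployed applications need their own mapping (the valve in the report, placed in server.xml, covers every application under that Engine or Host at once); and neither mechanism changes the DefaultServlet's own readonly=true setting, which is what actually stops PUT and DELETE from writing files in a stock Tomcat. The method filter removes the verbs from the visible surface, and should be verified afterwards by sending PUT, DELETE and TRACE requests and confirming the 405 and its Allow header.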