tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: How2 Disable PUT response in OPTIONS method
Date Thu, 02 Apr 2009 14:31:08 GMT
joeweder wrote:
> Thanks markt-2. The idea of using a ServletFilter is a good one but will not
> work because the application (we've inherited) does not have a single entry
> point (dispatch/front-controller) yuck. So I'd have to patch it several
> places.

You can map filters to /*

Mark

> 
> What I wound up doing was making a little custom valve (HttpMethodValve) and
> added it to the Engine in our server.xml. The valve allows only the methods
> specified (see allow=""), gives a 403 otherwise, and reports only the
> allow(ed) methods in response to OPTIONS. Dropped this little jar in
> tomcat/lib and rock-n-roll.
> 
>         <Engine name="Catalina" defaultHost="localhost">
> 	    <Valve className="org.apache.catalina.valves.AccessLogValve" ...... />
> 	    <Valve className="org.apache.catalina.valves.HttpMethodValve"
> allow="GET,POST,OPTIONS"/>
>             <Host name="localhost"
>                     ....
>                     />
>         </Engine>
> 
> 
> markt-2 wrote:
>> joeweder wrote:
>>> I have PUTs disabled but they are still being published as supported in
>>> response to the OPTIONS method.
>> Which is correct as per the HTTP spec.
>>
>>> Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
>>> Server: Apache-Coyote/1.1
>>>
>>> Actually doing a PUT returns a 403. But "in-house" security scanner just
>>> looks at response from the OPTIONS method. 
>> Then your security scanner needs to be fixed.
>>
>>> Is there any way to stop Tomcat 6 from responding to the OPTIONS that it
>>> supports the PUT?
>> You would need to provide your own DefaultServlet implementation. You
>> should be able to take Tomcat's and override the appropriate method.
>>
>> Alternatively, you should be able to achieve the same effect with a Filter
>> and a wrapped response.
>>
>> Mark
>>
> 
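The Filter-plus-wrapped-response approach Mark suggests, mapped to /* so it needs no single entry point, written as an added example for this thread (not code from Mark, joeweder or Tomcat). It does the same two things as joeweder's valve, a 403 for verbs outside the list and an Allow header that lists only those verbs, but per web application rather than Engine-wide; the class name, the `allow` init-param name and its default are assumptions.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Rejects HTTP methods outside the configured list and advertises only that list in OPTIONS replies. */
public class AllowedMethodsFilter implements Filter {
    private Set<String> allowed = new HashSet<String>(); // e.g. GET, POST, OPTIONS
    private String allowHeader;                           // value written to the Allow header

    public void init(FilterConfig config) {
        // init-param "allow" is an assumed name; the default mirrors the valve config from the thread
        String param = config.getInitParameter("allow");
        if (param == null) param = "GET,POST,OPTIONS";
        for (String m : param.split(",")) allowed.add(m.trim().toUpperCase(Locale.ENGLISH));
        allowHeader = param.replace(" ", "").replace(",", ", ");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String method = request.getMethod().toUpperCase(Locale.ENGLISH);
        if (!allowed.contains(method)) {
            // Disallowed verb: stop it here, before DefaultServlet or any app servlet sees it
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if ("OPTIONS".equals(method)) {
            // Let DefaultServlet answer, but pin whatever Allow header it writes to our list
            chain.doFilter(req, new AllowRewriter(response, allowHeader));
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}

    /** Response wrapper that replaces any Allow header with the configured value. */
    private static class AllowRewriter extends HttpServletResponseWrapper {
        private final String allow;
        AllowRewriter(HttpServletResponse r, String allow) { super(r); this.allow = allow; }
        @Override public void setHeader(String name, String value) {
            super.setHeader(name, "Allow".equalsIgnoreCase(name) ? allow : value);
        }
        @Override public void addHeader(String name, String value) {
            if ("Allow".equalsIgnoreCase(name)) super.setHeader(name, allow);
            else super.addHeader(name, value);
        }
    }
}
```

Register it in the application's web.xml with a `<filter-mapping>` whose `<url-pattern>` is `/*`; the scanner then sees `Allow: GET, POST, OPTIONS` while PUT and DELETE still get the 403 they already got.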


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

