From: joeweder
To: users@tomcat.apache.org
Date: Thu, 2 Apr 2009 07:24:33 -0700 (PDT)
Subject: Re: How2 Disable PUT response in OPTIONS method
Message-ID: <22849145.post@talk.nabble.com>
In-Reply-To: <49D0EE43.3020602@apache.org>
References: <22786288.post@talk.nabble.com> <49D0EE43.3020602@apache.org>

Thanks markt-2. The idea of using a ServletFilter is a good one but will not
work because the application (we've inherited) does not have a single entry
point (dispatch/front-controller), yuck. So I'd have to patch it in several
places.

What I wound up doing was making a little custom valve (HttpMethodValve) and
adding it to the Engine in our server.xml. The valve allows only the methods
specified (see allow=""), gives a 403 otherwise, and reports only the
allow(ed) methods in response to OPTIONS. Dropped this little jar in
tomcat/lib and rock-n-roll.

markt-2 wrote:
>
> joeweder wrote:
>> I have PUTs disabled but they are still being published as supported in
>> response to the OPTIONS method.
>
> Which is correct as per the HTTP spec.
>
>> Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
>> Server: Apache-Coyote/1.1
>>
>> Actually doing a PUT returns a 403. But the "in-house" security scanner just
>> looks at the response from the OPTIONS method.
>
> Then your security scanner needs to be fixed.
>
>> Is there any way to stop Tomcat 6 from responding to the OPTIONS that it
>> supports the PUT?
>
> You would need to provide your own DefaultServlet implementation. You
> should be able to take Tomcat's and override the appropriate method.
>
> Alternatively, you should be able to achieve the same effect with a Filter
> and a wrapped response.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

--
View this message in context: http://www.nabble.com/How2-Disable-PUT-response-in-OPTIONS-method-tp22786288p22849145.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
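A Valve of the kind described in the message above, written here as an added illustration rather than joeweder's actual jar. It assumes the Tomcat 6 Valve API (org.apache.catalina.valves.ValveBase) and a hypothetical package name `example`; the allow="" attribute is read from server.xml, OPTIONS is answered with exactly that list, and every other method not on the list gets a 403 before any servlet runs.

```java
package example; // hypothetical package; adjust className in server.xml to match

import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

// server.xml, inside <Engine>:
//   <Valve className="example.HttpMethodValve" allow="GET,HEAD,POST,OPTIONS"/>
public class HttpMethodValve extends ValveBase {

    private final Set<String> allowed = new HashSet<String>();
    private String allowHeader = "";   // e.g. "GET, HEAD, POST, OPTIONS"

    // Called by Tomcat's digester for the allow="" attribute in server.xml.
    public void setAllow(String allow) {
        allowed.clear();
        StringBuilder sb = new StringBuilder();
        for (String m : allow.split(",")) {
            String t = m.trim().toUpperCase(Locale.ENGLISH);
            if (t.length() == 0 || !allowed.add(t)) continue;   // skip blanks/dupes
            if (sb.length() > 0) sb.append(", ");
            sb.append(t);
        }
        allowHeader = sb.toString();
    }

    public String getAllow() { return allowHeader; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String method = request.getMethod().toUpperCase(Locale.ENGLISH);
        if ("OPTIONS".equals(method) && allowed.contains("OPTIONS")) {
            // Advertise only the admitted methods, not the DefaultServlet's list.
            response.setHeader("Allow", allowHeader);
            response.setContentLength(0);
            response.setStatus(HttpServletResponse.SC_OK);
            return;
        }
        if (!allowed.contains(method)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);   // e.g. PUT, DELETE
            return;
        }
        getNext().invoke(request, response);   // admitted: continue the pipeline
    }
}
```

Because the valve sits on the Engine it applies to every Host and Context, so any web application that legitimately needs PUT or DELETE (WebDAV, REST endpoints) must have those methods listed in allow="" or be served from a separate Engine.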