tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Restrict http methods
Date Thu, 13 May 2010 23:28:35 GMT
Leo,

normally in the default config of a webserver, these methods are by 
default disabled, for the simple reason that there is no "handler" 
defined for them.  That is the case for Apache httpd, and I suppose for 
Tomcat.

In other words, for these methods to actually do something, you would 
have to configure a handler (or a servlet) that contains code which 
handles these methods and does something.

Actually, I just looked at what the Servlet Spec 3.0 has to say about 
this (2.1), and it does not say much.  In particular, it does not say 
exactly what should happen when the servlet does not contain doPut 
and/or doDelete methods.
I suppose that Tomcat could return a "405 Method Not Allowed" or a "501 
Not Implemented" error code, but I am not sure what it does really.


Leo Donahue - PLANDEVX wrote:
> Thanks.
> 
> Security audit day.  Spent 3 hours making changes - waiting for results, when the tool
> ended up reporting a false-positive for DELETE.
> Now I know I could have done nothing.  Great.  I still don't have warm fuzzies about
> this.
> 
> I think they used IBM Rational App Scan, not sure though.
> 
> Leo 
> 
> -----Original Message-----
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
> Sent: Thursday, May 13, 2010 3:13 PM
> To: Tomcat Users List
> Subject: RE: Restrict http methods 
> 
>> From: Leo Donahue - PLANDEVX [mailto:LeoDonahue@mail.maricopa.gov]
>> Subject: Restrict http methods
>>
>> What do most people use to restrict PUT and DELETE http methods?
>>
>> 2. Set the attribute "readonly" to true in the default servlet in 
>> web.xml
> 
> The readonly attribute defaults to true, so most people do ... nothing.
> 
>  - Chuck
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
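As an added example (not code from this thread or from the Tomcat project), the check below does what Leo's audit tool should have done: it reads a Tomcat-style web.xml and reports the effective `readonly` value of the DefaultServlet, treating an absent parameter as true, which is the default Chuck refers to. The web.xml snippets are constructed, and the value parsing assumes Tomcat applies Java's `Boolean.parseBoolean` to the parameter (only the literal "true", case-insensitive, enables read-only mode).

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    # Drop the XML namespace so javaee and jakartaee web.xml files both work.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def default_servlet_readonly(web_xml):
    """Effective 'readonly' value of the DefaultServlet declared in web_xml.

    Assumed Tomcat behaviour: the init-param is optional and defaults to
    true; when present it is parsed like Boolean.parseBoolean, so only a
    literal "true" keeps PUT/DELETE on static content disabled.  No
    DefaultServlet declaration at all also leaves the default (true).
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return (_child_text(param, "param-value") or "").lower() == "true"
        return True  # declared, but readonly not set: Tomcat default applies
    return True


# Constructed samples in the shape of Tomcat's conf/web.xml (not real deployments).
SAFE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

WRITABLE_WEB_XML = SAFE_WEB_XML.replace(
    "</servlet>",
    "  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n  </servlet>")


def audit(web_xml):
    """One-line finding for an audit report."""
    if default_servlet_readonly(web_xml):
        return "OK: DefaultServlet is read-only; PUT/DELETE on static content are refused"
    return "FINDING: readonly=false lets PUT/DELETE modify static content"
```

Run `audit()` over the real `conf/web.xml` and any per-application web.xml that redeclares the default servlet; a scanner hit on DELETE with an "OK" result here is the false positive Leo describes.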

