tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Restrict http methods
Date Fri, 14 May 2010 08:06:07 GMT
Mark Thomas wrote:
> On 14/05/2010 00:28, André Warnier wrote:
>> Leo,
>>
>> normally in the default config of a webserver, these methods are by
>> default disabled, for the simple reason that there is no "handler"
>> defined for them.  That is the case for Apache httpd, and I suppose for
>> Tomcat.
> 
> Nope. The default servlet supports both PUT and DELETE but they are
> blocked by default.
> 
>> I suppose that Tomcat could return a "405 Method Not Allowed" or a "501
>> Not Implemented" error code, but I am not sure what it does really.
> 
> It returns a 403.
> 
> Mark
> 
Thanks.
Just for further information really:
If there is a webapp context say at /abc, with a servlet url-mapping of 
"/*", and this servlet does not have a doPut() method, does a PUT 
request to /abc get remapped to the default servlet?


>>
>> Leo Donahue - PLANDEVX wrote:
>>> Thanks.
>>>
>>> Security audit day.  Spent 3 hours making changes - waiting for
>>> results, when the tool ended up reporting a false-positive for DELETE.
>>> Now I know I could have done nothing.  Great.  I still don't have warm
>>> fuzzies about this.
>>>
>>> I think they used IBM Rational App Scan, not sure though.
>>>
>>> Leo
>>> -----Original Message-----
>>> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] Sent:
>>> Thursday, May 13, 2010 3:13 PM
>>> To: Tomcat Users List
>>> Subject: RE: Restrict http methods
>>>> From: Leo Donahue - PLANDEVX [mailto:LeoDonahue@mail.maricopa.gov]
>>>> Subject: Restrict http methods
>>>>
>>>> What do most people use to restrict PUT and DELETE http methods?
>>>>
>>>> 2. Set the attribute "readonly" to true in the default servlet in
>>>> web.xml
>>> The readonly attribute defaults to true, so most people do ... nothing.
>>>
>>>  - Chuck
>>>
>>>
>>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
>>> PROPRIETARY MATERIAL and is thus for use only by the intended
>>> recipient. If you received this in error, please contact the sender
>>> and delete the e-mail and its attachments from all computers.
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>>
>>>
>>
>>
> 
> 
> 
> 
> 
> 


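The two mechanisms the thread touches on, as an added illustration that is not part of the original mail: the DefaultServlet's readonly init-param (Chuck's point that it already defaults to true, yielding the 403 Mark describes) and a security-constraint that denies PUT and DELETE on every URL of a webapp. The constraint is evaluated by the container before the request is dispatched, so it applies whichever servlet the URL maps to; the conf/web.xml excerpt is abbreviated to the parameter under discussion.

```xml
<!-- conf/web.xml (Tomcat-wide): the default servlet, with readonly set
     explicitly to its default value of true so PUT/DELETE are rejected -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- WEB-INF/web.xml of the webapp (e.g. the /abc context in the question):
     deny PUT and DELETE for all URLs regardless of the handling servlet.
     An empty auth-constraint grants the resource to no role at all, so the
     container refuses the request with 403 before any servlet code runs. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Block PUT and DELETE</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
```

Note that a constraint listing specific http-method elements restricts only those methods; anything not listed stays unconstrained, so list every method you intend to block.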

