tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Restrict http methods
Date Fri, 14 May 2010 15:28:17 GMT
Leo Donahue - PLANDEVX wrote:
...

> 
> Yes.  I wasn't implementing doPUT or doDELETE and was scratching my head trying to figure
> out how the security scan was able to indicate those methods were available.
> 
Then it very much looks right now as if it is the scanner which is faulty.
Being mainly a Perl guy, I know this tool which would tell you how 
Tomcat reacts: lwp-request
It is a Perl command-line tool which allows you to create and send an HTTP 
request to a server, and see the returned answer in detail.
lwp-request --help will tell you all about it.
e.g.

# lwp-request -m PUT -Sed http://localhost:8180/some-url
Please enter content (text/plain) to be PUTed:
abcdef
^D
PUT http://localhost:8180/some-url --> 403 Forbidden
Connection: close
Date: Fri, 14 May 2010 15:24:55 GMT
Server: Apache-Coyote/1.1
Content-Length: 958
Content-Type: text/html;charset=utf-8
Client-Date: Fri, 14 May 2010 15:24:55 GMT
Client-Peer: 127.0.0.1:8180
Client-Response-Num: 1
Title: Apache Tomcat/5.0 - Error report

So, it does respond 403.
Mark was right. How does he know these things?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

