Leo,
normally in the default config of a webserver, these methods are by
default disabled, for the simple reason that there is no "handler"
defined for them. That is the case for Apache httpd, and I suppose for
Tomcat.
In other words, it is for these methods to actually do something that
you would have to configure a handler (or a servlet) that contains code
which handles these methods and does something.
Actually, I just looked at what the Servlet Spec 3.0 has to say about
this (2.1), and it does not say much. In particular, it does not say
exactly what should happen when the servlet does not contain doPut
and/or doDelete methods.
I suppose that Tomcat could return a "405 Method Not Allowed" or a "501
Not Implemented" error code, but I am not sure what it does really.
Leo Donahue - PLANDEVX wrote:
> Thanks.
>
> Security audit day. Spent 3 hours making changes - waiting for results, when the tool ended up reporting a false-positive for DELETE.
> Now I know I could have done nothing. Great. I still don't have warm fuzzies about this.
>
> I think they used IBM Rational App Scan, not sure though.
>
> Leo
>
> -----Original Message-----
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
> Sent: Thursday, May 13, 2010 3:13 PM
> To: Tomcat Users List
> Subject: RE: Restrict http methods
>
>> From: Leo Donahue - PLANDEVX [mailto:LeoDonahue@mail.maricopa.gov]
>> Subject: Restrict http methods
>>
>> What do most people use to restrict PUT and DELETE http methods?
>>
>> 2. Set the attribute "readonly" to true in the default servlet in
>> web.xml
>
> The readonly attribute defaults to true, so most people do ... nothing.
>
> - Chuck
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
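The thread refers to the "readonly" attribute of Tomcat's default servlet without showing the configuration. The fragment below is an added example, not something posted in the thread or shipped by Tomcat. It redeclares the default servlet in an application's WEB-INF/web.xml with readonly set explicitly to true (which, as Chuck notes, is already the default; writing it out makes the audit evidence explicit) and goes one step beyond the thread by adding a security-constraint that denies PUT and DELETE for the whole application, so a custom servlet that does implement doPut or doDelete is covered as well. The servlet class name and init-param names are Tomcat's real ones; the url-pattern and the web-app version header are assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: WEB-INF/web.xml fragment hardening PUT/DELETE handling.
     Not from the mailing-list thread; version header and url-pattern are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Redeclare Tomcat's default servlet (normally defined in conf/web.xml)
       so the read-only setting is visible in the application itself.
       readonly=true is the default; stating it explicitly documents intent. -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

  <!-- Defence in depth: an empty auth-constraint means "no role may access",
       so PUT and DELETE are refused for every resource in this application,
       including any custom servlet that happens to implement doPut/doDelete. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Deny PUT and DELETE</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```

After deploying, a scanner's PUT or DELETE request should come back with a 4xx rejection rather than a 2xx; checking the access log for the status code returned on those methods is the quickest way to confirm the constraint is in effect before the next audit run.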