tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Restrict http methods
Date Fri, 14 May 2010 12:06:52 GMT
Mark Thomas wrote:
> On 14/05/2010 09:06, André Warnier wrote:
>> Mark Thomas wrote:
>>> On 14/05/2010 00:28, André Warnier wrote:
>>>> Leo,
>>>> normally in the default config of a webserver, these methods are by
>>>> default disabled, for the simple reason that there is no "handler"
>>>> defined for them.  That is the case for Apache httpd, and I suppose for
>>>> Tomcat.
>>> Nope. The default servlet supports both PUT and DELETE but they are
>>> blocked by default.
>>>> I suppose that Tomcat could return a "405 Method Not Allowed" or a "501
>>>> Not Implemented" error code, but I am not sure what it does really.
>>> It returns a 403.
>>> Mark
>> Thanks.
>> Just for further information really :
>> If there is a webapp context say at /abc, with a servlet url-mapping of
>> "/*", and this servlet does not have a doPut() method, does a PUT
>> request to /abc get remapped to the default servlet ?
> No. All requests, regardless of HTTP method, get passed to a Servlet's
> service() method. From the reference to doPut(), I assume that the
> servlet in question is extending javax.servlet.http.HttpServlet
> Rather than me describe what that code does:
Allright, I think I get it now.  My mindset is just not Java- or 
object-enough oriented for me to think of that right away.
So a servlet subclasses (or implements) HttpServlet, and if it does not 
itself override the doPut and doDelete methods, the ones from the base 
class (or interface) apply.
And these return 403.

Thanks for enlightening me.

Leo, are you still with us ?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message