From: André Warnier
Reply-To: Tomcat Users List
To: Tomcat Users List
Date: Fri, 14 May 2010 10:06:07 +0200
Message-ID: <4BED046F.2030601@ice-sa.com>
Subject: Re: Restrict http methods
References: <99C8B2929B39C24493377AC7A121E21F98E49F06E1@USEA-EXCH8.na.uis.unisys.com> <4BEC8B23.3000404@ice-sa.com> <4BECFF1F.1070804@apache.org>
In-Reply-To: <4BECFF1F.1070804@apache.org>

Mark Thomas wrote:
> On 14/05/2010 00:28, André Warnier wrote:
>> Leo,
>>
>> normally in the default config of a webserver, these methods are by
>> default disabled, for the simple reason that there is no "handler"
>> defined for them. That is the case for Apache httpd, and I suppose for
>> Tomcat.
>
> Nope. The default servlet supports both PUT and DELETE but they are
> blocked by default.
>
>> I suppose that Tomcat could return a "405 Method Not Allowed" or a "501
>> Not Implemented" error code, but I am not sure what it does really.
>
> It returns a 403.
>
> Mark
>
Thanks.
Just for further information really: if there is a webapp context, say at /abc, with a servlet url-mapping of "/*", and this servlet does not have a doPut() method, does a PUT request to /abc get remapped to the default servlet?

>>
>> Leo Donahue - PLANDEVX wrote:
>>> Thanks.
>>>
>>> Security audit day. Spent 3 hours making changes - waiting for
>>> results, when the tool ended up reporting a false-positive for DELETE.
>>> Now I know I could have done nothing. Great. I still don't have warm
>>> fuzzies about this.
>>>
>>> I think they used IBM Rational App Scan, not sure though.
>>>
>>> Leo
>>>
>>> -----Original Message-----
>>> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
>>> Sent: Thursday, May 13, 2010 3:13 PM
>>> To: Tomcat Users List
>>> Subject: RE: Restrict http methods
>>>
>>>> From: Leo Donahue - PLANDEVX [mailto:LeoDonahue@mail.maricopa.gov]
>>>> Subject: Restrict http methods
>>>>
>>>> What do most people use to restrict PUT and DELETE http methods?
>>>>
>>>> 2. Set the attribute "readonly" to true in the default servlet in
>>>> web.xml
>>>
>>> The readonly attribute defaults to true, so most people do ... nothing.
>>>
>>> - Chuck

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
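Added here as an illustration, not taken from the thread: a web.xml fragment that spells out the two controls discussed above, the DefaultServlet "readonly" init-param (true is already the default, as Chuck notes, so declaring it only documents the intent) and a security-constraint that makes Tomcat answer PUT and DELETE with 403 for every URL in the application, including URLs served by the application's own servlets rather than the default servlet. The servlet declaration mirrors the one in Tomcat's conf/web.xml; the url-pattern and resource name are chosen for the example.

```xml
<!-- Example only: redeclaring the container's default servlet inside an
     application's WEB-INF/web.xml so its settings are explicit.
     readonly=true rejects PUT/DELETE (and other write methods) to static
     resources; readonly=false is the weak setting and would allow remote
     file creation and deletion under the webapp's document root. -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>   <!-- the default; false is unsafe -->
  </init-param>
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>  <!-- no directory listings either -->
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>

<!-- Deny PUT and DELETE for the whole application, whatever servlet the
     URL maps to. An empty auth-constraint means "no role may access",
     so the container answers these requests with 403 Forbidden. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Block PUT and DELETE</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

Caveat: a constraint that lists http-method elements covers only the listed methods, so GET, POST and any method not named stay unconstrained by this block; do not read it as protecting anything beyond PUT and DELETE.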