Disable HTTP TRACE in Jetty 5.x


Disable HTTP TRACE in Jetty 5.x

lneelaka
I have seen some questions on this topic in the forum, but I am not clear about the status on this topic. So, I'd like to ask the question(s) again:

a) Is there a way to disable HTTP TRACE in the Jetty 5.x versions through a configuration option?

b) HTTP TRACE in Jetty 5.x appears to be on, but there does not seem to be a security issue, in the sense that it does not appear to be echoing the client request. Is my understanding correct?

c) Has the HTTP TRACE configuration issue been addressed in any of the recent versions of Jetty? If yes, which one?

Many thanks!
Neel

Re: Disable HTTP TRACE in Jetty 5.x

Jan Bartel
lneelaka,


In jetty5 the trace method is implemented for the Default servlet
but will not echo back any content unless you call Server.setTrace(true),
e.g. via your jetty.xml file. If you wish to disable it completely, you can
always do a security constraint:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>NoTrace</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>  
    <auth-constraint>
    </auth-constraint>
  </security-constraint>

You can put that in webdefault.xml in order to have it apply to all
webapps.


In jetty6, the trace method is implemented on the DefaultServlet thus:

    protected void doTrace(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException
    {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

So if you want it to do something, you'd have to subclass the DefaultServlet.

Of course, your own servlets need to take account of TRACE requests appropriately
(or use the security constraint to forbid them).

regards
Jan


--
Jan Bartel, Webtide LLC | [hidden email] | http://www.webtide.com

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Jetty-support mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/jetty-support

Re: Disable HTTP TRACE in Jetty 5.x

Jan Bartel
I should have said that with jetty6, we've already added the security constraint
into webdefault.xml so you don't have to do it.

Jan



--
Jan Bartel, Webtide LLC | [hidden email] | http://www.webtide.com


Re: Disable HTTP TRACE in Jetty 5.x

Mohan.Radhakrishnan
In reply to this post by Jan Bartel
Hi,

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable TRACE</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

This thread is old, but I was checking one aspect. What is the expected response from Jetty when we type this command?

The following are the responses after enabling the security constraint.

TRACE / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 21 Jun 2010 08:08:19 GMT
Server: Jetty/2.4.jetty (Windows XP/5.1 x86 java/1.6.0_18
Content-Length: 0
Allow: GET, POST, HEAD, OPTIONS, TRACE

TRACE / HTTP/1.0
TEST - Type 'ENTER'
TEST - Type 'ENTER'



HTTP/1.1 200 OK
Date: Mon, 21 Jun 2010 08:05:47 GMT
Server: Jetty/2.4.jetty (Windows XP/5.1 x86 java/1.6.0_18
Content-Type: message/http
Connection: close

Thanks,
Mohan
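A probe for what this thread is checking, as an added example that is not part of any post above and not Jetty code: it sends a TRACE request carrying a random canary header and classifies the reply as echoed (the cross-site tracing case Jan describes for Server.setTrace(true)), accepted but not echoed (the Jetty 5 default), or refused (what the security constraint, or Jetty 6's doTrace, should produce). The header name X-Trace-Probe and the default port 8080 are assumptions, and the sample responses are constructed, modelled on the two replies pasted by Mohan plus the refused case.

```python
"""Check whether an HTTP server echoes TRACE requests (cross-site tracing)."""
import http.client
import secrets
import sys

# Assumption: an arbitrary header name used as a canary; any name works as long
# as the server is unlikely to add it itself.
MARKER_HEADER = "X-Trace-Probe"


def parse_raw_response(raw):
    """Split a raw HTTP response into (status code, headers dict, body bytes).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF responses pasted from a terminal
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("iso-8859-1").splitlines()
    status = int(lines[0].split(None, 2)[1])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_trace_response(status, body, marker):
    """Classify a TRACE reply.

    "echoed"  - 2xx and the canary we sent is repeated in the body: the server
                reflects client requests (what Server.setTrace(true) enables).
    "allowed" - 2xx but nothing echoed: TRACE accepted but nothing reflected.
    "blocked" - any non-2xx status (403 from a security constraint with an
                empty auth-constraint, 405 from a doTrace that sends
                SC_METHOD_NOT_ALLOWED).
    """
    if 200 <= status < 300:
        return "echoed" if marker.encode("ascii") in body else "allowed"
    return "blocked"


def classify_raw(raw, marker):
    """Classify a captured raw response (bytes) for a given canary value."""
    status, _headers, body = parse_raw_response(raw)
    return classify_trace_response(status, body, marker)


def probe_trace(host, port=8080, path="/", timeout=5):
    """Send TRACE with a random canary header and classify the live reply."""
    marker = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={MARKER_HEADER: marker})
        resp = conn.getresponse()
        return classify_trace_response(resp.status, resp.read(), marker)
    finally:
        conn.close()


# Constructed sample replies (not captured from a real server), modelled on the
# two responses pasted in the thread plus the refused case.
SAMPLE_ECHOED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"X-Trace-Probe: deadbeefcafef00d\r\n"
    b"\r\n"
)
SAMPLE_ALLOWED_NO_ECHO = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 0\r\n"
    b"Allow: GET, POST, HEAD, OPTIONS, TRACE\r\n"
    b"\r\n"
)
SAMPLE_BLOCKED = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, raw in (("echoed sample", SAMPLE_ECHOED),
                      ("no-echo sample", SAMPLE_ALLOWED_NO_ECHO),
                      ("blocked sample", SAMPLE_BLOCKED)):
        print(f"{name}: {classify_raw(raw, 'deadbeefcafef00d')}")
    if len(sys.argv) > 1:  # python trace_probe.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
        print(f"live probe of {sys.argv[1]}:{port}: {probe_trace(sys.argv[1], port)}")
```

With the security constraint in place, an empty <auth-constraint/> denies every caller, so the reply to TRACE should be 403 Forbidden rather than the 405 Method Not Allowed that Jetty 6's DefaultServlet returns; both classify as blocked. A 200 with Content-Type: message/http whose body repeats the request, canary included, is the case to fix.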