Joe Luo created CXF-7114:
----------------------------

Summary: Disable HTTP TRACE method on CXF http-jetty transport
Key: CXF-7114
URL: https://issues.apache.org/jira/browse/CXF-7114
Project: CXF
Issue Type: Bug
Components: Transports
Affects Versions: 3.0.4
Reporter: Joe Luo
Priority: Minor

We had a security scan and found that a standalone CXF endpoint using the http-jetty transport still had the HTTP TRACE method enabled. It is considered a security risk. It's not a problem if the CXF http-jetty transport is used with Pax Web, as Pax Web already had its embedded Jetty engine's HTTP TRACE method disabled by default. So we should disable the HTTP TRACE method in JettyHTTPHandler.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)