I'm testing it with w3af (http://w3af.sourceforge.net) since that's what our
security certifying vendor tests applications against.

And it logs - The URL "http://localhost:8080/app/" has the following
allowed methods: GET, HEAD, OPTIONS, POST, TRACE. This information was found
in the request with id 19.


Thanks & Regards
Sachin

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Monday, February 18, 2013 11:34 PM
To: Tomcat Users List
Subject: Re: tomcat 7.0.22 - allowTrace="false" not working

On 18/02/2013 15:00, Sachin wrote:
> Hi,
>
> I want to disable the HTTP TRACE method in my application, which is running
> on the Tomcat 7.0.22 web server.
> Though the Apache Tomcat configuration for HTTP says that it is set to
> false by default, it allows TRACE. I tried setting it to false
> specifically, but it still allows it.
> I searched through your mail archives hosted on 4-5 sites and the general
> web but could not find a working solution. Please help.
>
> Here is 'connector' (only 1) from my server.xml
>
>   <Connector port="8080" protocol="HTTP/1.1" server="SACHIN"
>       connectionTimeout="20000" allowTrace="false"
>                  redirectPort="8443" />

How are you testing this?

I just tested 7.0.x trunk and see the documented behaviour. Further, there
has been no change in the code that handles this in a number of years.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
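
A direct check of the `allowTrace` setting that does not depend on a scanner's report, as an added example that is not from either poster or from the Tomcat project: it sends a real TRACE request, separately reads the `Allow` header from an OPTIONS response, and reports whether TRACE is actually served or only advertised. The names `probe` and `verdict` and the `X-Probe` marker header are hypothetical; the host, port and path are the ones in the w3af log line above.

```python
import http.client


def _request(host, port, method, path, headers=None, timeout=5.0):
    """Send one request on its own connection; return (status, Allow, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return resp.status, resp.getheader("Allow", ""), body
    finally:
        conn.close()


def probe(host, port, path="/"):
    """Return (trace_status, echoed, advertised_methods) for one URL."""
    marker = "trace-probe-constructed-marker"  # constructed value, hypothetical header
    trace_status, _, body = _request(host, port, "TRACE", path, {"X-Probe": marker})
    # A server that honours TRACE answers 200 and echoes the request, marker included.
    echoed = trace_status == 200 and marker in body
    _, allow, _ = _request(host, port, "OPTIONS", path)
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return trace_status, echoed, advertised


def verdict(trace_status, echoed, advertised):
    """Separate 'TRACE is served' from 'TRACE is listed in an Allow header'."""
    if echoed:
        return "TRACE enabled: request was echoed back"
    if "TRACE" in advertised:
        return "TRACE refused (HTTP %d) but still advertised in Allow" % trace_status
    return "TRACE refused (HTTP %d) and not advertised" % trace_status


if __name__ == "__main__":
    # Target taken from the scanner log line quoted in this thread.
    print(verdict(*probe("localhost", 8080, "/app/")))
```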

