On 18/02/2013 18:19, Sachin wrote:
I'm testing it with w3af (http://w3af.sourceforge.net) since that's what our
security certifying vendor tests application against.

And it logs -  The URL "http://localhost:8080/app/" has the following
allowed methods: GET, HEAD, OPTIONS, POST, TRACE. This information was found
in the request with id 19.

That looks like a false positive although I'm not sure how it is happening. You'd have to dig into the test to look at the HTTP request and response headers to see what is going on.

Mark




Thanks & Regards
Sachin

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Monday, February 18, 2013 11:34 PM
To: Tomcat Users List
Subject: Re: tomcat 7.0.22 - allowTrace="false" not working

On 18/02/2013 15:00, Sachin wrote:
Hi,

I want to disable http TRACE method in my application which is running
on tomcat 7.0.22 web-server.
Though apache tomcat configuration for http says that it is set to
false by default, it allows TRACE. I tried setting it to false
specifically, but still it allows.
I searched through your mail archives hosted on 4-5 sites and general
web but could not find a working solution. Please help.

Here is 'connector' (only 1) from my server.xml

   <Connector port="8080" protocol="HTTP/1.1" server="SACHIN"
        connectionTimeout="20000" allowTrace="false"
                  redirectPort="8443" />

How are you testing this?

I just tested 7.0.x trunk and see the documented behaviour. Further, there
has been no change in the code that handles this in a number of years.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
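
Added example, not part of the thread or of Tomcat's code: one way to do the check suggested above, comparing the Allow header returned for OPTIONS with what the server actually does with a TRACE request. The function names, the 405 status in the sample and the localhost target are assumptions.

```python
import http.client

def advertised_methods(allow_header):
    """Parse an Allow header value into a set of upper-case method names."""
    return {m.strip().upper() for m in allow_header.split(",") if m.strip()}

def classify_trace(allow_header, trace_status):
    """Compare what OPTIONS advertises with what a TRACE request actually gets.

    enabled         - the TRACE request itself was answered with a 2xx status
    advertised-only - Allow lists TRACE but the TRACE request was refused
    disabled        - TRACE is neither advertised nor served
    """
    if 200 <= trace_status < 300:
        return "enabled"
    if "TRACE" in advertised_methods(allow_header):
        return "advertised-only"
    return "disabled"

def probe(host, port, path="/"):
    """Send OPTIONS and TRACE to a server you administer and classify the result."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        allow = resp.getheader("Allow", "")
        resp.read()  # drain the body so the connection can be reused
        conn.request("TRACE", path)
        resp = conn.getresponse()
        status = resp.status
        resp.read()
    finally:
        conn.close()
    return classify_trace(allow, status)

# Constructed sample: the Allow list is the one from the w3af log line in the
# thread; the 405 status for the TRACE request is an assumed value.
SAMPLE_ALLOW = "GET, HEAD, OPTIONS, POST, TRACE"
SAMPLE_TRACE_STATUS = 405

if __name__ == "__main__":
    print(classify_trace(SAMPLE_ALLOW, SAMPLE_TRACE_STATUS))
    # Live check against your own instance: print(probe("localhost", 8080, "/app/"))
```

An "advertised-only" result means the finding rests on the Allow header alone, while "enabled" means the TRACE request itself was served.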

