Sachin,

On 2/18/13 1:19 PM, Sachin wrote:
> I'm testing it with w3af (http://w3af.sourceforge.net) since that's
> what our security certifying vendor tests application against.
> 
> And it logs - The URL "http://localhost:8080/app/" has the
> following allowed methods: GET, HEAD, OPTIONS, POST, TRACE. This
> information was found in the request with id 19.

Does the request to /app/ perhaps access a JSP page? IIRC, JSP pages
will respond to *any* HTTP method, even non-standard ones like FOOBAR
and such. I would have expected allowTrace="false" to stop TRACE
specifically, though.

I believe this has recently been clarified in the spec, and JSPs will
be (at least by default?) restricted to HEAD, GET, and POST in the
next spec release. (Just from memory: I don't have a reference).

- -chris
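Since allowTrace="false" only covers TRACE and a JSP will answer any verb it is handed, a servlet Filter that enforces a method allowlist in front of the JSPs is one way to close the gap the scanner reports. The following is an added example written for this thread, not code from the original message or from Tomcat; it assumes the javax.servlet API of the Tomcat versions in use at the time and a web.xml filter-mapping with url-pattern /* (both assumptions).

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects every HTTP method that is not on the allowlist with 405 before the
 * request reaches a JSP or servlet. TRACE and non-standard verbs such as
 * FOOBAR never get past this point regardless of how the JSP would answer.
 * Hypothetical filter; the allowlist below is a constructed example.
 */
public class MethodAllowlistFilter implements Filter {

    // Constructed allowlist: the methods the application actually needs.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("GET", "HEAD", "POST", "OPTIONS")));

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration needed for this example.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Method names are case-sensitive in HTTP; normalise so "get" does not slip through.
        String method = request.getMethod().toUpperCase();
        if (!ALLOWED.contains(method)) {
            // Advertise what is permitted and stop the request here.
            response.setHeader("Allow", String.join(", ", ALLOWED));
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Re-running the same scan after deploying the filter should report only the allowlisted methods for /app/.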
