Yes Chris,

It does access a JSP page. But even I was expecting to stop TRACE by 
specifically adding allowTrace="false".
And as I've checked, tomcat 5 is giving me this behavior properly but not 
7.0.22.


Thanks & Regards
Sachin


-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, February 22, 2013 10:15 AM
To: Tomcat Users List
Subject: Re: tomcat 7.0.22 - allowTrace="false" not working

Sachin,

On 2/18/13 1:19 PM, Sachin wrote:
> I'm testing it with w3af(http://w3af.sourceforge.net) since that's 
> what our security certifying vendor tests application against.
> 
> And it logs -  The URL "http://localhost:8080/app/" has the following 
> allowed methods: GET, HEAD, OPTIONS, POST, TRACE. This information was 
> found in the request with id 19.

Does the request to /app/ perhaps access a JSP page? IIRC, JSP pages will 
respond to *any* HTTP method, even non-standard ones like FOOBAR and such. I 
would have expected allowTrace="false" to stop TRACE specifically, though.

I believe this has recently been clarified in the spec, and JSPs will be (at 
least by default?) restricted to HEAD, GET, and POST in the next spec release. 
(Just from memory: I don't have a reference).

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
