Thanks Konstantin. That did the trick. I've now added a filter to override the response to OPTIONS requests, so that 'TRACE' is not in the 'Allow' header. Now the tests show the expected results.
Thanks all for your responses.

Thanks & Regards
Sachin

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Sunday, February 24, 2013 1:58 AM
To: Tomcat Users List
Subject: Re: tomcat 7.0.22 - allowTrace="false" not working

2013/2/22 Nick Williams <nicho...@nicholaswilliams.net>:
>
>> On Feb 22, 2013, at 7:49 AM, Konstantin Kolinko wrote:
>>
>> One example of a false positive is that if you send an OPTIONS request
>> to almost any servlet, the "Allow" header in its response by default
>> will include the TRACE method (as implemented in
>> javax.servlet.http.HttpServlet class).
>
>
> Konstantin, I had said Monday [1] that I had observed Tomcat doing
> that before, but Mark corrected me and pointed out that that was fixed
> in Tomcat three years ago, and that the 7.0.x branch has never behaved that way.
> *scratches head*
>
> [1] http://tomcat.markmail.org/search/?q=allowTrace#query:allowTrace+page:2+mid:bvqkjjps2nvzui3z+state:results
> [2] http://tomcat.markmail.org/search/?q=allowTrace#query:allowTrace+page:2+mid:gg2h43ihalbdzi4j+state:results
>

1. Please try not to use HTML formatting when sending e-mails to the list, as said in http://tomcat.apache.org/lists.html

2. In Markmail you can get a short and pretty "permanent" URL for a message or for a thread if you click on the "link chain" icon at the top-right above a message or above a thread. E.g.
[1] -> http://markmail.org/message/bvqkjjps2nvzui3z
[2] -> http://markmail.org/message/gg2h43ihalbdzi4j

3. Response to the "OPTIONS" requests is the responsibility of servlets, not of Tomcat. Tomcat's DefaultServlet does not list TRACE in its OPTIONS response. Other servlets - do.

With 7.0.x, sending

OPTIONS /examples/servlets/servlet/HelloWorldExample HTTP/1.0

results in

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Allow: GET, HEAD, TRACE, OPTIONS
Content-Length: 0
Date: Tue, 19 Feb 2013 10:28:57 GMT
Connection: close

TRACE /examples/servlets/servlet/HelloWorldExample HTTP/1.0

results in

HTTP/1.1 405 Method Not Allowed
Server: Apache-Coyote/1.1
Allow: GET, OPTIONS, HEAD
Content-Length: 0
Date: Tue, 19 Feb 2013 10:38:07 GMT
Connection: close

If anybody is concerned with the OPTIONS response, one easy way to provide your own response to an OPTIONS request is to configure a Filter.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
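
One way to write the Filter discussed in this thread, as an added example that is not code from the original messages or from Tomcat: on OPTIONS requests it wraps the response and removes TRACE from the Allow header that HttpServlet.doOptions() sets, so the rest of the servlet's method list is kept. The class name and the /* mapping are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Hypothetical class name; the mapping covers every URL in the web application.
@WebFilter("/*")
public class HideTraceInAllowFilter implements Filter {

    // Drops TRACE from a comma-separated Allow value, e.g.
    // "GET, HEAD, TRACE, OPTIONS" becomes "GET, HEAD, OPTIONS".
    static String withoutTrace(String allow) {
        StringBuilder kept = new StringBuilder();
        for (String method : allow.split(",")) {
            String m = method.trim();
            if (m.isEmpty() || "TRACE".equalsIgnoreCase(m)) continue;
            if (kept.length() > 0) kept.append(", ");
            kept.append(m);
        }
        return kept.toString();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest
                && "OPTIONS".equals(((HttpServletRequest) req).getMethod())) {
            // Wrap the response so the servlet's own doOptions() still builds the list.
            res = new HttpServletResponseWrapper((HttpServletResponse) res) {
                @Override public void setHeader(String name, String value) {
                    super.setHeader(name, rewrite(name, value));
                }
                @Override public void addHeader(String name, String value) {
                    super.addHeader(name, rewrite(name, value));
                }
                private String rewrite(String name, String value) {
                    return "Allow".equalsIgnoreCase(name) && value != null ? withoutTrace(value) : value;
                }
            };
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The filter changes only what OPTIONS advertises; whether TRACE itself is served is still decided by the connector's allowTrace setting, as the 405 response above shows.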