joeweder wrote:
> Thanks markt-2. The idea of using a ServletFilter is a good one but will not
> work because the application (we've inherited) does not have a single entry
> point (dispatch/front-controller) yuck. So I'd have to patch it several
> places.

You can map filters to /*

Mark

> What I wound up doing was making a little custom valve (HttpMethodValve) and
> added it to the Engine in our server.xml. The valve allows only the methods
> specified (see allow=""), gives a 403 otherwise, and reports only the
> allow(ed) methods in response to OPTIONS. Dropped this little jar in
> tomcat/lib and rock-n-roll.
>
> <Engine name="Catalina" defaultHost="localhost">
>   <Valve className="org.apache.catalina.valves.AccessLogValve" ......
>   />
>   <Valve className="org.apache.catalina.valves.HttpMethodValve"
>          allow="GET,POST,OPTIONS"/>
>   <Host name="localhost"
>   ....
>   />
> </Engine>
>
> markt-2 wrote:
>> joeweder wrote:
>>> I have PUTs disabled but they are still being published as supported in
>>> response to the OPTIONS method.
>> Which is correct as per the HTTP spec.
>>
>>> Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
>>> Server: Apache-Coyote/1.1
>>>
>>> Actually doing a PUT returns a 403. But "in-house" security scanner just
>>> looks at response from the OPTIONS method.
>> Then your security scanner needs to be fixed.
>>
>>> Is there any way to get Tomcat 6 from responding to the OPTIONS that it
>>> supports the PUT?
>> You would need to provide your own DefaultServlet implementation. You
>> should be able to take Tomcat's and override the appropriate method.
>>
>> Alternatively, you should be able to achieve the same effect with a Filter
>> and a wrapped response.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
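Mark's "Filter mapped to /* plus a wrapped response" suggestion, written out as an added example (it is not code from this thread nor from Tomcat): the filter refuses methods outside an allow list with a 403 and, for OPTIONS, intersects whatever Allow header the servlet sets with that list. The init-param name "allow" and the class name are assumptions.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not code from the thread. Assumes a hypothetical init-param
// named "allow" (e.g. "GET,POST,OPTIONS"); map the filter to /* in web.xml.
public class HttpMethodFilter implements Filter {
    private final Set<String> allowed = new HashSet<String>();

    public void init(FilterConfig cfg) {
        String param = cfg.getInitParameter("allow");
        for (String m : (param == null ? "GET,POST,OPTIONS" : param).split(","))
            allowed.add(m.trim().toUpperCase(Locale.ENGLISH));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        String method = ((HttpServletRequest) req).getMethod().toUpperCase(Locale.ENGLISH);
        // Enforcement: a method outside the allow list never reaches the application.
        if (!allowed.contains(method)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (!"OPTIONS".equals(method)) {
            chain.doFilter(req, res);
            return;
        }
        // Reporting: let the servlet build its Allow header for OPTIONS, then intersect
        // it with the allow list so PUT/DELETE/TRACE are no longer advertised.
        chain.doFilter(req, new HttpServletResponseWrapper(response) {
            @Override public void setHeader(String name, String value) {
                super.setHeader(name, "Allow".equalsIgnoreCase(name) ? filterAllow(value) : value);
            }
            @Override public void addHeader(String name, String value) {
                super.addHeader(name, "Allow".equalsIgnoreCase(name) ? filterAllow(value) : value);
            }
        });
    }

    // "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS" -> "GET, POST, OPTIONS"
    // (HEAD is dropped as well unless it is on the allow list).
    String filterAllow(String value) {
        StringBuilder kept = new StringBuilder();
        for (String m : value.split(",")) {
            String name = m.trim().toUpperCase(Locale.ENGLISH);
            if (allowed.contains(name)) kept.append(kept.length() == 0 ? "" : ", ").append(name);
        }
        return kept.toString();
    }

    public void destroy() {}
}
```

Both setHeader and addHeader are overridden because a servlet may emit Allow through either; unlike the Engine-level valve, this filter covers only the web application it is declared in.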