Sorry, not sure what you want an example of, and not sure what you mean when you ask what connectors I am using (not really an expert).

Using Tomcat 5.0.16. My workaround did pass the security scan. Strangely I had the same version of Tomcat on a different box where the allowTrace="false" did what it was supposed to. I was flummoxed when it didn't work in the new box.

Iain

Christopher Schultz-2 wrote:
> Ian,
>
> On 1/13/2010 12:37 PM, iainmac wrote:
>> I need to disable TRACE to pass a security scan, so I added
>> allowTrace="false" to all my connectors, but it's still allowing TRACE!
>
> Can you give us an example?
>
> Recently, someone complained that the JSPServlet will allow /any/ HTTP
> method, even methods that are not defined like:
>
> FOO /path/to/my.jsp HTTP/1.1
>
> Teh FOO method ist allowed!!111!!!ELEVEN!!
>
> For whatever reason, the JSPServlet specifically allows any method,
> including TRACE.
>
> I've never used allowTrace="false", though it /is/ the default.
>
>> I had to work around with urlrewrite and a jsp with 1 line which was
>> response.sendError(response.SC_NOT_IMPLEMENTED , "NOT IMPLEMENTED");
>
> And does this pass your security audit?
>
>> However I would prefer the allowTrace="false" to work properly!
>
> Agreed, though the documentation doesn't state what happens when
> allowTrace="true" versus allowTrace="false": it just says "enabled or
> disables the TRACE method" without describing the expected behavior.
>
>> Any ideas as to why it's not working?
>
> Not without looking at the code. You are welcome to check it out. Which
> connector(s) are you using? What version of Tomcat are you running?
>
> -chris