Leo,

normally in the default config of a webserver, these methods are by default disabled, for the simple reason that there is no "handler" defined for them. That is the case for Apache httpd, and I suppose for Tomcat.

In other words, for these methods to actually do something, you would have to configure a handler (or a servlet) that contains code which handles these methods and does something.

Actually, I just looked at what the Servlet Spec 3.0 has to say about this (2.1), and it does not say much. In particular, it does not say exactly what should happen when the servlet does not contain doPut and/or doDelete methods. I suppose that Tomcat could return a "405 Method Not Allowed" or a "501 Not Implemented" error code, but I am not sure what it does really.
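As an added illustration (not part of any message in this thread) of the two mechanisms discussed above and in Chuck's reply quoted below, here is a web.xml fragment that keeps Tomcat's DefaultServlet read-only and, separately, uses a security constraint to refuse PUT and DELETE for every URL in the application. The servlet-name "default" and the DefaultServlet class match Tomcat's own conf/web.xml; the constraint name and the choice of /* as the pattern are assumptions for this example.

```xml
<!-- Fragment for WEB-INF/web.xml (or Tomcat's conf/web.xml for the DefaultServlet part).
     Added example, not taken from the thread. -->

<!-- 1. The DefaultServlet serves static files. With readonly=true (the default)
        it answers PUT and DELETE with an error instead of writing to disk. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- 2. A security constraint with an empty <auth-constraint/> means "no role may
        access this", so the container rejects the listed methods (HTTP 403)
        before any servlet, including your own doPut/doDelete, is reached. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Deny PUT and DELETE</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
```

Two caveats a practitioner would want: listing methods in `<http-method>` constrains only those methods, so GET, POST and the rest stay unconstrained by this rule; and the constraint applies only to the web application whose web.xml carries it, so each deployed application needs its own. Confirm the effect on a test instance by issuing a PUT to a static file path and checking that the response is an error status and that nothing was written under the webapp directory.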


Leo Donahue - PLANDEVX wrote:
Thanks.

Security audit day.  Spent 3 hours making changes - waiting for results, when the tool ended up reporting a false-positive for DELETE.
Now I know I could have done nothing.  Great.  I still don't have warm fuzzies about this.

I think they used IBM Rational App Scan, not sure though.

Leo
-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Thursday, May 13, 2010 3:13 PM
To: Tomcat Users List
Subject: RE: Restrict http methods

From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
Subject: Restrict http methods

What do most people use to restrict PUT and DELETE http methods?

2. Set the attribute "readonly" to true in the default servlet in web.xml

The readonly attribute defaults to true, so most people do ... nothing.

 - Chuck




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org