On 14/05/2010 00:28, André Warnier wrote:
> Leo,
>
> normally in the default config of a webserver, these methods are by
> default disabled, for the simple reason that there is no "handler"
> defined for them. That is the case for Apache httpd, and I suppose for
> Tomcat.

Nope. The default servlet supports both PUT and DELETE but they are
blocked by default.

> I suppose that Tomcat could return a "405 Method Not Allowed" or a "501
> Not Implemented" error code, but I am not sure what it does really.

It returns a 403.

Mark

> Leo Donahue - PLANDEVX wrote:
>> Thanks.
>>
>> Security audit day. Spent 3 hours making changes - waiting for
>> results, when the tool ended up reporting a false-positive for DELETE.
>> Now I know I could have done nothing. Great. I still don't have warm
>> fuzzies about this.
>>
>> I think they used IBM Rational App Scan, not sure though.
>>
>> Leo
>>
>> -----Original Message-----
>> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
>> Sent: Thursday, May 13, 2010 3:13 PM
>> To: Tomcat Users List
>> Subject: RE: Restrict http methods
>>
>>> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
>>> Subject: Restrict http methods
>>>
>>> What do most people use to restrict PUT and DELETE http methods?
>>>
>>> 2. Set the attribute "readonly" to true in the default servlet in
>>> web.xml
>>
>> The readonly attribute defaults to true, so most people do ... nothing.
>>
>> - Chuck
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
>> PROPRIETARY MATERIAL and is thus for use only by the intended
>> recipient. If you received this in error, please contact the sender
>> and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
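The two settings the thread talks about, written out as an added example that is not part of any message above and not Tomcat's own shipped configuration. It assumes a Servlet 2.5 web.xml; the `readonly` init-param of `org.apache.catalina.servlets.DefaultServlet` is the attribute Leo and Chuck refer to, and the `security-constraint` block is the standard servlet-spec way to deny a method for the whole application, which also covers application servlets that implement `doPut`/`doDelete` rather than only the default servlet's file handling. The resource name is a constructed placeholder.

```xml
<!-- Added example (not from the thread): restricting PUT and DELETE in Tomcat.
     The web-resource-name value below is a constructed placeholder. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- 1. Default servlet. "readonly" already defaults to true, which is why
          Chuck says most people do nothing. Declaring it explicitly records
          the intent and survives a copied conf/web.xml in which someone has
          flipped it to false. With readonly=true Tomcat answers a PUT or
          DELETE against a static resource with 403, as Mark notes. -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- 2. Application-wide deny. An empty auth-constraint means no role is
          allowed, so the listed methods are refused (403) for every URL,
          including servlets that themselves handle PUT/DELETE. Only the
          methods listed here are affected; GET, POST and the rest are
          untouched. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Deny PUT and DELETE</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
```

To confirm what a scanner should see, send one real request rather than trusting an `Allow` header: `curl -i -X PUT --data-binary @somefile http://localhost:8080/app/test.txt` should come back `403` with either setting in place. Some scanners report a method as "enabled" from the `OPTIONS` response alone, which is one reason a finding like Leo's can turn out to be a false positive once the method is actually exercised.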