On 14/05/2010 09:06, André Warnier wrote:
> Mark Thomas wrote:
>> On 14/05/2010 00:28, André Warnier wrote:
>>> Leo,
>>>
>>> normally in the default config of a webserver, these methods are by
>>> default disabled, for the simple reason that there is no "handler"
>>> defined for them. That is the case for Apache httpd, and I suppose for
>>> Tomcat.
>>
>> Nope. The default servlet supports both PUT and DELETE but they are
>> blocked by default.
>>
>>> I suppose that Tomcat could return a "405 Method Not Allowed" or a "501
>>> Not Implemented" error code, but I am not sure what it does really.
>>
>> It returns a 403.
>>
>> Mark
>>
> Thanks.
> Just for further information really:
> If there is a webapp context say at /abc, with a servlet url-mapping of
> "/*", and this servlet does not have a doPut() method, does a PUT
> request to /abc get remapped to the default servlet?
No. All requests, regardless of HTTP method, get passed to a Servlet's
service() method.

From the reference to doPut(), I assume that the servlet in question is
extending javax.servlet.http.HttpServlet. Rather than me describe what
that code does:
http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/http/HttpServlet.java?view=annotate

Mark

>
>
>>>
>>> Leo Donahue - PLANDEVX wrote:
>>>> Thanks.
>>>>
>>>> Security audit day. Spent 3 hours making changes - waiting for
>>>> results, when the tool ended up reporting a false-positive for DELETE.
>>>> Now I know I could have done nothing. Great. I still don't have warm
>>>> fuzzies about this.
>>>>
>>>> I think they used IBM Rational App Scan, not sure though.
>>>>
>>>> Leo
>>>> -----Original Message-----
>>>> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent:
>>>> Thursday, May 13, 2010 3:13 PM
>>>> To: Tomcat Users List
>>>> Subject: RE: Restrict http methods
>>>>> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
>>>>> Subject: Restrict http methods
>>>>>
>>>>> What do most people use to restrict PUT and DELETE http methods?
>>>>>
>>>>> 2. Set the attribute "readonly" to true in the default servlet in
>>>>> web.xml
>>>> The readonly attribute defaults to true, so most people do ... nothing.
>>>>
>>>> - Chuck
>>>>
>>>>
>>>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
>>>> PROPRIETARY MATERIAL and is thus for use only by the intended
>>>> recipient. If you received this in error, please contact the sender
>>>> and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
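Added example, not part of the thread above and not Tomcat's own code. The behaviour Mark points at is this: a servlet mapped to /* receives PUT and DELETE in HttpServlet.service(), which dispatches to the inherited doPut()/doDelete(); those default implementations answer 405 Method Not Allowed to an HTTP/1.1 client (400 Bad Request to older protocol versions), and nothing is re-routed to the default servlet. The default servlet itself, with readonly left at its default of true, answers PUT and DELETE with 403. Where an audit requires unused methods to be refused uniformly across a webapp, whichever servlet is mapped, a filter with an explicit allow-list is more robust than a <security-constraint> that names the methods to deny, because such a constraint only covers the <http-method> entries it lists. The filter below (the class name AllowedMethodsFilter, the allow-list, and the web.xml mapping in the leading comment are assumptions for this example) rejects every other method, including lower-case spellings such as "put" that HttpServlet would otherwise route to its default branch, with 405 and an Allow header:

```java
// Assumed web.xml registration for this example (hypothetical names):
//
//   <filter>
//     <filter-name>allowedMethods</filter-name>
//     <filter-class>example.AllowedMethodsFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>allowedMethods</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>

package example;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects every HTTP method that is not on an explicit allow-list.
 * An allow-list does not need updating when a client invents a new
 * method name (TRACE, PROPFIND, "put", ...): anything unknown is refused.
 */
public class AllowedMethodsFilter implements Filter {

    // Assumption for the example: the application only needs these four.
    // Method names are case-sensitive in HTTP, so "put" is not "PUT" and
    // is refused as well.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("GET", "HEAD", "POST", "OPTIONS")));

    // Advertised in the Allow header of every 405 response (RFC 2616, 14.7).
    private static final String ALLOW_HEADER = "GET, HEAD, POST, OPTIONS";

    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to configure; the allow-list is fixed for this example.
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        String method = httpRequest.getMethod();
        if (!ALLOWED.contains(method)) {
            // Refuse before any servlet, including the default servlet,
            // sees the request. The response code does not depend on
            // which servlet is mapped or on its readonly setting.
            httpResponse.setHeader("Allow", ALLOW_HEADER);
            httpResponse.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        chain.doFilter(request, response);
    }
}
```

With the filter deployed, a check such as `curl -i -X PUT http://localhost:8080/abc/anything` should return `405` with `Allow: GET, HEAD, POST, OPTIONS` for every path in the context, which is the consistent answer a scanner expects; without it, the same request gets 403 from the default servlet and 405 (or 400 for HTTP/1.0) from an HttpServlet subclass that does not override doPut(), and those differing codes are what tempt an audit tool into a false positive.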