-
1. Re: Disable HTTP TRACE / TRACK in Wildfly for a Windows server
ctomc Jun 1, 2015 6:52 AM (in response to sophos_data_encryption)
what do you mean by HTTP trace?
access logging?
request dumping?
something else?
-
2. Re: Disable HTTP TRACE / TRACK in Wildfly for a Windows server
sophos_data_encryption Jun 1, 2015 8:35 AM (in response to ctomc)
I mean "HTTP Track / Trace", these are the only details I have.
A customer of ours ran a Windows Server PCI compliance scan for an audit using a product called SecurityMetrics PCI Scan and these were the results:
Description: HTTP TRACE / TRACK Methods Allowed
Synopsis: Debugging functions are enabled on the remote web server.
Impact: The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
If there are separate instructions for disabling this in access logging / request dumping / something else do you have any instructions?
Thanks
-
3. Re: Disable HTTP TRACE / TRACK in Wildfly for a Windows server
ctomc Jun 1, 2015 8:59 AM (in response to sophos_data_encryption)
ah, now I manage to decrypt what you need
you will need to edit your application's web.xml file
to list only allowed http methods.
you probably need something like this
<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- no auth-constraint tag here -->
</security-constraint>
see Understanding Web Security Using web.xml Via Use Cases | Javalobby and http://stackoverflow.com/questions/8069640/whitelist-security-constraint-in-web-xml
for more
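
An added example, not part of the original thread or of WildFly's code: a small Python check that applies the Servlet specification's `security-constraint` rules to a web.xml and reports whether a method such as TRACE is actually denied. Under those rules, methods not named by `<http-method>` are left uncovered, and only an `auth-constraint` that lists no roles blocks access. The function name and both sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip "{namespace}" so descriptors with or without xmlns are handled alike.
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]

def method_denied(web_xml, method="TRACE", url_pattern="/*"):
    """True if a constraint on url_pattern covers `method` and names no roles."""
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc if _local(e.tag) == "auth-constraint"]
        # Only an auth-constraint that is present and lists no role denies access.
        if not auth or _texts(auth[0], "role-name"):
            continue
        for wrc in (e for e in sc if _local(e.tag) == "web-resource-collection"):
            if url_pattern not in _texts(wrc, "url-pattern"):  # exact match only
                continue
            listed = _texts(wrc, "http-method")
            omitted = _texts(wrc, "http-method-omission")
            # Named methods: only those are covered. Omissions: all but those.
            covered = method in listed if listed else method not in omitted
            if covered:
                return True
    return False

# Constructed sample: the constraint shape posted in the thread.
AS_POSTED = """<web-app><security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
</security-constraint></web-app>"""

# Constructed sample: every method except GET and POST is covered and denied.
DENY_OTHERS = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method-omission>GET</http-method-omission><http-method-omission>POST</http-method-omission>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint></web-app>"""

if __name__ == "__main__":
    print(method_denied(AS_POSTED), method_denied(DENY_OTHERS))
```

The check reads the deployment descriptor only; a scanner result also depends on how the server's HTTP listener handles TRACE before the request reaches the application.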
-
4. Re: Disable HTTP TRACE / TRACK in Wildfly for a Windows server
sophos_data_encryption Jun 1, 2015 11:54 AM (in response to ctomc)
Thanks Tomaz, I'll see if that works
-
6. Re: Disable HTTP TRACE / TRACK in Wildfly for a Windows server
ctomc Jun 2, 2015 5:54 AM (in response to sophos_data_encryption)
that looks fine if you want to have POST & GET only available for /restricted/* urls.
if you need it for the whole application then the url-pattern should be /*
-
7. Re: Disable HTTP TRACE / TRACK in Wildfly for a Windows server
sophos_data_encryption Jun 8, 2015 10:40 AM (in response to ctomc)
Hi Tomaz, sorry for the slow reply.
Can I just confirm that if the URL Pattern is changed to "/*" that this will disable HTTP track / trace?
Thanks
-
8. Re: Disable HTTP TRACE / TRACK in Wildfly for a Windows server
arusstam Jul 29, 2015 11:26 AM (in response to ctomc)
-
9. Re: Disable HTTP TRACE / TRACK in Wildfly for a Windows server
ctomc Jul 29, 2015 11:35 AM (in response to arusstam)
support for that was added in early WF10 builds
-
10. Re: Disable HTTP TRACE / TRACK in Wildfly for a Windows server
arusstam Jul 29, 2015 11:37 AM (in response to ctomc)
Thank you very much.