2 Replies Latest reply on Jun 9, 2016 4:17 AM by ctomc

Wildfly 10, Disabling TRACE Method

jdestef Jun 8, 2016 4:41 PM

Hi,

I've seen the post about disabling TRACE/TRACK methods in Wildfly 10. Unfortunately it doesn't seem to work.

I'm using the standalone-full configuration. I've set the disallowed-methods attribute in the http-listener:

<buffer-cache name="default"/>

<http-listener name="default" socket-binding="http" redirect-socket="https" disallowed-methods="TRACE TRACK"/>

I set a break point in io.undertow.server.handlers.DisallowedMethodHandler in the handleRequest method.

When I run curl -v -X TRACE http://localhost:8080/ the break point is not reached and I get the following output:

* Trying 127.0.0.1...

* Connected to localhost (127.0.0.1) port 8080 (#0)

> TRACE / HTTP/1.1

> Host: localhost:8080

> User-Agent: curl/7.46.0

> Accept: */*

* Empty reply from server

* Connection #0 to host localhost left intact

curl: (52) Empty reply from server

When I run curl -v -X TRACK http://localhost:8080/ the break point is reached and I get the following output:

Trying 127.0.0.1...

* Connected to localhost (127.0.0.1) port 8080 (#0)

> TRACK / HTTP/1.1

> Host: localhost:8080

> User-Agent: curl/7.46.0

> Accept: */*

< HTTP/1.1 405 Method Not Allowed

< Connection: keep-alive

< Content-Length: 0

< Date: Wed, 08 Jun 2016 20:35:43 GMT

* Connection #0 to host localhost left intact

Any help would be really appreciated.

Thanks

1. Re: Wildfly 10, Disabling TRACE Method

nickarls Jun 9, 2016 2:16 AM (in response to jdestef)

Haven't used the feature but have you tried a comma separated list? If it works, file a JIRA that says it should complain if there are spaces in the string ;-)
Actions
2. Re: Wildfly 10, Disabling TRACE Method

ctomc Jun 9, 2016 4:17 AM (in response to jdestef)

Given you configured server to have disallowed TRACE & TRACK (btw TRACE is disabled by default)
response 405 you get is completely correct behavior.
Actions