3 Replies Latest reply on Jun 11, 2006 12:10 AM by jbtposc

    Jboss Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS !!

    dkdkdk

      HTTP/1.1 200 OK
      X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
      Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
      Content-Length: 0
      Date: Tue, 05 Apr 2005 03:33:19 GMT
      Server: Apache-Coyote/1.1

      >> I wonder whether the following HTTP methods, 'PUT, DELETE, TRACE', are active? <<

      + HTTP method 'PUT' method may allow clients to save files on the web server.
      + HTTP method 'DELETE' may allow clients to remove files on the web server.
      + HTTP method 'TRACE' is typically only used for debugging. It should be disabled.

      -----------------

      Who can tell more?

        • 1. Re: Jboss Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTION
          starksm64

          The DELETE and PUT are not allowed by the default servlet unless its readonly mode has been set to false:

          DELETE / HTTP/1.1
          Host: localhost
          
          HTTP/1.1 403 Forbidden
          X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.1 (build: CVSTag=JBoss_4_0_1 date=200412230944)
          Content-Type: text/html;charset=utf-8
          Content-Length: 964
          Date: Tue, 05 Apr 2005 15:09:35 GMT
          Server: Apache-Coyote/1.1
          


          You can use the standard web.xml security settings to control what http methods are allowed in general:

          <web-app>
          ...
            <security-constraint>
              <web-resource-collection>
                <web-resource-name>Restricted</web-resource-name>
                <description>Declarative security tests</description>
                <url-pattern>/*</url-pattern>
                <http-method>HEAD</http-method>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
              </web-resource-collection>
              <user-data-constraint>
                <description>no description</description>
                <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
            </security-constraint>
          </web-app>
          



          • 2. Re: Jboss Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTION
            dkdkdk

            Thanks for your reply.

            Yes, I have tested with nikto.pl/telnet.

            In fact, 'DELETE' is forbidden.

            Then I think JBoss AS gives a delusive response. (?)

            • 3. Re: Jboss Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTION
              jbtposc

              I have my web.xml configured as

              <security-constraint id="SecurityConstraint_1">
                <web-resource-collection id="WebResourceCollection_1">
                  <web-resource-name>mysecure</web-resource-name>
                  <url-pattern>/myservlet</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                </web-resource-collection>
                <user-data-constraint id="UserDataConstraint_1">
                  <transport-guarantee>NONE</transport-guarantee>
                </user-data-constraint>
              </security-constraint>


              But I still get Allow: GET, HEAD, POST, TRACE, OPTIONS?
              I only want to allow GET and POST, any suggestions on it?

              TIA.
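Under the Servlet spec a security-constraint only covers the http-methods it lists, and a constraint with no auth-constraint grants access rather than denying it, which is why a constraint listing GET and POST leaves PUT, DELETE and TRACE untouched. The following Python script is an added example (not from this thread, JBoss or Tomcat) that audits the security-constraint blocks of a web.xml for exactly that mistake; the two web.xml samples in it are constructed, and the corrected one denies PUT, DELETE and TRACE to everyone with an empty <auth-constraint/>.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop a namespace prefix such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit('}', 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def audit_constraints(web_xml):
    """One finding per <security-constraint>: the URL patterns and methods it
    covers, whether it denies them (empty <auth-constraint/>), and a warning
    when it cannot block anything because it has no <auth-constraint>."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        patterns, methods = [], []
        for wrc in _children(sc, 'web-resource-collection'):
            patterns += [(p.text or '').strip() for p in _children(wrc, 'url-pattern')]
            methods += [(m.text or '').strip().upper() for m in _children(wrc, 'http-method')]
        auth = _children(sc, 'auth-constraint')
        denied = bool(auth) and not _children(auth[0], 'role-name')
        # Listing methods without an <auth-constraint> only says "these methods
        # need no login"; methods that are not listed are left unconstrained.
        warning = None if auth else 'no <auth-constraint>: grants access, blocks nothing'
        findings.append({'patterns': patterns, 'methods': methods or ['ALL'],
                         'denied': denied, 'warning': warning})
    return findings

# Constructed samples: the pattern from the question, and a corrected constraint.
WEAK = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mysecure</web-resource-name>
      <url-pattern>/myservlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

FIXED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>deny-unsafe-methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""
```

Running audit_constraints(WEAK) reports the constraint as granting rather than denying, while audit_constraints(FIXED) reports PUT, DELETE and TRACE denied on /*; the Allow header from an OPTIONS request is produced by the servlet itself, so check enforcement with an actual request for each method rather than trusting that header.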