[ https://issues.apache.org/jira/browse/CXF-7114?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15632948#comment-15632948 ]
Joe Luo commented on CXF-7114: ------------------------------ {quote} And should it be 405 status instead of 500 ? {quote} Yeah, you were right, It should return 405 instead of 500. please find a new patch.txt attached. It sets Jetty Server Request "handled" status to true and HttpServletResponse to status 405 instead of simply throwing back a ServletException. {quote} Should it be optionally disabled (you mentioned Pax Web disabling it by default) ? {quote} Yeah, Pax Web disabled it by default. But it was just simply throwing back a ServletException so it was status of 500 returned back to client. I do not mind to have it optionally disabled. But I doubt that the TRACE method is still used by anyone now. Particularly, it is only for standalone CXF endpoints using http-jetty transport. > Disable HTTP TRACE method on CXF http-jetty transport > ----------------------------------------------------- > > Key: CXF-7114 > URL: https://issues.apache.org/jira/browse/CXF-7114 > Project: CXF > Issue Type: Bug > Components: Transports > Affects Versions: 3.0.4 > Reporter: Joe Luo > Priority: Minor > Attachments: patch.txt > > > We had a security scan and found that standalone CXF endpoint using > http-jetty transport still had HTTP TRACE method enabled. It is considered as > a security risk. > It's not a problem if the CXF http-jetty transport is used with Pax Web as > Pax Web had already had it's embedded Jetty engine's HTTP TRACE method > disabled by default. > So we should disable HTTP TRACE method in JettyHTTPHandler. Please find > attached patch.txt for more detail. -- This message was sent by Atlassian JIRA (v6.3.4#6332)