[
https://issues.apache.org/jira/browse/CXF-7114?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15632948#comment-15632948
]
Joe Luo commented on CXF-7114:
------------------------------
{quote}
And should it be 405 status instead of 500 ?
{quote}
Yeah, you were right, It should return 405 instead of 500. please find a new
patch.txt attached. It sets Jetty Server Request "handled" status to true and
HttpServletResponse to status 405 instead of simply throwing back a
ServletException.
{quote}
Should it be optionally disabled (you mentioned Pax Web disabling it by
default) ?
{quote}
Yeah, Pax Web disabled it by default. But it was just simply throwing back a
ServletException so it was status of 500 returned back to client.
I do not mind to have it optionally disabled. But I doubt that the TRACE method
is still used by anyone now. Particularly, it is only for standalone CXF
endpoints using http-jetty transport.
> Disable HTTP TRACE method on CXF http-jetty transport
> -----------------------------------------------------
>
> Key: CXF-7114
> URL: https://issues.apache.org/jira/browse/CXF-7114
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 3.0.4
> Reporter: Joe Luo
> Priority: Minor
> Attachments: patch.txt
>
>
> We had a security scan and found that standalone CXF endpoint using
> http-jetty transport still had HTTP TRACE method enabled. It is considered as
> a security risk.
> It's not a problem if the CXF http-jetty transport is used with Pax Web as
> Pax Web had already had it's embedded Jetty engine's HTTP TRACE method
> disabled by default.
> So we should disable HTTP TRACE method in JettyHTTPHandler. Please find
> attached patch.txt for more detail.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
