I am not. My embedding code is very minimal and apart from the connector stuff (which is a bit more elaborate) consists only of:

ServletHolder
ServletContextHandler
ContextHandlerCollection
Server

But I have noticed something I overlooked: the status codes returned are indicative of an error but there is also HTML content in the response. I was unaware that this was normal and expected no content to be returned in case of an error status. Strangely I never looked into this. Since curl does not show the status code by default I concluded too quickly that the methods were not denied properly, which they are.

Now I am wondering why three independent security scans that were done on my systems report my HTTP server allowing PUT/DELETE and TRACE when I see a 4xx status being returned.

Still investigating...

Thanks.

Silvio
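For reference, here is an added example (not code from this thread or from the Jetty project) of the embedding described above: a ServletContextHandler inside a ContextHandlerCollection on a Server, with a ConstraintSecurityHandler set on the context so that only GET and POST are covered on "/*" and every other method is denied. Port 8080, the "/" context path, the HelloServlet and the coveredMethodsOnly helper are assumptions for illustration; the Jetty API calls are those of Jetty 9.3. As Jan's quote of the spec says, the denied methods come back as 403 Forbidden, with Jetty's usual HTML error body.

```java
// Added example, not code from the thread or from Jetty: embedded Jetty 9.3
// wiring in which only GET and POST are covered on "/*" and every other
// method is denied by ConstraintSecurityHandler.setDenyUncoveredHttpMethods(true).
// Port, context path, HelloServlet and coveredMethodsOnly are assumptions.
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;

public class DenyUncoveredMethodsExample {

    /** Trivial servlet so the context has something to serve (assumed). */
    public static class HelloServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("hello");
        }
    }

    /**
     * Builds a security handler in which only the listed methods are "covered"
     * for pathSpec; with deny-uncovered enabled, every other method is
     * rejected before it reaches any servlet.
     */
    static ConstraintSecurityHandler coveredMethodsOnly(String pathSpec,
                                                        String... allowedMethods) {
        // authenticate=false and no roles: permit the request without needing
        // a LoginService, so the covered methods pass straight through.
        Constraint permit = new Constraint();
        permit.setName("permit-" + pathSpec);
        permit.setAuthenticate(false);

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        for (String method : allowedMethods) {
            ConstraintMapping mapping = new ConstraintMapping();
            mapping.setPathSpec(pathSpec);
            mapping.setMethod(method);      // only this method is covered
            mapping.setConstraint(permit);
            security.addConstraintMapping(mapping);
        }
        // Servlet 3.1 section 13.8.4.2: a method not covered at the
        // best-matching pattern is rejected with 403 Forbidden (not 405).
        security.setDenyUncoveredHttpMethods(true);
        return security;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        ServletContextHandler context =
                new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");
        // Must be set before the server starts.
        context.setSecurityHandler(coveredMethodsOnly("/*", "GET", "POST"));
        context.addServlet(new ServletHolder(new HelloServlet()), "/*");

        ContextHandlerCollection contexts = new ContextHandlerCollection();
        contexts.addHandler(context);
        server.setHandler(contexts);

        server.start();
        server.join();
    }
}
```

To verify what a scanner actually sees, look at the status line rather than the body: `curl -i -X PUT http://localhost:8080/` prints the headers, and `curl -s -o /dev/null -w '%{http_code}\n' -X TRACE http://localhost:8080/` prints only the code. A 403 with an HTML error page in the body is the expected shape of a denied request; a scanner that reports the method as "allowed" on the strength of a non-empty body is misreading the response.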


On 01/15/2016 04:41 PM, Joakim Erdfelt wrote:
If you are using a WebAppContext, then the ConstraintSecurityHandler can be used.



Joakim Erdfelt / [email protected] <mailto:[email protected]>

On Fri, Jan 15, 2016 at 4:59 AM, Silvio Bierman <[email protected] <mailto:[email protected]>> wrote:

    Hello Jan,

    Thanks for the reply. At least I now know that Jetty would deny
    with an HTTP status instead of an error page, which probably means
    the methods are not blocked properly.

    I was so stupid not to mention that I am using Jetty in embedded
    mode. I do not use the web-application stuff nor do I have a
    web.xml. I must be doing something wrong with my embedding code. I
    will dive into this and come back here if I have questions.

    Cheers,

    Silvio



    On 01/15/2016 03:16 AM, Jan Bartel wrote:
    Hi Silvio,

    Both the jetty unit tests and informal testing show that jetty
    will return an error 403 Forbidden. For example, see:
    
https://github.com/eclipse/jetty.project/blob/master/jetty-security/src/test/java/org/eclipse/jetty/security/SpecExampleConstraintTest.java#L264

    Section 13.8.4.2 of the 3.1 Servlet Spec requires that 403
    Forbidden is returned for denied uncovered methods:

    "When the deny-uncovered-http-methods flag is set in the web.xml
    of an application, the container must deny any HTTP protocol method
    when it is used with a request URL for which the HTTP method is
    uncovered at the combined security constraint that applies to the
    url-pattern that is the best match for the request URL. The denied
    request shall be rejected as forbidden and a 403 (SC_FORBIDDEN)
    status code shall be returned."

    Hope that helps,
    Jan

    On 14 January 2016 at 21:54, Silvio Bierman
    <[email protected]
    <mailto:[email protected]>> wrote:

        Hello all,

        I am using Jetty 9.3.6.v20151106 and use
        ConstraintSecurityHandler to explicitly cover HTTP methods. I
        have called securityHandler.setDenyUncoveredHttpMethods(true).

        The problem is that Jetty does not actually deny the methods
        with a status 405 but instead returns an HTML page containing
        an error message. Security scanners employed by several of my
        customers flag this as allowing potentially harmful methods.

        How can I get Jetty to 405 uncovered methods? Do I have to
        cover them and 405 them myself?

        Thanks,

        Silvio

        _______________________________________________
        jetty-users mailing list
        [email protected] <mailto:[email protected]>
        To change your delivery options, retrieve your password, or
        unsubscribe from this list, visit
        https://dev.eclipse.org/mailman/listinfo/jetty-users




    -- Jan Bartel <[email protected] <mailto:[email protected]>>
    www.webtide.com <http://www.webtide.com>
    Expert assistance from the creators of Jetty and CometD


