Actually I did have a ConstraintSecurityHandler in there. It is on the
ServletContextHandler if you create it with the security
property/option. But since I noticed that my doPut/doDelete/doTrace
methods in the servlet (which did a response.sendError(405)) were
called anyway I assumed I was doing something wrong and removed that
part from the code without noticing anything being different.
Since I have only one servlet class in my system it does not matter much
either way. The banned methods do return error status codes so I think I
am fine.
Cheers,
Silvio
On 01/15/2016 04:41 PM, Joakim Erdfelt wrote:
If you are using a WebAppContext, then the ConstraintSecurityHandler
can be used.
Joakim Erdfelt / [email protected]
On Fri, Jan 15, 2016 at 4:59 AM, Silvio Bierman
<[email protected]> wrote:
Hello Jan,
Thanks for the reply. At least I now know that Jetty would deny
with an HTTP status instead of an error page, which probably means
the methods are not blocked properly.
I was so stupid not to mention that I am using Jetty in embedded
mode. I do not use the web-application stuff nor do I have a
web.xml. I must be doing something wrong with my embedding code. I
will dive into this and come back here if I have questions.
Cheers,
Silvio
On 01/15/2016 03:16 AM, Jan Bartel wrote:
Hi Silvio,
Both the jetty unit tests and informal testing show that jetty
will return an error 403 Forbidden. For example, see:
https://github.com/eclipse/jetty.project/blob/master/jetty-security/src/test/java/org/eclipse/jetty/security/SpecExampleConstraintTest.java#L264
Section 13.8.4.2 of the 3.1 Servlet Spec requires that 403
Forbidden is returned for denied uncovered methods:
"When the deny-uncovered-http-methods flag is set in the web.xml of an
application, the container must deny any HTTP protocol method when it is
used with a request URL for which the HTTP method is uncovered at the
combined security constraint that applies to the url-pattern that is the
best match for the request URL. The denied request shall be rejected as
forbidden and a 403 (SC_FORBIDDEN) status code shall be returned."
Hope that helps,
Jan
On 14 January 2016 at 21:54, Silvio Bierman
<[email protected]> wrote:
Hello all,
I am using Jetty 9.3.6.v20151106 and use
ConstraintSecurityHandler to explicitly cover HTTP methods. I
have called securityHandler.setDenyUncoveredHttpMethods(true).
The problem is that Jetty does not actually deny the methods
with a status 405 but instead returns an HTML page containing
an error message. Security scanners employed by several of my
customers flag this as allowing potentially harmful methods.
How can I get Jetty to 405 uncovered methods? Do I have to
cover them and 405 them myself?
Thanks,
Silvio
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
--
Jan Bartel <[email protected]>
www.webtide.com
/Expert assistance from the creators of Jetty and CometD/
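The embedded setup the thread talks about, as an added example (not code from the thread or from the Jetty project): a ServletContextHandler created with the SECURITY option, GET and HEAD explicitly covered by a permissive constraint, and setDenyUncoveredHttpMethods(true) so every other method is refused by the container with 403 Forbidden before the servlet runs. Class and servlet names are placeholders; it assumes the Jetty 9.3 embedded API and no LoginService, since no constraint here requires authentication.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;

public class DenyUncoveredMethodsExample {
    // Constructed for this example: a servlet that only implements GET. HttpServlet's
    // default doPut/doDelete/doTrace would answer 405, but with the constraints below
    // such requests are rejected by the container before the servlet ever sees them.
    public static class HelloServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("hello");
        }
    }
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        // The SECURITY option makes the context create a ConstraintSecurityHandler.
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SECURITY);
        context.setContextPath("/");
        context.addServlet(new ServletHolder(new HelloServlet()), "/*");
        ConstraintSecurityHandler security = (ConstraintSecurityHandler) context.getSecurityHandler();
        // Permissive constraint (no authentication, no roles). Mapping a method to it at a
        // path makes that method "covered" there and allows it.
        Constraint permit = new Constraint();
        permit.setName("permit");
        permit.setAuthenticate(false);
        for (String method : new String[] {"GET", "HEAD"}) {
            ConstraintMapping mapping = new ConstraintMapping();
            mapping.setPathSpec("/*");
            mapping.setMethod(method);
            mapping.setConstraint(permit);
            security.addConstraintMapping(mapping);
        }
        // Every other method at /* is now uncovered: deny it in the container with 403
        // Forbidden, the status Servlet 3.1 section 13.8.4.2 prescribes (not 405).
        security.setDenyUncoveredHttpMethods(true);
        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

A 405 for PUT, DELETE or TRACE is only possible if those methods are covered (mapped to the permissive constraint) so the request reaches the servlet and HttpServlet's default handlers answer it; the container-level denial is always 403.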