Hi,

Thanks for your answer and fix for the TRACE and OPTIONS methods. But what about my other question: "I need to limit this list of allowed methods for my app, eg. only to: GET, POST."

You wrote something about "disallowed-methods":
- In Pax Web 7 it looks like it's only for Jetty, nothing for Tomcat, and the "disallowed-methods" attribute is not handled for Undertow (it is in Pax Web 8)
but I don't understand how I can use it?

PS. I mistook the HTTP error code in my previous message - I wrote about 403 instead of 405, but I see that you corrected it in your answer :)

--
Best regards,
Daniel

Monday, 10 January 2022 at 13:45:53 UTC+1 gr.gr...@gmail.com wrote:
> Hello
>
> Thanks for the summary of the problem - actually I never thought about the OPTIONS method ;)
>
> So let me present the picture:
>
> - The TRACE method is disabled at Pax Web level itself and it was implemented with https://github.com/ops4j/org.ops4j.pax.web/issues/563 / PAXWEB-229 >10 years ago. I have no idea why HTTP/500 (Internal Server Error) instead of HTTP/405 (Method Not Allowed) was chosen...
> - Because runtimes (Jetty/Tomcat/Undertow) aren't aware of PAXWEB-229, it means OPTIONS still returns TRACE
> - In Pax Web 8 I've reimplemented the TRACE method removal using runtime-specific mechanisms:
>   - Jetty: org.ops4j.pax.web.service.jetty.internal.PaxWebServletHandler#doHandle()
>   - Tomcat: org.apache.catalina.connector.Connector#setAllowTrace(false) (no way to configure it to true)
>   - Undertow: io.undertow.server.handlers.DisallowedMethodsHandler - configured using the http(s)-listener/@disallowed-methods attribute (defaults to "TRACE").
> - In Pax Web 7 it looks like it's only for Jetty, nothing for Tomcat, and the "disallowed-methods" attribute is not handled for Undertow (it is in Pax Web 8)
>
> So you made me realize that the OPTIONS method may return TRACE on Pax Web 8 for the Jetty runtime. It should be fine on Tomcat and Undertow, but I've created https://github.com/ops4j/org.ops4j.pax.web/issues/1664 to check this.
>
> regards
> Grzegorz Grzybek
>
> Tue, 28 Dec 2021 at 17:32 Daniel Stoch <daniel...@gmail.com> wrote:
>> Hi,
>>
>> I am using PaxWeb 7.2.x and servlet registration using whiteboard.
>> By default Jetty allows calling the OPTIONS HTTP method, which returns:
>>
>> *Allow*: GET, HEAD, POST, TRACE, OPTIONS
>>
>> For other known methods a proper 403 error is returned.
>> For other unknown methods (eg. BLABLA) 501 is returned (maybe not the best option for security reasons).
>> For the TRACE method PaxWeb raises an exception and returns 500 (I don't know why it is blocked in PaxWeb code?).
>>
>> I need to limit this list of allowed methods for my app, eg. only to: GET, POST.
>> And then the server should return 403 for all others.
>>
>> I can implement a dedicated servlet filter for this, but maybe there is another, better way to do this? Especially when the OPTIONS method is available, the server should return only the configured allowed methods in the response header.
>>
>> Are there any options for doing this in PaxWeb 7 using whiteboard? Or maybe it should be done directly in Jetty configuration using jetty.xml?
>>
>> --
>> Best regards,
>> Daniel Stoch
>>
>> --
>> OPS4J - http://www.ops4j.org - op...@googlegroups.com
>> You received this message because you are subscribed to the Google Groups "OPS4J" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to ops4j+un...@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/ops4j/329ce887-9d33-411b-8797-cae4ab9aa08bn%40googlegroups.com.
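One way to build the dedicated servlet filter Daniel mentions, as an added example that is not part of the thread or of Pax Web itself: it is written against the javax.servlet 3.1 API that Pax Web 7 uses, the class name `AllowedMethodsFilter` is an assumption, and it answers with 405 (the code Daniel corrected to) and an `Allow` header that lists only the configured methods, so Jetty's default `Allow: GET, HEAD, POST, TRACE, OPTIONS` is never sent.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Enforces an explicit HTTP method allow-list in front of whiteboard servlets
 * (hypothetical class, not from Pax Web). Anything outside the list, known or
 * unknown and TRACE included, gets a uniform 405 with an Allow header that
 * names only the configured methods.
 */
public class AllowedMethodsFilter implements Filter {
    private final Set<String> allowed;
    private final String allowHeader;

    public AllowedMethodsFilter(String... methods) {
        allowed = new LinkedHashSet<>(Arrays.asList(methods));  // order is kept for the Allow header
        allowHeader = String.join(", ", allowed);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String method = request.getMethod();

        if (!allowed.contains(method)) {
            // Same answer for BLABLA, PUT or TRACE: no 501/500 that hints at what the container supports
            response.setHeader("Allow", allowHeader);
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        if ("OPTIONS".equals(method)) {
            // Answered here (only when OPTIONS is itself in the list), so the container's own
            // Allow list, which on Jetty still contains TRACE, never reaches the client
            response.setHeader("Allow", allowHeader);
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Register it via the whiteboard with the OSGi HTTP Whiteboard property `osgi.http.whiteboard.filter.pattern=/*` and pass the list to the constructor, e.g. `new AllowedMethodsFilter("GET", "POST", "OPTIONS")`. With only GET and POST configured, HEAD is rejected as well, so add it to the list if clients are expected to probe resources.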