Thanks, that seems to have done the trick.

Mark Lenz
Software Engineer
Control Systems Group
Pierce Manufacturing, Inc.
(920) 832-3523
[EMAIL PROTECTED]


Tim Funk <[EMAIL PROTECTED]> wrote on 09/11/2003 03:24 PM
To: Tomcat Users List <[EMAIL PROTECTED]>
Subject: Re: TRACE/TRACK methods




I think this *might* work ... Otherwise google works very nice ...

<security-constraint>
   <web-resource-collection>
     <web-resource-name>cowbell</web-resource-name>
     <url-pattern>/*</url-pattern>
     <!-- only the listed method is constrained; GET, POST etc. stay open -->
     <http-method>TRACE</http-method>
   </web-resource-collection>
   <!-- an auth-constraint that names no usable role denies access to everyone -->
   <auth-constraint>
     <role-name></role-name>
   </auth-constraint>
</security-constraint>

-Tim

Mark Lenz wrote:

> I'm not sure exactly how to do this.  The Servlet Spec is pretty vague on
> how to add a security-constraint denying access via an http-method. Could
> you give me an example?
> Thanks.
>
> Mark Lenz
> Software Engineer
> Control Systems Group
> Pierce Manufacturing, Inc.
> (920) 832-3523
> [EMAIL PROTECTED]
>
>
> Tim Funk <[EMAIL PROTECTED]> wrote on 09/11/2003 11:44 AM
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: TRACE/TRACK methods
>
>
> You can add a security constraint in web.xml to disable TRACE.
>
> -Tim
>
> Mark Lenz wrote:
>
>>Our company conducted a security audit and Tomcat was reported as
>>supporting TRACE and TRACK.  It said, "It has been shown that servers
>>supporting this method are subject to cross-site-scripting attacks, dubbed
>>XST for 'Cross-Site-Tracing', when used in conjunction with various
>>weaknesses in browsers."  I have been assigned the task of turning off this
>>support, but I have searched Google, tomcat-user archives and the Tomcat
>>documentation to no avail.  Does anyone know how to disable these methods?
>>Thanks.
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>
>
>
> The information contained in this electronic mail message is confidential
> information and intended only for the use of the individual or entity named
> above, and may be privileged.  If the reader of this message is not the
> intended recipient, you are hereby notified that any dissemination,
> distribution or copying of this communication is strictly prohibited.  If
> you have received this transmission in error, please  contact the sender
> immediately, delete this material from your computer and destroy all
> related paper media.  Please note that the documents transmitted are not
> intended to be binding until a hard copy has been manually signed by all
> parties.
> Thank you.
>
>
>
>
>
>
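As an added example (not code from this thread and not Tomcat's own), a small Python audit that reads a web.xml and reports whether some security-constraint denies a method to every user. It applies the two servlet-spec rules Tim's fragment relies on: an auth-constraint that names no usable role denies everyone, and a web-resource-collection with no http-method covers every method. The sample web.xml strings are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip a {namespace} prefix so 2.3-style and namespaced web.xml both work."""
    return tag.rsplit("}", 1)[-1]

def _children(el, name):
    return [c for c in el if _local(c.tag) == name]

def _covers(pattern, path):
    """Servlet url-pattern match, limited to exact and '/prefix/*' patterns."""
    pattern = (pattern or "").strip()
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern

def denies_method(web_xml, method="TRACE", path="/"):
    """True if a security-constraint denies `method` on `path` to every user."""
    root = ET.fromstring(web_xml)
    for sc in _children(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        if not auth:
            continue  # no auth-constraint at all: the collection is unrestricted
        roles = [r.text or "" for r in _children(auth[0], "role-name")]
        if any(r.strip() for r in roles):
            continue  # a real role is let in, so this is not a deny-all rule
        for wrc in _children(sc, "web-resource-collection"):
            methods = {m.text.strip().upper() for m in _children(wrc, "http-method") if m.text}
            if methods and method.upper() not in methods:
                continue  # constraint is limited to other methods
            if any(_covers(p.text, path) for p in _children(wrc, "url-pattern")):
                return True
    return False

# Constructed sample in the shape of Tim's fragment (empty role-name = deny all).
DENY_TRACE = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>cowbell</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint><role-name></role-name></auth-constraint>
</security-constraint></web-app>"""
# Same file but listing only GET: TRACE is then left reachable.
ONLY_GET = DENY_TRACE.replace(">TRACE<", ">GET<")

if __name__ == "__main__":
    print("TRACE denied:", denies_method(DENY_TRACE))  # True
    print("TRACE denied:", denies_method(ONLY_GET))    # False
```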

