Hi,

> Is there any way to prevent the server from responding to these methods? I
> ran the same scan tests on one of our Apache boxes and it came back completely
> dead on the PUT and DELETE methods, i.e. it didn't respond in any way;
> that's the behaviour we're looking for. Would the same not be possible on
> Tomcat standalone?
Please define "completely dead" more specifically: did your scans time out? Return with a 404 error? Another HTTP response code?

You can do a variety of things, depending on how portable you want to be. I like the security-constraint approach.

Another possibility is a simple filter (javax.servlet.Filter, portable) or Valve (Tomcat-specific, but earlier in the request processing pipeline, which might be key for you, and also slightly more performant), which simply checks the request method (HttpServletRequest#getMethod) and rejects the request if needed in whatever way you prefer.

Going further down the customization path would be modifying the Coyote connector itself to reject requests with certain methods. This would be a generalization of the current allowTrace functionality. If you do a nice patch for this, feel free to suggest it back to us as an enhancement ;)

Yoav Shapira
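As an added illustration of the Filter approach mentioned above (this is example code, not from the thread or from Tomcat), here is a portable javax.servlet.Filter that permits only an allowlisted set of methods and answers everything else with 405 Method Not Allowed. The class name and the `allowedMethods` init-param are my own choices; wire it up with a filter-mapping on `/*` in web.xml.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (hypothetical name): allows only the methods named in the
 * "allowedMethods" init-param (default GET, HEAD, POST) and rejects all others
 * with 405. An allowlist is used rather than a denylist so that unusual or
 * non-standard methods are refused as well, not just PUT and DELETE.
 */
public class MethodAllowlistFilter implements Filter {
    private Set<String> allowed;

    @Override
    public void init(FilterConfig config) {
        String param = config.getInitParameter("allowedMethods");
        if (param == null || param.trim().isEmpty()) {
            param = "GET,HEAD,POST";
        }
        allowed = new HashSet<>();
        for (String m : param.split(",")) {
            allowed.add(m.trim().toUpperCase(Locale.ROOT));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String method = request.getMethod().toUpperCase(Locale.ROOT);
        if (!allowed.contains(method)) {
            // A 405 response should carry an Allow header listing acceptable methods.
            response.setHeader("Allow", String.join(", ", allowed));
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return; // sendError commits the response; do not continue the chain
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Unlike a security-constraint that lists specific http-method elements, which constrains only the methods it names, this allowlist also refuses any method you did not think to list.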