Hi Artnaseef, thanks for the reply. I read the post <http://jetty.4.x6.nabble.com/Disable-HTTP-TRACE-in-Jetty-5-x-td12964.html> at Jetty's forum before falling back on this forum. It seems that Jetty 4.x/5.x needs you to put in the security constraint to disable TRACE, while in 6.x and later it comes by default.
In my case, with apache-activemq-5.9.0, the Jetty version is "7.6.9.v20130131". Looking at conf/activemq.xml as a reference, all the connectors (openwire, amqp, stomp, mqtt) had TRACE disabled as expected, maybe because those aren't even HTTP-based protocols. The '<import resource="jetty.xml"/>' line is explicit in 'activemq.xml'. But the "WS" (WebSocket) connector has a different behavior: it appears not to import the constraint from the webdefault.xml file in Jetty. The point is: why do all the other protocols, including the HTTP-based ones, have the TRACE method disabled correctly, except the WebSocket port 61614? ... or at least they don't show up in vulnerability scans ...

conf/activemq.xml:

    <transportConnectors>
        <!-- DOS protection, limit concurrent connections to 1000 and frame size to 100MB -->
        <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&wireFormat.maxFrameSize=104857600"/>
        <transportConnector name="amqp" uri="amqp://0.0.0.0:5672?maximumConnections=1000&wireFormat.maxFrameSize=104857600"/>
        <transportConnector name="stomp" uri="stomp://0.0.0.0:61613?maximumConnections=1000&wireFormat.maxFrameSize=104857600"/>
        <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000&wireFormat.maxFrameSize=104857600"/>
        <transportConnector name="ws" uri="ws://0.0.0.0:61614?maximumConnections=1000&wireFormat.maxFrameSize=104857600"/>
    </transportConnectors>

    <import resource="jetty.xml"/>

Remember that for the Security team it doesn't matter what the real purpose of this WebSocket port is.
They only see the security issue and I can't argue against it effectively. Here is what really happens in my tests for all ports opened by apache-activemq:

---------------------------------------------------------------------------------------------
( Not OK )

-sh-4.1$ telnet localhost 61614
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
TEST TEST

HTTP/1.1 200 OK
Content-Type: message/http
Content-Length: 26
Server: Jetty(7.6.9.v20130131)

TRACE / HTTP/1.0
TEST:
Connection closed by foreign host.

---------------------------------------------------------------------------------------------
( OK ! )

-sh-4.1$ telnet localhost 8161
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
TEST TEST

HTTP/1.1 404 Not Found
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1267
Server: Jetty(7.6.9.v20130131)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 404 Not Found</title>
</head>
<body>
<h2>HTTP ERROR: 404</h2>
<p>Problem accessing /. Reason:
<pre>    Not Found</pre></p>
<hr /><i><small>Powered by Jetty://</small></i>
</body>
</html>
Connection closed by foreign host.

---------------------------------------------------------------------------------------------
( OK ! )

-sh-4.1$ telnet localhost 61616
Trying ::1...
Connected to localhost.
Escape character is '^]'.
�ActiveMQ � MaxFrameSize@ CacheSize CacheEnabledSizePrefixDisabled MaxInactivityDurationInitalDelay'TcpNoDelayEnabledMaxInactivityDurationu0TightEncodingEnabledStackTraceEnabled
Connection closed by foreign host.

---------------------------------------------------------------------------------------------
( OK ! but it locked my shell )

-sh-4.1$ telnet localhost 5672
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
host:localhost
.
TEST TEST
.^C

---------------------------------------------------------------------------------------------
( OK ! but it locked my shell too )

-sh-4.1$ telnet localhost 61613
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
host:localhost
TEST TEST
.
^X^C

---------------------------------------------------------------------------------------------
( OK ! but it locked my shell too )

-sh-4.1$ telnet localhost 1883
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
host:localhost
TEST TEST
.
^C

---------------------------------------------------------------------------------------------

Best regards,
Edson M. Barbosa

On Sat, Apr 5, 2014 at 11:52 AM, artnaseef [via ActiveMQ] <ml-node+s2283324n4680088...@n4.nabble.com> wrote:

> Poking around the code, it looks like there is no way to configure this
> without a code change.
>
> Reading the following post,
> http://jetty.4.x6.nabble.com/Disable-HTTP-TRACE-in-Jetty-5-x-td12964.html,
> it seems it may not be necessary though. The TRACE method by default, while
> enabled, does not return content.
>
> Can you test and see if that satisfies the security issue?
>
> If disabling TRACE is needed, and my analysis of the need for a code
> change is correct, then a jira entry would be the next best step.
--
View this message in context: http://activemq.2283324.n4.nabble.com/how-to-disable-TRACE-method-on-port-61614-tp4680056p4680129.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
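The manual telnet check above, turned into a repeatable verification step, as an added example that is not part of the thread and not code from ActiveMQ or Jetty. It classifies a service's answer to a TRACE request the same way the post does by eye: a 200 with Content-Type message/http that echoes the request back means TRACE is reflected (the 61614 case), a 404/405/403/501 means it is rejected (the 8161 console case), a non-HTTP reply means the port does not speak HTTP at all (OpenWire on 61616), and a read timeout covers the AMQP/STOMP/MQTT ports that just sat there and "locked the shell". The sample responses are constructed from the transcripts in the post (bodies shortened, Content-Length recomputed); the byte fragment for OpenWire is an invented stand-in, not the real handshake.

```python
"""Classify how a TCP service answers an HTTP TRACE request.

Added example (not from the thread or from ActiveMQ/Jetty): reproduces the
telnet check from the post offline, plus a live probe with the same logic.
"""
import socket

# Constructed samples modelled on the responses pasted in the thread.
_ws_body = b"TRACE / HTTP/1.0\r\nTEST: TEST\r\n"
WS_61614_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: message/http\r\n"
    + b"Content-Length: " + str(len(_ws_body)).encode() + b"\r\n"
    + b"Server: Jetty(7.6.9.v20130131)\r\n"
    + b"\r\n" + _ws_body
)

_console_body = (b"<html><head><title>Error 404 Not Found</title></head>"
                 b"<body><h2>HTTP ERROR: 404</h2></body></html>")
CONSOLE_8161_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    + b"Cache-Control: must-revalidate,no-cache,no-store\r\n"
    + b"Content-Type: text/html;charset=ISO-8859-1\r\n"
    + b"Content-Length: " + str(len(_console_body)).encode() + b"\r\n"
    + b"Server: Jetty(7.6.9.v20130131)\r\n"
    + b"\r\n" + _console_body
)

# Invented stand-in for the binary OpenWire greeting seen on 61616 (not real bytes).
OPENWIRE_61616_RESPONSE = b"\x00\x00\x00\x1d\x01\x00\x08ActiveMQ\x00\x00\x00\x0c"


def classify_trace_response(raw: bytes) -> str:
    """Return 'trace-reflected', 'trace-rejected', 'not-http' or 'inconclusive'."""
    if not raw.startswith(b"HTTP/"):
        return "not-http"  # OpenWire-style binary, or no HTTP at all
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_parts = lines[0].split(b" ", 2)
    if len(status_parts) < 2 or not status_parts[1].isdigit():
        return "inconclusive"
    status = int(status_parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    ctype = headers.get(b"content-type", b"")
    # A TRACE reflection: 200, message/http, and the request echoed back in the body.
    if status == 200 and ctype.startswith(b"message/http") and body.startswith(b"TRACE "):
        return "trace-reflected"
    if status in (403, 404, 405, 501):
        return "trace-rejected"
    return "inconclusive"


def probe_trace(host: str, port: int, timeout: float = 3.0) -> str:
    """Live version of the telnet test: send TRACE / HTTP/1.0 and classify the reply."""
    request = b"TRACE / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    chunks = []
    try:
        # create_connection applies the timeout to later recv() calls as well.
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while sum(len(c) for c in chunks) < 65536:
                try:
                    chunk = sock.recv(4096)
                except socket.timeout:
                    break  # STOMP/AMQP/MQTT just wait, like the hung shells in the post
                if not chunk:
                    break
                chunks.append(chunk)
    except OSError:
        return "connect-failed"
    raw = b"".join(chunks)
    return "no-response" if not raw else classify_trace_response(raw)


if __name__ == "__main__":
    for label, sample in (("ws 61614", WS_61614_RESPONSE),
                          ("console 8161", CONSOLE_8161_RESPONSE),
                          ("openwire 61616", OPENWIRE_61616_RESPONSE)):
        print(f"{label}: {classify_trace_response(sample)}")
    # Live check against a broker you administer, e.g. probe_trace("localhost", 61614)
```

`probe_trace` only reports "trace-rejected" for an explicit error status, so a port that is merely silent stays "no-response" and is not mistaken for a fixed one; rerun it after any Jetty or connector change to confirm 61614 no longer answers with a reflected request.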