Mark Thomas wrote:
On 14/05/2010 00:28, André Warnier wrote:
Leo,

Normally, in the default config of a webserver, these methods are by
default disabled, for the simple reason that there is no "handler"
defined for them.  That is the case for Apache httpd, and I suppose for
Tomcat.

Nope. The default servlet supports both PUT and DELETE but they are
blocked by default.

I suppose that Tomcat could return a "405 Method Not Allowed" or a "501
Not Implemented" error code, but I am not sure what it does really.

It returns a 403.

Mark

Thanks.
Just for further information, really:
If there is a webapp context, say at /abc, with a servlet url-mapping of "/*", and this servlet does not have a doPut() method, does a PUT request to /abc get remapped to the default servlet?



Leo Donahue - PLANDEVX wrote:
Thanks.

Security audit day.  Spent 3 hours making changes - waiting for
results, when the tool ended up reporting a false-positive for DELETE.
Now I know I could have done nothing.  Great.  I still don't have warm
fuzzies about this.

I think they used IBM Rational App Scan, not sure though.

Leo
-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent:
Thursday, May 13, 2010 3:13 PM
To: Tomcat Users List
Subject: RE: Restrict http methods
From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
Subject: Restrict http methods

What do most people use to restrict PUT and DELETE http methods?

2. Set the attribute "readonly" to true in the default servlet in web.xml

The readonly attribute defaults to true, so most people do ... nothing.

 - Chuck




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
