-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Friday, May 14, 2010 5:07 AM
To: Tomcat Users List
Subject: Re: Restrict http methods

Mark Thomas wrote:
> On 14/05/2010 09:06, André Warnier wrote:
>> Mark Thomas wrote:
>>> On 14/05/2010 00:28, André Warnier wrote:
>>>> Leo,
>>>>
>>>> normally in the default config of a webserver, these methods are by 
>>>> default disabled, for the simple reason that there is no "handler"
>>>> defined for them.  That is the case for Apache httpd, and I suppose 
>>>> for Tomcat.
>>> Nope. The default servlet supports both PUT and DELETE but they are 
>>> blocked by default.
>>>
>>>> I suppose that Tomcat could return a "405 Method Not Allowed" or a 
>>>> "501 Not Implemented" error code, but I am not sure what it does really.
>>> It returns a 403.
>>>
>>> Mark
>>>
>> Thanks.
>> Just for further information really :
>> If there is a webapp context say at /abc, with a servlet url-mapping 
>> of "/*", and this servlet does not have a doPut() method, does a PUT 
>> request to /abc get remapped to the default servlet ?
> 
> No. All requests, regardless of HTTP method, get passed to a Servlet's
> service() method. From the reference to doPut(), I assume that the 
> servlet in question is extending javax.servlet.http.HttpServlet
> 
> Rather than me describe what that code does:
> http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/http/HttpServlet.java?view=annotate
> 
>All right, I think I get it now.  My mindset is just not Java- or object-enough 
>oriented for me to think of that right away.
>So a servlet subclasses (or implements) HttpServlet, and if it does not itself 
>override the doPut and doDelete methods, the ones from the base class (or 
>interface) apply.
>And these return 403.

>Thanks for enlightening me.

>Leo, are you still with us ?
>;-)
>


Yes.  I wasn't implementing doPUT or doDELETE and was scratching my head trying 
to figure out how the security scan was able to indicate those methods were 
available.

Pid - see, I told you I have a lot to learn....

Btw, I had no idea that the code is published on the web.  Very cool.  Now 
you've got me on a diversion... So many questions....
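
Because every request reaches a servlet's service() method regardless of HTTP method, as described in the thread above, one way to make the accepted methods explicit is a servlet filter in front of the webapp. The following is an added example, not part of the original messages or of Tomcat's code; the class name MethodAllowListFilter and the init parameter allowedMethods are assumptions made for illustration.

```java
// Added example, not Tomcat's code. The class name and the "allowedMethods"
// init-param are assumptions made for this illustration.
import java.io.IOException;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MethodAllowListFilter implements Filter {
    private final Set<String> allowed = new LinkedHashSet<>();
    private String allowHeader;

    @Override
    public void init(FilterConfig config) {
        String param = config.getInitParameter("allowedMethods");
        if (param == null || param.trim().isEmpty()) {
            param = "GET,HEAD,POST"; // default when nothing is configured
        }
        for (String name : param.split(",")) {
            String method = name.trim().toUpperCase(Locale.ROOT);
            if (!method.isEmpty()) allowed.add(method);
        }
        allowHeader = String.join(", ", allowed);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Method tokens are case-sensitive, so compare the request method exactly.
        if (req instanceof HttpServletRequest
                && !allowed.contains(((HttpServletRequest) req).getMethod())) {
            HttpServletResponse response = (HttpServletResponse) res;
            response.setHeader("Allow", allowHeader);
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return; // rejected before any servlet's service() runs
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Declare the filter in the webapp's web.xml and map it to /* so it runs ahead of a servlet mapped to /*; a rejected request then gets a 405 with an Allow header listing the configured methods.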

