Hi all,
I've been having some conversations at $work about Tomcat's handling of
TRACE requests and the allowTrace option on the Connector. Something
that was said in that discussion got me thinking. Why do we have special
handling for TRACE requests on the Connector? Why not use a security
constraint in the global web.xml?
I've done a quick test, setting allowTrace to true on the Connector and
adding the following to the global web.xml:
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
This blocks TRACE requests as expected.
What do the folks here think about deprecating allowTrace on the
Connector for 10.0.x and removing it (and the special handling in
HttpServlet) in 10.1.x onwards, replacing it with the security
constraint above?
Mark
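A small audit check, added here as an example (it is not part of Mark's mail or of Tomcat itself), that reads a web.xml and reports whether it carries a constraint of the shape proposed above: /* plus TRACE with an empty auth-constraint. The sample web.xml is constructed; the jakarta namespace is assumed for Tomcat 10, and files without a namespace are handled too.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Tomcat conf/web.xml (assumption: the
# jakarta namespace used by Tomcat 10; namespace-less files also work).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="5.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Block TRACE</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>
"""

def _local(tag):
    """Strip any XML namespace so tag checks work with or without xmlns."""
    return tag.rsplit('}', 1)[-1]

def trace_denied_for_all(web_xml_text):
    """True if some security-constraint denies TRACE on /* to every caller.

    An empty <auth-constraint/> (no role-name) means 'nobody may access'.
    A constraint that names roles only restricts TRACE to those roles, and
    one without an auth-constraint grants access, so neither counts.
    A collection with no http-method covers all methods, unless TRACE is
    listed in http-method-omission.
    """
    root = ET.fromstring(web_xml_text)
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        covers_trace = False
        for wrc in sc:
            if _local(wrc.tag) != 'web-resource-collection':
                continue
            patterns = {c.text.strip() for c in wrc if _local(c.tag) == 'url-pattern' and c.text}
            methods = {c.text.strip().upper() for c in wrc if _local(c.tag) == 'http-method' and c.text}
            omitted = {c.text.strip().upper() for c in wrc if _local(c.tag) == 'http-method-omission' and c.text}
            if '/*' in patterns and ('TRACE' in methods or (not methods and 'TRACE' not in omitted)):
                covers_trace = True
        auths = [c for c in sc if _local(c.tag) == 'auth-constraint']
        denies_all = any(not [r for r in a if _local(r.tag) == 'role-name'] for a in auths)
        if covers_trace and denies_all:
            return True
    return False
```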