On Mon, Sep 27, 2021 at 1:03 PM Mark Thomas <ma...@apache.org> wrote:
>
> Hi all,
>
> I've been having some conversations at $work about Tomcat's handling of
> TRACE requests and the allowTrace option on the Connector. Something
> that was said in that discussion got me thinking. Why do we have special
> handling for TRACE requests on the Connector? Why not use a security
> constraint in the global web.xml?
>
> I've done a quick test, setting allowTrace to true on the Connector and
> adding the following to the global web.xml:
>
> <security-constraint>
>   <web-resource-collection>
>     <url-pattern>/*</url-pattern>
>     <http-method>TRACE</http-method>
>   </web-resource-collection>
>   <auth-constraint />
> </security-constraint>
>
> This blocks TRACE requests as expected.
>
> What do the folks here think about deprecating allowTrace on the
> Connector for 10.0.x and removing it (and the special handling in
> HttpServlet) in 10.1.x onwards - replacing it with the security
> constraint above.
It might not matter much these days, but this still looks like it would be
considerably less efficient (for a flag that will actually never be set to
false, right?).

Rémy

>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
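As an added check (not code from the thread or from Tomcat), a small Python audit that reports whether a deployment descriptor already carries a constraint equivalent to the one Mark shows: it assumes the same shape (TRACE on `/*` with an empty `<auth-constraint/>`) and ignores XML namespaces so both old and new web.xml schemas parse.

```python
# Added example: audit a Tomcat web.xml for a constraint equivalent to the
# one proposed in the thread (TRACE on /* with an empty <auth-constraint/>,
# which denies the method to everyone). Namespaces are ignored so both the
# old and new web.xml schemas parse. Not Tomcat's own code.
import xml.etree.ElementTree as ET

def _local(tag: str) -> str:
    """'{http://ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def trace_blocked(web_xml: str) -> bool:
    """True if a <security-constraint> denies TRACE on /* for everyone,
    i.e. its <auth-constraint> is present but names no <role-name>."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = _kids(sc, "auth-constraint")
        if not auth or _kids(auth[0], "role-name"):
            continue  # no auth needed, or role-based rather than a flat deny
        for wrc in _kids(sc, "web-resource-collection"):
            methods = {(m.text or "").strip().upper() for m in _kids(wrc, "http-method")}
            patterns = {(p.text or "").strip() for p in _kids(wrc, "url-pattern")}
            if "TRACE" in methods and "/*" in patterns:
                return True
    return False

# Constructed sample descriptors (not real deployments).
BLOCKED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""
ROLE_ONLY = """<web-app><security-constraint><web-resource-collection>
<url-pattern>/*</url-pattern><http-method>TRACE</http-method>
</web-resource-collection><auth-constraint><role-name>admin</role-name>
</auth-constraint></security-constraint></web-app>"""

if __name__ == "__main__":
    print("blocked:", trace_blocked(BLOCKED), "role-only:", trace_blocked(ROLE_ONLY))
```

A constraint that names a role only gates TRACE behind authentication rather than denying it, which is why ROLE_ONLY is reported as not blocked.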