Harsha,
Next time, don't post security issues to the dev@ list. Please only use
the security@ list for reporting vulnerabilities. Please see below.
On 11/8/24 12:34 PM, Harsha Vardhan Sai T wrote:
> I'm reaching out about an issue I've noticed in Tomcat related to
> handling requests that aren't properly authorized. Specifically, when a
> GET request is sent to the j_security_check endpoint (instead of a
> POST request), Tomcat is returning a 200 OK status code. However, the
> expected response should be a 405 Method Not Allowed status code,
> since j_security_check is intended to accept only POST requests.
Is there a specification document or reference which supports your claim
that the expected response status code should be 405?
My reading of Servlet Spec 6.1 section 13.6.3 is that j_security_check
is *REQUIRED* to return 200. (Specifically, see step #5 in the 8-step
authentication process.)
> *Here are the details:*
> * *Tomcat Version*: 9.0.95
> * *Issue*: When a GET request is sent to the j_security_check
>   endpoint, Tomcat responds with a 200 OK instead of a 405 Method
>   Not Allowed.
> * *Steps to Reproduce*:
>   1. Deploy a web application using form-based authentication.
>   2. Send a GET request to the j_security_check endpoint.
>   3. Observe the response status code.
> I've implemented a custom solution to handle this on my end, but I
> believe it would be better if Tomcat could handle this directly. This
> would improve security, as accepting GET requests on sensitive endpoints
> can allow attackers to bypass protections.
> Could you please let me know if there's a way to configure Tomcat to
> return the correct status code for this scenario, or if there are any
> plans to address this issue in future updates?
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
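A script that reproduces the check described in the report, sending a GET and then a POST to j_security_check and printing the status code of each, as an added example that is neither code from this thread nor Tomcat's own. It assumes a form-authentication webapp reachable at a base URL you pass on the command line (http://localhost:8080/myapp below is a placeholder); the POST carries deliberately wrong credentials in the j_username / j_password fields the Servlet spec defines, so no real account is needed. Interpretation of the GET status is left to the reader, since the two participants above disagree on what the spec requires. The connection_factory parameter is an injection point so the request-building logic can be exercised without a server.

```python
"""Probe a form-auth webapp's j_security_check with GET and POST.

Added example; not from the mailing-list thread or from Tomcat.
"""
import http.client
import sys
from urllib.parse import urlencode, urlsplit

# Login action and field names are fixed by the Servlet spec (form-based auth).
FORM_ACTION = "j_security_check"


def build_request(base_url, method, username="", password=""):
    """Build one request to <context>/j_security_check.

    Returns (host, port, path, headers, body). base_url is the webapp's
    context root, e.g. http://localhost:8080/myapp (placeholder value).
    """
    parts = urlsplit(base_url)
    path = parts.path.rstrip("/") + "/" + FORM_ACTION
    headers = {"Host": parts.netloc}
    body = None
    if method == "POST":
        # The login form posts these two fields; the values here are bogus
        # on purpose, we only care about the status code Tomcat answers with.
        body = urlencode({"j_username": username, "j_password": password})
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port, path, headers, body


def send(base_url, method, username="", password="", connection_factory=None):
    """Send the request; return (status, value of the Location header or None).

    connection_factory(host, port, timeout=...) is injectable so the probe
    can be exercised offline; by default it follows the URL scheme.
    """
    host, port, path, headers, body = build_request(base_url, method, username, password)
    if connection_factory is None:
        connection_factory = (http.client.HTTPSConnection
                              if urlsplit(base_url).scheme == "https"
                              else http.client.HTTPConnection)
    conn = connection_factory(host, port, timeout=10)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def probe(base_url, username="", password="", connection_factory=None):
    """Steps 2 and 3 of the report: GET, then POST, to the same endpoint.

    Returns {"GET": status, "POST": status} for side-by-side comparison.
    """
    results = {}
    for method in ("GET", "POST"):
        status, _location = send(base_url, method, username, password, connection_factory)
        results[method] = status
    return results


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/myapp"
    for method, status in probe(base, "nobody", "wrong-password").items():
        print(f"{method:4s} /{FORM_ACTION}: HTTP {status}")
```

Run it as `python probe.py http://localhost:8080/myapp` against a deployed form-auth application. A 302 on the POST is normal either way (redirect to the error page for bad credentials, or to the saved request for good ones); the GET line is the one the report is about.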