
I am trying to disable the TRACE and OPTIONS methods at the Tomcat level. I've been trying out different ways to implement this but get the same result in all cases during testing. I'm not very familiar with telnet (or any networking) but my manner of testing in the cmd prompt is "telnet localhost 8080", then I paste "TRACE / HTTP/1.0" and press Enter twice. Any help is greatly appreciated.

1.) NO CHANGES in CATALINA_HOME/conf/web.xml

2.) Adding security constraint in CATALINA_HOME/conf/web.xml

<security-constraint>
    <web-resource-collection>
       <web-resource-name>All Access</web-resource-name>
       <url-pattern>/*</url-pattern>
       <http-method>OPTIONS</http-method>
       <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

3.) Add allowTrace="false" in Connector tag of CATALINA_HOME/conf/server.xml

4.) Add allowTrace="false" in Connector tag of CATALINA_HOME/conf/server.xml & Add xml to CATALINA_HOME/conf/web.xml's Default Servlet tag

<init-param>
   <param-name>readonly</param-name>
   <param-value>true</param-value>
</init-param>

Results in all cases

TRACE / HTTP/1.0 (404 Not Found)

OPTIONS / HTTP/1.0 (404 Not Found)

TRACE /(name of webservice) HTTP/1.0 (302 Found)

OPTIONS /(name of webservice) HTTP/1.0 (302 Found)

Tomcat was restarted after every change by issuing shutdown.bat and startup.bat. I'm obviously doing something wrong (testing/config) because I get the same result no matter what I change. I've read that I should be expecting a 405 error to signify that the http methods have been disabled.

Vasil Lukach
Michael Sanchez

2 Answers


Those results are as expected when you don't have a ROOT web application deployed. If you follow the redirect you get with the 302 responses to a valid resource you'll start to see the 405 responses.

It comes down to the order that Tomcat performs the various checks and that the Mapper is one of the first components to process a request (it determines the Host, web application and Servlet to route the request to).

The first 2 return 404s because you don't have a default web application. The Mapper returns a 404 as early as possible (for efficiency) so you don't get as far as the code that checks to see if TRACE is enabled.

The second 2 return 302s because again the Mapper is redirecting /name-of-web-service to /name-of-web-service/. Again this happens as early as possible and again it is before the checks to see if TRACE is enabled.

If you perform your tests with a path that exists, you should see the 405 you expect.

Mark Thomas
Wow, that did it! On the other remote machine (where it works) there was a ROOT path in the Tomcat, compared to where I was testing, which did not. I was actually testing "TRACE /" instead of the name, but after reading your comment I adjusted it to "TRACE //" and it worked! Got the 405 error I was looking for. Thank you for your explanation! – Michael Sanchez Jun 06 '14 at 01:54

I applied the following configuration:

    <security-constraint>
    <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
    <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint />
    </security-constraint> 

In the case of the HTTPS OPTIONS request, the result was 403 Forbidden.

    nc <host> <port>
    OPTIONS / HTTP/1.0

In the case of TRACE, I got an HTTP 405 – Method Not Allowed, which means that it is disabled; in fact it is disabled by default in the Server.xml.
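The raw-request test from the question, scripted so the 404 / 302 / 405 progression that the accepted answer explains (and the 403 the second answer gets from a security-constraint) can be checked for several paths at once. This is an added example, not code from the question or either answer: it builds the same "TRACE / HTTP/1.0" request that was typed into telnet, reads the status line, and classifies it. The `/myservice` path is a placeholder, and the `_StubTomcat` class is a constructed local stand-in that only reproduces the response ordering described above so the script runs offline; against a real Tomcat, call `check_methods("localhost", 8080, [...])` instead.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_request(method, path, host="localhost"):
    """Raw request bytes, same shape as 'TRACE / HTTP/1.0' plus a blank line typed into telnet."""
    return f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_status(response):
    """Return (status_code, reason) from the first line of a raw HTTP response."""
    status_line = response.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def probe(host, port, method, path, timeout=5.0):
    """Send one raw request over a plain socket and return the status code answered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(method, path, host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:          # HTTP/1.0: the server closes after the response
                break
            chunks.append(data)
    return parse_status(b"".join(chunks))[0]


def verdict(code):
    """Map a status code to what it says about the TRACE/OPTIONS hardening."""
    if code == 405:
        return "method rejected by Tomcat (allowTrace=false / method not supported)"
    if code == 403:
        return "method blocked by a security-constraint"
    if code in (404, 302):
        return "Mapper answered before the method check: path is not a deployed resource, retest with a valid path"
    return f"unexpected status {code}: inspect the full response"


def check_methods(host, port, paths, methods=("TRACE", "OPTIONS")):
    """Probe every (method, path) pair and return {(method, path): status_code}."""
    return {(m, p): probe(host, port, m, p) for p in paths for m in methods}


class _StubTomcat(BaseHTTPRequestHandler):
    """Constructed stand-in reproducing the response ordering the accepted answer
    describes. It is NOT Tomcat, only a local target so the script runs offline."""

    def _route(self):
        if self.path == "/":
            self.send_response(404)            # no ROOT webapp: Mapper answers first
        elif not self.path.endswith("/"):
            self.send_response(302)            # Mapper redirects /app to /app/
            self.send_header("Location", self.path + "/")
        else:
            self.send_response(405)            # valid path: the method check finally runs
        self.end_headers()

    do_TRACE = _route
    do_OPTIONS = _route

    def log_message(self, *args):            # keep the demo output quiet
        pass


def run_demo(paths=("/", "/myservice", "/myservice/")):
    """Start the stub on an ephemeral port, probe it, and return the result table."""
    server = HTTPServer(("127.0.0.1", 0), _StubTomcat)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return check_methods("127.0.0.1", server.server_address[1], paths)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Against a real Tomcat: check_methods("localhost", 8080, ["/", "/myservice", "/myservice/"])
    for (method, path), code in run_demo().items():
        print(f"{method:7} {path:12} -> {code}  {verdict(code)}")
```

The point of probing `/`, `/myservice` and `/myservice/` together is that only the last one reaches Tomcat's method check; a 404 or 302 on the other two says nothing about whether TRACE or OPTIONS is disabled.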