0

If trace is enabled, what is the impact of that option on the server? I need a solution for preventing deployment security misconfigurations in applications by disabling the trace feature.

EM-Creations

1 Answer

0

Probably you don't need to look at the "trace" debugging level in Tomcat (which is named "FINEST" instead), but in the web application deployed on Tomcat. The logger in the webapp determines what kind of logs are added. Anyway, if you want to filter your logs because you have no possibility to configure the webapp's logs, in the "conf" folder there is a file "logging.properties" where you can set up in detail how to manage application-specific logs. E.g.:

5mywebapp.domain.org.apache.juli.FileHandler.level = FINE
5mywebapp.domain.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
5mywebapp.domain.org.apache.juli.FileHandler.prefix = mywebapp.
[...]
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/mywebapp].level = FINE
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/mywebapp].handlers = 5mywebapp.domain.org.apache.juli.FileHandler

lets Tomcat add logs for the webapp under /mywebapp to a different log file. Clearly, performance will change, depending on the type of logs you want to include. Further details for Tomcat 7 here: https://tomcat.apache.org/tomcat-7.0-doc/logging.html

UPDATE: if you refer to the Tomcat Connector option "allowTrace", then this refers to the possibility for Tomcat to accept TRACE requests. Tomcat 7 disables it by default, and the option is Tomcat-dependent; indeed, you can work on your web.xml to be sure to stop such requests. Further hints here: "How to TEST if TRACE, OPTIONS http methods are disabled in Tomcat 7", an indirect answer here: "Tomcat security-constraints TRACE inconsistent", and finally here (even if referring to Tomcat 6): "Disabling PUT TRACE DELETE request in Apache Tomcat 6.0".

Sampisa
  • But I want to show the user: if allowTrace="True" is there, how will the security feature be disabled? – user3555796 Nov 28 '17 at 05:25
  • "there".... where? What user? What security feature? What is "allowTrace"? Are you talking about Tomcat logging or Connector params? Sorry, but you should try to be more clear in your request, honestly I still don't understand your needs. – Sampisa Nov 28 '17 at 14:22
  • A Java project which shows security misconfiguration vulnerabilities using different techniques, like allowTrace, maxlength, enabled directory list...! – user3555796 Nov 29 '17 at 08:46
  • I clarified/improved my answer. Maybe this is what you need. – Sampisa Nov 29 '17 at 14:27
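
A configuration check for the two settings the answer's update mentions, as an added example that is not part of the original answer: it flags Connectors in server.xml with allowTrace="true" and checks whether web.xml carries a security-constraint that denies TRACE. The sample XML is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the page).
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" allowTrace="true"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
  </Service>
</Server>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>no-trace</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip an XML namespace: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def texts(elem, name):
    """Set of stripped text values of all descendants named `name`."""
    return {(e.text or "").strip() for e in elem.iter() if local(e.tag) == name}

def connectors_allowing_trace(server_xml):
    """Ports of Connectors whose allowTrace is explicitly set to true."""
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter("Connector")
            if c.get("allowTrace", "false").strip().lower() == "true"]

def webxml_denies_trace(web_xml):
    """True if a security-constraint covers TRACE on /* with an empty
    <auth-constraint/> (no role listed, so no caller is authorized)."""
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc if local(e.tag) == "auth-constraint"]
        if (auth and len(auth[0]) == 0 and "TRACE" in texts(sc, "http-method")
                and "/*" in texts(sc, "url-pattern")):
            return True
    return False

if __name__ == "__main__":
    print(connectors_allowing_trace(SERVER_XML), webxml_denies_trace(WEB_XML))
```

Run it against the real conf/server.xml and the webapp's WEB-INF/web.xml by reading those files and passing their contents to the two functions.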