Re: [jetty-users] Disable invalid HTTP method error page

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] Disable invalid HTTP method error page

From: Silvio Bierman <sbierman@xxxxxxxxxxxxxxxxxx>
Date: Fri, 15 Jan 2016 12:59:03 +0100
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1

Hello Jan,

Thanks for the reply. At least I now know that Jetty would deny with an HTTP status instead of an error page, which probably means the methods are not blocked properly.

I was so stupid not to mention that I am using Jetty in embedded mode. I do not use the web-application stuff nor do I have a web.xml. I must be doing something wrong with my embedding code. I will dive into this and come back here if I have questions.

Cheers,

Silvio

On 01/15/2016 03:16 AM, Jan Bartel wrote:

Hi Silvio,

Both the jetty unit tests and informal testing show that jetty will return an error 403 Forbidden. For example, see: https://github.com/eclipse/jetty.project/blob/master/jetty-security/src/test/java/org/eclipse/jetty/security/SpecExampleConstraintTest.java#L264

Section 13.8.4.2 of the 3.1 Servlet Spec requires that 403 Forbidden is returned for denied uncovered methods:

"When the deny-uncovered-http-methods flag is set in the web.xml of an
application, the container must deny any HTTP protocol method when it is used
with a request URL for which the HTTP method is uncovered at the combined
security constraint that applies to the url-pattern that is the best match for the
request URL. The denied request shall be rejected as forbidden and a 403
(SC_FORBIDDEN) status code shall be returned."

Hope that helps,

Jan

On 14 January 2016 at 21:54, Silvio Bierman <sbierman@xxxxxxxxxxxxxxxxxx> wrote:

Hello all,

I am using Jetty 9.3.6.v20151106 and use ConstraintSecurityHandler to explicitly cover HTTP methods. I have called securityHandler.setDenyUncoveredHttpMethods(true).

The problem is that Jetty does not actually deny the methods with a status 405 but instead returns an HTML page containing an error message. Security scanners employed by several of my customers flag this as allowing potentially harmful methods.

How can I get Jetty to 405 uncovered methods? Do I have to cover them and 405 them myself?

Thanks,

Silvio

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

--

Jan Bartel <janb@xxxxxxxxxxx>

www.webtide.com
Expert assistance from the creators of Jetty and CometD
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

Follow-Ups:
- Re: [jetty-users] Disable invalid HTTP method error page
  - From: Joakim Erdfelt

References:
- [jetty-users] Disable invalid HTTP method error page
  - From: Silvio Bierman
- Re: [jetty-users] Disable invalid HTTP method error page
  - From: Jan Bartel

Prev by Date: Re: [jetty-users] Disable invalid HTTP method error page
Next by Date: Re: [jetty-users] Disable invalid HTTP method error page
Previous by thread: Re: [jetty-users] Disable invalid HTTP method error page
Next by thread: Re: [jetty-users] Disable invalid HTTP method error page
Index(es):
- Date
- Thread

Breadcrumbs