users@glassfish.java.net

RE: TRACE/TRACK vulnerability

From: Lund, Holly <holly.lund_at_hq.doe.gov>
Date: Tue, 27 May 2008 09:16:59 -0400

 
I assumed track would be the same so
I added this under htttp-service

        <property name="accessLoggingEnabled" value="true"/>
        <property name="traceEnabled" value="false"/>
        <property name="trackEnabled" value="false"/>
        <property name="putEnabled" value="false"/>
        <property name="deleteEnabled" value="false"/>
      </http-service>

I am getting ths is server log

[#|2008-05-27T08:35:30.387-0400|WARNING|sun-appserver9.1|javax.enterpris
e.system.container.web|_ThreadID=10;_ThreadName=main;putEnabled;_Request
ID=64caaa43-6729-4ecc-8573-7ad257ee597a;|WEB0304: Unsupported
http-service property (putEnabled) is being ignored|#]

[#|2008-05-27T08:35:30.387-0400|WARNING|sun-appserver9.1|javax.enterpris
e.system.container.web|_ThreadID=10;_ThreadName=main;deleteEnabled;_Requ
estID=64caaa43-6729-4ecc-8573-7ad257ee597a;|WEB0304: Unsupported
http-service property (deleteEnabled) is being ignored|#]

[#|2008-05-27T08:35:30.391-0400|WARNING|sun-appserver9.1|javax.enterpris
e.system.container.web|_ThreadID=10;_ThreadName=main;trackEnabled;_Reque
stID=64caaa43-6729-4ecc-8573-7ad257ee597a;|WEB0304: Unsupported
http-service property (trackEnabled) is being ignored|#]

Can I disabel track also?


Holly Lund
301-903-1174
202-586-4431

-----Original Message-----
From: Jeanfrancois.Arcand_at_Sun.COM [mailto:Jeanfrancois.Arcand_at_Sun.COM]
Sent: Tuesday, March 25, 2008 12:25 PM
To: users_at_glassfish.dev.java.net
Subject: Re: TRACE/TRACK vulnerability

Hi,

Lund, Holly wrote:
> How do you secure this vulnerability?

do you want to disable trace? If yes, just add, in domain.xml under

<http-service...>
....
     <property name="traceEnabled" value="false"/> </http-service>

Thanks

-- Jeanfrancois

>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
For additional commands, e-mail: users-help_at_glassfish.dev.java.net
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.