glassfish_at_javadesktop.org wrote:
> Thank you, I was reading in the API documentation and discovered the same thing about the doOptions method. I guess what I need to do is override the default servlet, so that when serving static resources I don't allow HTTP PUT by not implementing it.
>
> What are my options for overriding or replacing the default servlet?
Martin, I wouldn't do it. The DefaultServlet is in use by many thousands
(if not millions) and thus thoroughly tested. And should nevertheless an
actual security problem still exist, it is much more likely that any
security researcher will inform the GlassFish team than inform a company
using a servlet the have written themself. As long as you cannot use PUT
for anything useful I assume it is pretty irrelevant what the answer to
an OPTIONS requests is.
That said it might be helpful for us to see what your security scanner
complained about. Can you post a log file (the relevant parts) or s.th.
comparable? Which product did you use?
Nevertheless it might be useful to implement a better doOptions method
in the DefaultServlet itself.
I will be offline for a few days but I will have a look at your answers
and comments afterwards.
--
Wolfram Rittmeyer