jsr339-experts@jax-rs-spec.java.net

[jsr339-experts] Re: [jax-rs-spec users] Re: remove TRACE support

From: Bill Burke <bburke_at_redhat.com>
Date: Tue, 21 May 2013 11:46:18 -0400

On 5/21/2013 11:01 AM, Marek Potociar wrote:
> Bill,
>
> FWIW, from a pure JAX-RS perspective, I do not see a reason why we should not support TRACE just because of someone's deficiency in a Servlet container implementation. TRACE is a valid HTTP method. I'm not aware of any restriction in that regard in Servlet spec either. Are you? TRACE support has been there in the JAX-RS 2.0 APIs for more than 2 years now!
>
> Also, I do not buy the security issue arguments. There are potential security issues with all HTTP methods, including GET and POST that are far more severe and none of those is a reason to not support GET or POST. Unless there is a clear restriction in a Servlet spec, I would suggest you fix the Servlet container implementation. This is exactly the case where we would be "restricting a specification because of perceived implementation details", which as you correctly pointed out in another email thread, "is just wrong".
>

I don't think taking security vulnerabilities seriously makes our
servlet container deficient, especially for a rarely used HTTP method
like TRACE. I don't think JAX-RS would be hurt if TRACE support was
optional.
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com