jsr339-experts@jax-rs-spec.java.net

[jsr339-experts] Re: [jax-rs-spec users] Re: remove TRACE support

From: Bill Burke <bburke_at_redhat.com>
Date: Tue, 21 May 2013 12:12:18 -0400

On 5/21/2013 11:58 AM, Marek Potociar wrote:
>
> On May 21, 2013, at 5:46 PM, Bill Burke <bburke_at_redhat.com> wrote:
>
>>
>>
>> On 5/21/2013 11:01 AM, Marek Potociar wrote:
>>> Bill,
>>>
>>> FWIW, from a pure JAX-RS perspective, I do not see a reason why we should not support TRACE just because of someone's deficiency in a Servlet container implementation. TRACE is a valid HTTP method. I'm not aware of any restriction in that regard in Servlet spec either. Are you? TRACE support has been there in the JAX-RS 2.0 APIs for more than 2 years now!
>>>
>>> Also, I do not buy the security issue arguments. There are potential security issues with all HTTP methods, including GET and POST that are far more severe and none of those is a reason to not support GET or POST. Unless there is a clear restriction in a Servlet spec, I would suggest you to fix the Servlet container implementation. This is exactly the case where we would be "restricting a specification because of perceived implementation details" , which as you correctly pointed out in another email thread, "is just wrong".
>>>
>>
>> I don't think taking security vulnerabilities seriously makes our servlet container deficient especially for a rarely used HTTP method like TRACE. I don't think JAX-RS would be hurt if TRACE support was optional.
>
> I'm not taking security lightly, I'm just not considering it as an argument for the sake of this discussion. Perhaps I would even not push back so hard if we started the discussion 2 years ago. Now you want us to rewrite more than 100 of TCK tests and update JAX-RS API less then a week before a release. And for what reason? So that we accommodate arbitrary implementation decisions made by your Servlet team. Isn't it simpler and more fair to just expose a configuration option in your Servlet request processing engine that enables/disables TRACE support?
>

Not much I could do about it. My unit tests use an embedded servlet
container that supports TRACE, so this didn't show up until I started
running the TCK this month after the April 30th TCK drop. 


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.