Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Disable invalid HTTP method error page

Actually I did have a ConstraintSecurityHandler in there. It is on the ServletContextHandler if you create it with the security property/option. But since I noticed that my doPut/doDelete/doTrace methods in the servlet (which did a response.sendError(405)) where called anyway I assumed I was doing something wrong and removed that part from the code without noticing anything being different.

Since I have only one servlet class in my system it does not matter much either way. The banned methods do return error status codes so I think I am fine.

Cheers,

Silvio


On 01/15/2016 04:41 PM, Joakim Erdfelt wrote:
If you are using a WebAppContext, then the ConstraintSecurityHandler can be used.



Joakim Erdfelt / joakim@xxxxxxxxxxx

On Fri, Jan 15, 2016 at 4:59 AM, Silvio Bierman <sbierman@xxxxxxxxxxxxxxxxxx> wrote:
Hello Jan,

Thanks for the reply. At least I now know that Jetty would deny with an HTTP status instead of an error page, which probably means the methods are not blocked properly.

I was so stupid not to mention that I am using Jetty in embedded mode. I do not use the web-application stuff nor do I have a web.xml. I must be doing something wrong with my embedding code. I will dive into this and come back here if I have questions.

Cheers,

Silvio



On 01/15/2016 03:16 AM, Jan Bartel wrote:
Hi Silvio,

Both the jetty unit tests and informal testing show that jetty will return an error 403 Forbidden. For example, see: https://github.com/eclipse/jetty.project/blob/master/jetty-security/src/test/java/org/eclipse/jetty/security/SpecExampleConstraintTest.java#L264

Section 13.8.4.2 of the 3.1 Servlet Spec requires that 403 Forbidden is returned for denied uncovered methods:

"When the deny-uncovered-http-methods flag is set in the web.xml of an
application, the container must deny any HTTP protocol method when it is used
with a request URL for which the HTTP method is uncovered at the combined
security constraint that applies to the url-pattern that is the best match for the
request URL. The denied request shall be rejected as forbidden and a 403
(SC_FORBIDDEN) status code shall be returned."

Hope that helps,
Jan

On 14 January 2016 at 21:54, Silvio Bierman <sbierman@xxxxxxxxxxxxxxxxxx> wrote:
Hello all,

I am using Jetty 9.3.6.v20151106 and use ConstraintSecurityHandler to explicitly cover HTTP methods. I have called securityHandler.setDenyUncoveredHttpMethods(true).

The problem is that Jetty does not actually deny the methods with a status 405 but instead returns an HTML page containing an error message. Security scanners employed by several of my customers flag this as allowing potentially harmful methods.

How can I get Jetty to 405 uncovered methods? Do I have to cover them and 405 them myself?

Thanks,

Silvio

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



--
Jan Bartel <janb@xxxxxxxxxxx>
www.webtide.com
Expert assistance from the creators of Jetty and CometD



_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


Back to the top